Administration Guide

Establish device identity and trust context with FortiClient EMS

How device identity is established through client certificates, and how device trust context is established between FortiClient, FortiClient EMS, and the FortiProxy, are integral to ZTNA.

Device roles

FortiClient

FortiClient endpoints provide the following information to FortiClient EMS when they register to the EMS:

  • Device information (network details, operating system, model, and others)

  • Logged-on user information

  • Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)

It also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA) when it registers to FortiClient EMS. The client uses this certificate to identify itself to the FortiProxy.

FortiClient EMS

FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial number. The certificate is then synchronized to the FortiProxy. EMS also shares its EMS ZTNA CA certificate with the FortiProxy, so that the FortiProxy can use it to authenticate the clients.

FortiClient EMS uses zero trust tagging rules to tag endpoints based on the information that it has on each endpoint. The tags are also shared with the FortiProxy. See Endpoint Posture Check Reference for a list of the endpoint posture checks that EMS can perform.

Note

Each security posture tag creates two firewall addresses in all VDOMs on a FortiProxy: one for the IP address and one for the MAC address. Because each FortiProxy model has a global limit and a per-VDOM limit on the number of supported firewall addresses, the model determines the maximum number of security posture tags the unit allows, which is the maximum number of firewall addresses divided by two. For each FortiProxy model's limit, see the Maximum Values table.

FortiProxy

The FortiProxy maintains a continuous connection to the EMS server to synchronize endpoint device information, primarily:

  • FortiClient UID

  • Client certificate SN

  • EMS SN

  • Device credentials (user/domain)

  • Network details (IP and MAC address and routing to the FortiProxy)

When a device's information changes, such as when a client moves from on-net to off-net or its security posture changes, EMS is updated with the new device information and then updates the FortiProxy. The FortiProxy's WAD daemon can use this information when processing ZTNA traffic. If an endpoint's security posture change causes it to no longer match the ZTNA policy criteria of an existing session, that session is terminated.

Certificate management on FortiClient EMS

FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing updates to the FortiProxy and FortiClient endpoints by generating new certificates for each client.

Note

Do not confuse the EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server certificate that is used by EMS for HTTPS access and fabric connectivity to the EMS server.

EMS can also manage individual client certificates. To revoke the current client certificate that is used by the endpoint: go to Endpoint > All Endpoints, select the client, and click Action > Revoke Client Certificate.

Locating and viewing the client certificate on an endpoint

In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on EMS and the FortiProxy.

To locate certificates on other operating systems, consult the vendor documentation.

To locate the client certificate and EMS ZTNA CA certificate on a Windows PC:
  1. In the Windows search box, enter user certificate and click Manage user certificates from the results.

  2. In the certificate manager, go to Certificates - Current User > Personal > Certificates and find the certificate that is issued by the FortiClient EMS.

  3. Right-click on it and select Properties.

  4. The General tab shows the client certificate UID and the issue and expiry dates. The Details tab shows the certificate SN.

  5. Go to the Certificate Path tab to see the full certificate chain.

  6. Select the root CA and click View Certificate to view the details about the EMS ZTNA CA certificate.

Verifying that the client information is synchronized to the FortiProxy

The following diagnose commands verify that the FortiProxy holds a matching endpoint record and that the record carries the client UID, client certificate SN, and EMS SN. If any of this information is missing or incomplete, client certificate authentication might fail because the corresponding endpoint entry is not found. Further diagnosis is then needed to determine why the records are missing.

  • # dia endpoint record list
    Show the endpoint record list. Optionally, add filters.

  • # diagnose wad dev query-by uid <uid> <ems sn> <ems tenant id>
    Query the WAD daemon's device information by FortiClient UID.

  • # diagnose wad dev query-by ipv4 <ip>
    Query the WAD daemon's device information by IP address.

  • # diagnose test application fcnacd 7
    # diagnose test application fcnacd 8
    Check the FortiClient NAC daemon's ZTNA cache and route cache.

  • # diagnose test application fcnacd 5
    Force a sync with the FortiClient EMS server.

To check the endpoint record list for IP address 10.100.1.58:
# dia endpoint record list 10.100.1.58
Record #1:
                IP Address = 10.100.1.58
                MAC Address = 00:0c:29:07:44:ab
                MAC list =
                VDOM = root (0)
                EMS serial number: FCTEMS8823005021
                EMS tenant id: 00000000000000000000000000000000
                Client cert SN: 77E6D29D582E05296DB4F78E10BEECD295BF5DEB
                Public IP address: 207.102.138.19
                Quarantined: no
                Online status: online
                Registration status: registered
                On-net status: on-net
                Gateway Interface: port2
                FortiClient version: 7.2.4
                AVDB version: 1.0
                FortiClient app signature version: 28.807
                FortiClient vulnerability scan engine version: 2.40
                FortiClient UID: F0D60B28FCAB464E81C725270B62BEC0
                Host Name: DESKTOP-2BGPITB
                OS Type: WIN64
                OS Version: Microsoft Windows 10 Professional Edition, 64-bit (build 14393)
                Host Description:
                Domain:
                Last Login User: guodong
                Owner:
                Host Model: VMware7,1
                Host Manufacturer: VMware, Inc.
                CPU Model: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
                Memory Size: 8190
                AV Feature: 1
                FW Feature: 1
                WF Feature: 1
                AS Feature: 0
                VS Feature: 1
                VN Feature: 1
                Last vul message received time: N/A
                Last vul scanned time: N/A
                Last vul statistic: critical=0, high=0, medium=0, low=0, info=0
                Avatar fingerprint: e67ab4781b95573859127ca8a3e9dae913afc2b1
                Avatar source username:
                Avatar source email:
                Avatar source: OS
                Phone number:
                Number of Routes: (1)
                        Gateway Route #0:
                                - IP:10.100.1.58, MAC: 00:0c:29:07:44:ab, VPN: no
                                - Interface:port2, VFID:0, SN: FPXVULTM24000082
online records: 1; offline records: 0; quarantined records: 0; out-of-sync records: 0
To check the tags that are processed by the WAD daemon for a particular device:
# diagnose wad dev query-by uid F0D60B28FCAB464E81C725270B62BEC0 FCTEMS8823005021 00000000000000000000000000000000
Attr of type=0, length=83, value(ascii)=F0D60B28FCAB464E81C725270B62BEC0
Attr of type=4, length=0, value(ascii)=
Attr of type=6, length=1, value(ascii)=true
Attr of type=5, length=40, value(ascii)=77E6D29D582E05296DB4F78E10BEECD295BF5DEB
Attr of type=3, length=17, value(ascii)=EMS1_ZTNA_disk-en
Attr of type=3, length=21, value(ascii)=MAC_EMS1_ZTNA_disk-en
Attr of type=3, length=32, value(ascii)=EMS1_ZTNA_all_registered_clients
Attr of type=3, length=36, value(ascii)=MAC_EMS1_ZTNA_all_registered_clients
Attr of type=3, length=23, value(ascii)=EMS1_ZTNA_anti-virus-ok
Attr of type=3, length=27, value(ascii)=MAC_EMS1_ZTNA_anti-virus-ok
Response termination due to no more data
To check the FortiClient NAC daemon (fcnacd) cache:
# diagnose test application fcnacd 7

ZTNA Cache V2:
Entry #1:

 - UID: F0D60B28FCAB464E81C725270B62BEC0
 - EMS Fabric ID: FCTEMS8823005021:00000000000000000000000000000000
 - Domain:
 - User: guodong
 - Owner:
 - Certificate SN: 77E6D29D582E05296DB4F78E10BEECD295BF5DEB
 - online: true
 - Routes (1):
  -- Route #0: IP=10.100.1.58, vfid=0
 - FWAddrNames (6):
  -- Name (#0): EMS1_ZTNA_disk-en
  -- Name (#1): MAC_EMS1_ZTNA_disk-en
  -- Name (#2): EMS1_ZTNA_all_registered_clients
  -- Name (#3): MAC_EMS1_ZTNA_all_registered_clients
  -- Name (#4): EMS1_ZTNA_anti-virus-ok
  -- Name (#5): MAC_EMS1_ZTNA_anti-virus-ok
lls_idx_mask = 0x00000001,
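The three outputs above describe one endpoint and should agree with each other. The following script is an added example, not Fortinet's code: it parses trimmed copies of the `dia endpoint record list`, `diagnose wad dev query-by uid` and `diagnose test application fcnacd 7` output and reports any field that differs; the meaning of the WAD attribute types (0 = UID, 5 = client cert SN, 3 = firewall address name) is inferred from the sample values and is an assumption.

```python
# Added example, not Fortinet code: cross-check one endpoint across the three
# diagnostic outputs shown above. The WAD attribute types are inferred from the
# page's sample values (0 = UID, 5 = client cert SN, 3 = firewall address name)
# and are an assumption; the sample outputs are trimmed, constructed copies.
import re

ENDPOINT_RECORD = """\
                EMS serial number: FCTEMS8823005021
                EMS tenant id: 00000000000000000000000000000000
                Client cert SN: 77E6D29D582E05296DB4F78E10BEECD295BF5DEB
                FortiClient UID: F0D60B28FCAB464E81C725270B62BEC0
"""
WAD_QUERY = """\
Attr of type=0, length=83, value(ascii)=F0D60B28FCAB464E81C725270B62BEC0
Attr of type=5, length=40, value(ascii)=77E6D29D582E05296DB4F78E10BEECD295BF5DEB
Attr of type=3, length=17, value(ascii)=EMS1_ZTNA_disk-en
Attr of type=3, length=21, value(ascii)=MAC_EMS1_ZTNA_disk-en
Attr of type=3, length=23, value(ascii)=EMS1_ZTNA_anti-virus-ok
Attr of type=3, length=27, value(ascii)=MAC_EMS1_ZTNA_anti-virus-ok
Response termination due to no more data
"""
FCNACD_CACHE = """\
 - UID: F0D60B28FCAB464E81C725270B62BEC0
 - EMS Fabric ID: FCTEMS8823005021:00000000000000000000000000000000
 - Certificate SN: 77E6D29D582E05296DB4F78E10BEECD295BF5DEB
 - FWAddrNames (4):
  -- Name (#0): EMS1_ZTNA_disk-en
  -- Name (#1): MAC_EMS1_ZTNA_disk-en
  -- Name (#2): EMS1_ZTNA_anti-virus-ok
  -- Name (#3): MAC_EMS1_ZTNA_anti-virus-ok
"""
# Constructed failure case: the cache still holds an old certificate SN (e.g. right after a revoke/reissue on EMS).
STALE_CACHE = FCNACD_CACHE.replace("77E6D29D582E05296DB4F78E10BEECD295BF5DEB", "0" * 40)

def parse_endpoint_record(text):
    """Collect 'Key: value' and 'Key = value' fields of one endpoint record."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*[:=]\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def parse_wad_attrs(text):
    """Group WAD 'Attr of type=N ... value(ascii)=V' lines by attribute type."""
    attrs = {}
    for m in re.finditer(r"Attr of type=(\d+), length=\d+, value\(ascii\)=(.*)", text):
        attrs.setdefault(int(m.group(1)), []).append(m.group(2).strip())
    return attrs

def parse_fcnacd_cache(text):
    """Parse ' - Key: value' lines and the ' -- Name (#n)' list of one cache entry."""
    entry = {"FWAddrNames": []}
    for line in text.splitlines():
        m = re.match(r"\s*-- Name \(#\d+\): (.+)$", line)
        if m:
            entry["FWAddrNames"].append(m.group(1).strip())
            continue
        m = re.match(r"\s*- ([^:]+): ?(.*)$", line)
        if m:
            entry[m.group(1).strip()] = m.group(2).strip()
    return entry

def cross_check(record_text, wad_text, cache_text):
    """Return mismatch descriptions; an empty list means the three views agree."""
    rec = parse_endpoint_record(record_text)
    wad = parse_wad_attrs(wad_text)
    cache = parse_fcnacd_cache(cache_text)
    uid, sn = rec.get("FortiClient UID"), rec.get("Client cert SN")
    fabric_id = f"{rec.get('EMS serial number')}:{rec.get('EMS tenant id')}"
    checks = [
        (wad.get(0, [None])[0] == uid, "UID differs between endpoint record and WAD"),
        (cache.get("UID") == uid, "UID differs between endpoint record and fcnacd cache"),
        (wad.get(5, [None])[0] == sn, "client cert SN differs between endpoint record and WAD"),
        (cache.get("Certificate SN") == sn, "client cert SN differs between endpoint record and fcnacd cache"),
        (cache.get("EMS Fabric ID") == fabric_id, "EMS SN/tenant id differs between endpoint record and fcnacd cache"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    # WAD and fcnacd must list the same firewall addresses, each IP object with a MAC_ twin.
    wad_tags, cache_tags = set(wad.get(3, [])), set(cache["FWAddrNames"])
    if wad_tags != cache_tags:
        problems.append(f"firewall address names differ: {sorted(wad_tags ^ cache_tags)}")
    for name in sorted(cache_tags):
        if not name.startswith("MAC_") and f"MAC_{name}" not in cache_tags:
            problems.append(f"{name} has no MAC_ counterpart")
    return problems

if __name__ == "__main__":
    print("live:", cross_check(ENDPOINT_RECORD, WAD_QUERY, FCNACD_CACHE) or "consistent")
    print("stale:", cross_check(ENDPOINT_RECORD, WAD_QUERY, STALE_CACHE))
```

Feed the script the full output of the three commands for the endpoint under investigation; an empty result means the record, WAD and fcnacd agree on identity, certificate and tags.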

ZTNA scalability support for concurrent endpoints

ZTNA scalability supports up to 50,000 concurrent endpoints. Communication between FortiProxy and FortiClient EMS uses efficient queries that request only incremental updates. The retrieved device information can be written to the FortiClient NAC daemon cache.

FortiProxy can receive tag information from the EMS common tags API. This feature requires FortiClient EMS 7.0.3 or later.

The APIs api/v1/report/fct/uid_tags and api/v1/report/fct/tags replace the API api/v1/report/fct/host_tags.

To use the common tags API capability:
  1. Enable the common tags API when connecting to the EMS:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "emstest"
            set server "10.120.1.24"
            set serial-number "FCTEMS8823005021"
            set tenant-id "00000000000000000000000000000000"
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        next
    end
  2. The FortiProxy uses the new APIs to obtain device information from the EMS:

    [ec_ems_context_submit_work:519] Call submitted successfully.
    obj-id: 12, desc: REST API to get updates of tag endpoints., entry: api/v1/report/fct/tags.
    [ec_ez_worker_base_prep_resolver:374] Outgoing interface index 0 for 1 (emstest).
    [ec_ems_context_submit_work:519] Call submitted successfully.
    obj-id: 13, desc: REST API to get updates of tags associated with FCT UID., entry: api/v1/report/fct/uid_tags.
    [ec_ez_worker_process:368] Processing call for obj-id: 13, entry: "api/v1/report/fct/uid_tags"
    [_send_tags_to_info_store:166] Saving MAC and IP tag usergrp2
    [_send_tags_to_info_store:166] Saving MAC and IP tag disk-en
    [_send_tags_to_info_store:166] Saving MAC and IP tag all_registered_clients
    [_send_tags_to_info_store:166] Saving MAC and IP tag anti-virus-ok
    [_send_tags_to_info_store:166] Saving MAC and IP tag usergrp3
    [_update_obj_stats:336] Storing (13, emstest, 0)
    [ec_ez_worker_process:475] Call completed successfully.
    obj-id: 13, desc: "REST API to get updates of tags associated with FCT UID.", entry: "api/v1/report/fct/uid_tags".
    [ec_ez_worker_base_prep_resolver:374] Outgoing interface index 0 for 1 (emstest).
    [ec_ems_context_submit_work:519] Call submitted successfully.
    obj-id: 8, desc: REST API to get updates about system info., entry: api/v1/report/fct/sysinfo.
    [ec_ez_worker_process:368] Processing call for obj-id: 8, entry: "api/v1/report/fct/sysinfo"
    [ec_mh_update:318] Error 22 opening mac_host.
    [_update_obj_stats:336] Storing (8, emstest, 0)
    [ec_ez_worker_process:475] Call completed successfully.
    obj-id: 8, desc: "REST API to get updates about system info.", entry: "api/v1/report/fct/sysinfo".
    [ec_ez_worker_process:368] Processing call for obj-id: 12, entry: "api/v1/report/fct/tags"
    [_update_obj_stats:336] Storing (12, emstest, 0)
    [ec_ez_worker_process:475] Call completed successfully.
    obj-id: 12, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".
    (......)
  3. Confirm that the device information from the EMS is written to the FortiClient NAC daemon cache:

    # dia endpoint record list
        ...
              Avatar source: OS
                    Phone number:
                    Number of Routes: (1)
                            Gateway Route #0:
                                    - IP:10.100.1.58, MAC: 00:0c:29:07:44:ab, VPN: no
                                    - Interface:port2, VFID:0, SN: FPXVULTM24000082
    online records: 1; offline records: 0; quarantined records: 0; out-of-sync records: 0
    
  4. Use the tags that are pulled from the EMS in a firewall address:

    config firewall address
        edit "EMS1_ZTNA_anti-virus-software"
            set uuid c4e5692c-283d-51ef-690b-af63889a4e89
            set type dynamic
            set sub-type ems-tag
            set obj-tag "anti-virus-software"
            set tag-type "zero_trust"
        next
    end
    
  5. Check the tags' resolved IP and MAC addresses:

    # diagnose firewall fqdn getinfo-ip  EMS1_ZTNA_anti-virus-ok
    getinfo EMS1_ZTNA_anti-virus-ok id:115 generation:7 count:1 data_len:20 flag 0
    
    # diagnose firewall fqdn getinfo-mac MAC_EMS1_ZTNA_anti-virus-ok
    getinfo MAC_EMS1_ZTNA_anti-virus-ok id:99 generation:5 count:1 data_len:6 flag 0
    
    #  diagnose firewall dynamic address EMS1_ZTNA_anti-virus-ok
    CMDB name: EMS1_ZTNA_anti-virus-ok
    TAG name: anti-virus-ok
    EMS1_ZTNA_anti-virus-ok: ID(115)
            ADDR(10.100.1.58)
    Total IP dynamic range blocks: 0.
    Total IP dynamic addresses: 1.
    # diagnose firewall dynamic address MAC_EMS1_ZTNA_anti-virus-ok
    CMDB name: MAC_EMS1_ZTNA_anti-virus-ok
    TAG name: anti-virus-ok
    MAC_EMS1_ZTNA_anti-virus-ok: ID(99)
            MAC(00:0c:29:07:44:ab)
    Total MAC dynamic addresses: 1.
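As an added example (not Fortinet's code), the following script ties step 2 to steps 4 and 5: it extracts from the fcnacd debug output which REST entries completed, which tag names were saved, and any error lines, then flags every ems-tag firewall address whose obj-tag is not among the saved tags. Both inputs are constructed from this page's samples; the second address entry is added for contrast.

```python
# Added example, not Fortinet code: check that the EMS tags fcnacd reports
# saving (step 2 debug output) actually back the ems-tag firewall addresses
# configured in step 4. Both inputs are constructed from this page's samples;
# the second address entry is added here to show a tag that is present.
import re

DEBUG_LOG = """\
[ec_ez_worker_process:368] Processing call for obj-id: 13, entry: "api/v1/report/fct/uid_tags"
[_send_tags_to_info_store:166] Saving MAC and IP tag usergrp2
[_send_tags_to_info_store:166] Saving MAC and IP tag disk-en
[_send_tags_to_info_store:166] Saving MAC and IP tag all_registered_clients
[_send_tags_to_info_store:166] Saving MAC and IP tag anti-virus-ok
[_send_tags_to_info_store:166] Saving MAC and IP tag usergrp3
[ec_ez_worker_process:475] Call completed successfully.
obj-id: 13, desc: "REST API to get updates of tags associated with FCT UID.", entry: "api/v1/report/fct/uid_tags".
[ec_ez_worker_process:368] Processing call for obj-id: 8, entry: "api/v1/report/fct/sysinfo"
[ec_mh_update:318] Error 22 opening mac_host.
[ec_ez_worker_process:475] Call completed successfully.
obj-id: 8, desc: "REST API to get updates about system info.", entry: "api/v1/report/fct/sysinfo".
[ec_ez_worker_process:368] Processing call for obj-id: 12, entry: "api/v1/report/fct/tags"
[ec_ez_worker_process:475] Call completed successfully.
obj-id: 12, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".
"""

FIREWALL_ADDRESS_CONFIG = """\
config firewall address
    edit "EMS1_ZTNA_anti-virus-software"
        set type dynamic
        set sub-type ems-tag
        set obj-tag "anti-virus-software"
        set tag-type "zero_trust"
    next
    edit "EMS1_ZTNA_anti-virus-ok"
        set type dynamic
        set sub-type ems-tag
        set obj-tag "anti-virus-ok"
        set tag-type "zero_trust"
    next
end
"""

def saved_tags(log):
    """EMS tag names that fcnacd reported saving via the common tags API."""
    return set(re.findall(r"Saving MAC and IP tag (\S+)", log))

def completed_entries(log):
    """REST entries whose call completed, in completion order (entry is on the next line)."""
    entries, lines = [], log.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Call completed successfully" in line:
            m = re.search(r'entry: "([^"]+)"', lines[i + 1])
            if m:
                entries.append(m.group(1))
    return entries

def error_lines(log):
    """Lines fcnacd flagged as errors; worth a look even when the calls complete."""
    return [ln for ln in log.splitlines() if re.search(r"\bError\b", ln)]

def ems_tag_addresses(config):
    """Map each 'sub-type ems-tag' firewall address name to its obj-tag."""
    result, name, settings = {}, None, {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            name, settings = line[5:].strip('"'), {}
        elif line.startswith("set ") and name is not None:
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip('"')
        elif line == "next" and settings.get("sub-type") == "ems-tag":
            result[name] = settings["obj-tag"]
    return result

def unbacked_addresses(config, log):
    """Firewall addresses whose obj-tag never arrived from EMS, so they have no members yet."""
    tags = saved_tags(log)
    return sorted(n for n, t in ems_tag_addresses(config).items() if t not in tags)

if __name__ == "__main__":
    print("completed:", completed_entries(DEBUG_LOG))
    print("errors:", error_lines(DEBUG_LOG))
    print("addresses without a saved EMS tag:", unbacked_addresses(FIREWALL_ADDRESS_CONFIG, DEBUG_LOG))
```

An address reported by `unbacked_addresses` is the one to check with `diagnose firewall dynamic address` as in step 5, since the tag it references has not been delivered by EMS in the captured sync.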
    
