Administration Guide

Managed Endpoints

You can view managed endpoints via the Network > Managed Endpoints page.

Alternatively, you can display the Managed Endpoints status widget or status monitor under Dashboards as follows:

  • Go to Dashboards > Status and under the Managed Endpoints widget, click Click to Expand. If this widget does not exist, add a new Managed Endpoints widget as Adding a custom dashboard describes.
  • Go to an existing Managed Endpoints monitor. If this monitor does not exist, add a new Managed Endpoints monitor as Adding a custom monitor describes.

The page, status widget, and status monitor all display a list of endpoints that show endpoint information, including but not limited to the following:

  • Device username
  • VPN username
  • Management connection status
  • Security point of presence
  • Public IP address
  • VPN status
  • Platform
  • Vulnerabilities detected
  • FortiClient version and ID
  • Zero trust network access tags

The Managed Endpoints view contains the following buttons at the top of the page:

  • When an endpoint is selected, you can use the View Endpoint Details button to display detailed endpoint information that FortiClient gathers on the endpoint device.

  • The Management Connection button allows enabling/disabling the management connection for endpoints.

  • When the endpoint has a Connected VPN status, you can click More Options to access the following actions:

    • Export Diagnostic Logs. You can only export diagnostic logs for online Windows endpoints.
    • View VPN Session
    • Show in FortiView
    • Show Matching Traffic Logs

  • The Export All button exports the list of endpoints in a CSV file format that includes endpoint details such as device username, IP and MAC addresses, FortiClient version, and so on.

    You can toggle between Managed Endpoints and Unmanaged Endpoints views.

Management Connection button

By default, the management connection is enabled for all endpoints. You therefore only need to enable the management connection for an endpoint if you have previously disabled it.

You can remove an endpoint from management by disabling its management connection with the following results:

  • The endpoint is permanently excluded from management and cannot register with FortiSASE using an invitation code unless its management connection is reenabled.

  • FortiSASE removes the endpoint profile and zero trust network access (ZTNA) tagging settings from the selected endpoint.

  • A license seat is freed up for use by other endpoints.

After an endpoint has previously been removed from management, you can add it to management by enabling its management connection with the following results:

  • FortiSASE is now managing the endpoint and the endpoint is allowed to register with FortiSASE using an invitation code.

  • FortiSASE applies the endpoint profile and ZTNA tagging settings configured in Configuration > Profiles and Configuration > ZTNA Tagging respectively to the selected endpoint.

  • The endpoint uses up a license seat.

To remove an endpoint from management:
  1. Go to the Managed Endpoints page, status widget, or status monitor.
  2. Click Managed Endpoint to enter that view.
  3. Select the desired endpoint.
  4. Click Management Connection > Disable. After disabling the endpoint’s management connection, the endpoint should disappear from the Managed Endpoints view and appear in the Unmanaged Endpoints view.

Note

When you remove an endpoint from management by disabling its management connection, in FortiClient the endpoint’s zero trust telemetry connection and Remote Access FortiSASE VPN connection will both be disconnected.

Note

The Disable option within Management Connection is not equivalent to the Deregister button in previous FortiSASE versions.

In previous versions, Deregister just disconnected the endpoint from FortiSASE and allowed the possibility for the endpoint to remain managed and reregister with FortiSASE.

Currently, once you configure Management Connection > Disable for an endpoint, it is permanently excluded from management. Namely, it is considered an unmanaged endpoint, and cannot register with FortiSASE.

To allow an unmanaged endpoint to be managed by and register with FortiSASE, you must select the endpoint and configure Management Connection > Enable.

To add an endpoint to management when it has been previously removed from management:
  1. Go to the Managed Endpoints page, status widget, or status monitor.

  2. Click Unmanaged Endpoint to enter that view.

  3. Select the desired endpoint.

  4. Click Management Connection > Enable. After enabling the endpoint’s management connection, the endpoint disappears from the Unmanaged Endpoints view and does not appear in the Managed Endpoints view until it reconnects to FortiSASE.
