Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

FortiClient EMS

Fortinet FortiClient EMS

FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It can control FortiClient to scan devices to find vulnerabilities and collect all vulnerabilities which all FortiClient scans.

For information on FortiEMS Endpoint Tagging, see the FortiSIEM Appendix topic - FortiEMS Endpoint Tagging.

Support Added: FortiSIEM 7.0.0

Vendor Version Tested: FortiClient EMS 7.2.0

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/endpoint-security/forticlient

Event Types

In ADMIN > Device Support > Event Types, search for "fortiems" to see the event types associated with this device.

Configuration

FortiEMS Configuration

See the current FortiClient EMS Administration Guide for the latest configuration information. The instructions provided here are based off the 7.2.0 EMS Administration Guide.

  1. Login to FortiClient EMS.

  2. Navigate to Administration > Administrators.

  3. Click Add.

  4. Under User source, select Create a new user, Choose from Windows users or Choose from LDAP.

    Note: If you selected Choose from LDAP, select the desired server from the Authentication Server dropdown list. You must have already configured an authentication server.

  5. Click Next.

  6. In the Username field, enter a user name.

  7. From the Role drop-down list, select Super administrator, Standard administrator, or Endpoint administrator.

  8. Click Next.

  9. In the Password field, enter a password.

  10. Click Save.

FortiSIEM Configuration
  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a FortiClient EMS Credential:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
    3. Settings Description
      Name Enter a name for the credential
      Device TypeFortinet FortiClient EMS
      Access Protocol FORTIEMS_API

      Pull Interval

      Default is 5 minutes.

      PortEnsure that 443 is entered here.

      Serial Number

      On your FortiEMS server, navigate to Dashboard > Status to locate your serial number, and enter it in the Serial Number field.

      User Name

      Enter the FortiClient EMS username created in FortiEMS Configuration.

      Password / Confirm Password

      Enter the FortiClient EMS user's password in the Password field, and re-enter in the Confirm Password field.

      Description (optional)Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Select the name of the credential created in step 2 from the Credentials drop-down list.
    2. Enter the FortiEMS IP address in the IP/Host Name field.
    3. Click Save.
  4. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. Proceed to step 5 when connectivity succeeds.
  5. Navigate to ADMIN > Setup > Discovery, and click New.
    1. Enter Name of the discovery entry.

    2. Select Discovery Type.

    3. Enter IP address or hostname of the FortiEMS server in the Include entry.

    4. Click Save.

  6. Select the identified discovery, and click Discover.
  7. After discovery succeeds, an entry is created in ADMIN > Setup > Pull Events corresponding to the event pull job. FortiSIEM will start to pull events from FortiClient EMS. Events can be queried on the ANALYTICS page.

Sample Events

[FortiEMS-Vuln-Detected] = {"avatar":0,"client_id":1001,"critical":1,"device_id":"1463","dont_patch":1,"fct_version":"7.0.2.0090","high":4,"host":"John Smith Laptop","ip":"192.0.2.0","last_vuln_scan":1675748166,"low":1,"medium":8,"os_version":"Linux LUBUNTU 16.0.4","patch_status":0,"scan_status":"vulnerable","serverName":"evansr-fsm-lab-321.fortidemo.fortinet.com","serverIp":"198.51.100.0","total":14,"username":"ExampleUser","vblt_running":false}

[FortiEMS-Vuln-Scan] = {"category":"Applications","client_id":"1770","cve_list":"CVE-2016-7426","cvss":0.0,"device_id":"1353","dont_patch":true,"fct_version":"7.0.2.0090","host":"Jane Doe Desktop","ip":"192.0.2.0","last_scan_time":1676314038,"os_version":"Linux LUBUNTU 14.0.4","patch_status":0,"product_name":null,"reference_page":"http://support.ntp.org/bin/view/Main/NtpSec3071","serverName":"evansr-fsm-lab-321.fortidemo.fortinet.com","serverIp":"198.51.100.0","severity":"Medium","title":"Client rate limiting and server responses","vulnerability_id":38942}

FortiClient EMS

Fortinet FortiClient EMS

FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It can control FortiClient to scan devices to find vulnerabilities and collect all vulnerabilities which all FortiClient scans.

For information on FortiEMS Endpoint Tagging, see the FortiSIEM Appendix topic - FortiEMS Endpoint Tagging.

Support Added: FortiSIEM 7.0.0

Vendor Version Tested: FortiClient EMS 7.2.0

Vendor: Fortinet

Product Information: https://www.fortinet.com/products/endpoint-security/forticlient

Event Types

In ADMIN > Device Support > Event Types, search for "fortiems" to see the event types associated with this device.

Configuration

FortiEMS Configuration

See the current FortiClient EMS Administration Guide for the latest configuration information. The instructions provided here are based off the 7.2.0 EMS Administration Guide.

  1. Login to FortiClient EMS.

  2. Navigate to Administration > Administrators.

  3. Click Add.

  4. Under User source, select Create a new user, Choose from Windows users or Choose from LDAP.

    Note: If you selected Choose from LDAP, select the desired server from the Authentication Server dropdown list. You must have already configured an authentication server.

  5. Click Next.

  6. In the Username field, enter a user name.

  7. From the Role drop-down list, select Super administrator, Standard administrator, or Endpoint administrator.

  8. Click Next.

  9. In the Password field, enter a password.

  10. Click Save.

FortiSIEM Configuration
  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a FortiClient EMS Credential:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
    3. Settings Description
      Name Enter a name for the credential
      Device TypeFortinet FortiClient EMS
      Access Protocol FORTIEMS_API

      Pull Interval

      Default is 5 minutes.

      PortEnsure that 443 is entered here.

      Serial Number

      On your FortiEMS server, navigate to Dashboard > Status to locate your serial number, and enter it in the Serial Number field.

      User Name

      Enter the FortiClient EMS username created in FortiEMS Configuration.

      Password / Confirm Password

      Enter the FortiClient EMS user's password in the Password field, and re-enter in the Confirm Password field.

      Description (optional)Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Select the name of the credential created in step 2 from the Credentials drop-down list.
    2. Enter the FortiEMS IP address in the IP/Host Name field.
    3. Click Save.
  4. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. Proceed to step 5 when connectivity succeeds.
  5. Navigate to ADMIN > Setup > Discovery, and click New.
    1. Enter Name of the discovery entry.

    2. Select Discovery Type.

    3. Enter IP address or hostname of the FortiEMS server in the Include entry.

    4. Click Save.

  6. Select the identified discovery, and click Discover.
  7. After discovery succeeds, an entry is created in ADMIN > Setup > Pull Events corresponding to the event pull job. FortiSIEM will start to pull events from FortiClient EMS. Events can be queried on the ANALYTICS page.

Sample Events

[FortiEMS-Vuln-Detected] = {"avatar":0,"client_id":1001,"critical":1,"device_id":"1463","dont_patch":1,"fct_version":"7.0.2.0090","high":4,"host":"John Smith Laptop","ip":"192.0.2.0","last_vuln_scan":1675748166,"low":1,"medium":8,"os_version":"Linux LUBUNTU 16.0.4","patch_status":0,"scan_status":"vulnerable","serverName":"evansr-fsm-lab-321.fortidemo.fortinet.com","serverIp":"198.51.100.0","total":14,"username":"ExampleUser","vblt_running":false}

[FortiEMS-Vuln-Scan] = {"category":"Applications","client_id":"1770","cve_list":"CVE-2016-7426","cvss":0.0,"device_id":"1353","dont_patch":true,"fct_version":"7.0.2.0090","host":"Jane Doe Desktop","ip":"192.0.2.0","last_scan_time":1676314038,"os_version":"Linux LUBUNTU 14.0.4","patch_status":0,"product_name":null,"reference_page":"http://support.ntp.org/bin/view/Main/NtpSec3071","serverName":"evansr-fsm-lab-321.fortidemo.fortinet.com","serverIp":"198.51.100.0","severity":"Medium","title":"Client rate limiting and server responses","vulnerability_id":38942}