Using EMS integrated with FortiGate
You can integrate FortiGate with FortiClient EMS. When used together, FortiGate is used for endpoint control and network access compliance (NAC), and FortiClient EMS is used to deploy and manage FortiClient software on endpoints.
When FortiGate is configured for NAC, you can use FortiOS to create a FortiClient profile that defines compliance rules and non-compliance action. The compliance rules define what configuration FortiClient software and the endpoint must have for the endpoint to maintain access to the network through FortiGate.
FortiOS 6.0.0 and later versions use one of the following two methods to determine endpoint compliance. The FortiOS configuration determines which method is used. FortiOS versions prior to 6.0.0 only use the second method below to determine endpoint compliance. In both cases, FortiClient must be installed on the endpoint.
- An endpoint is considered compliant if FortiClient is managed by the EMS server authorized in FortiOS.
- An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS.
The non-compliance action can be block or warn and defines what action FortiGate takes when endpoints fail to comply with the compliance rules. When the non-compliance action is block, FortiGate blocks endpoints from accessing the network when they fail to comply with the compliance rules. When the non-compliance action is warn, FortiGate warns the endpoint about non-compliance but allows network access after the endpoint user acknowledges the warning.
Although the compliance rules define what configuration FortiClient software and the endpoint must have, the FortiClient profile from FortiGate does not include any configuration information. The endpoint user or administrator is responsible for configuring FortiClient Console to adhere to the compliance rules. An administrator can use FortiClient EMS to configure FortiClient Console.
After you create a FortiClient profile using FortiOS, you can import the profile into FortiClient EMS and edit the profile to add a FortiClient installer and specify configuration information for FortiClient software. Then you can use FortiClient EMS to deploy the updated profile containing compliance rules and configuration information to endpoints.
To use EMS integrated with FortiGate:
- Using FortiGate running FortiOS 5.6 or a later version, define the compliance rules. Do one of the following:
- Configure FortiGate to consider an endpoint compliant if it has FortiClient installed and is reporting to a specified EMS server. Enter the desired FortiClient EMS server IP address or hostname. This option is only available for FortiOS 6.0.0 and later versions. If using this option, proceed to step 4.
- Define specific endpoint compliance rules.
- Using FortiClient EMS, import the FortiClient profile. See Importing FortiGate profiles.
- Review the compliance rules.
- Do one of the following:
- If you configured FortiGate to consider an endpoint compliant if its FortiClient is reporting to the specified EMS server, edit your endpoint profile as desired, then save. Add a FortiClient installer if needed.
- If importing a FortiGate profile, edit the imported profile to add configuration information that supports the compliance rules, and save the profile. You can add a FortiClient installer if needed.
- Create a gateway list that includes the gateway IP address or fully qualified domain name (FQDN) for the FortiGate. See Creating gateway lists.
Each gateway list includes a list of one or more IP addresses or fully qualified domain names (FQDN) that FortiClient can use when connecting to EMS or FortiGate.
- Assign the gateway list to domains or workgroups as needed. See Assigning gateway lists to endpoints.
FortiClient software uses the IP addresses in the gateway list to connect FortiClient Telemetry to EMS and/or FortiGate.
- Assign the profile to domains or workgroups as needed. See Assigning profiles.
After the profile is assigned to endpoints, the settings are pushed to endpoints with the next Telemetry communication.
- Use FortiClient EMS to monitor and manage endpoints. See Viewing the Endpoints content pane.
- Use FortiClient EMS to update the profile as needed.