FortiClient with FortiGate and EMS
In this scenario, FortiClient Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy and to FortiGate to participate in the Fortinet Security Fabric. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint profile.
Following is a summary of how the FortiClient Telemetry connection works in this scenario:
- FortiClient Telemetry connects to EMS.
- FortiClient receives a profile of configuration information from EMS as part of an endpoint policy.
- FortiClient Telemetry connects to the FortiGate using a Telemetry gateway list received from EMS. This allows the endpoint to participate in the Security Fabric.
- EMS sends compliance verification rules to the endpoint.
- FortiClient checks the endpoint using the provided compliance verification rules and sends the results to EMS.
- EMS receives the results from FortiClient and dynamically groups the endpoints according to the results.
- FortiOS pulls the dynamic endpoint group information from EMS. You can use this data to build dynamic firewall policies.
- EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
For details about configuring dynamic endpoint groups in FortiOS, see the FortiClient EMS Administration Guide.
FortiClient follows the endpoint profile configuration received from EMS. FortiClient settings are locked so the endpoint user cannot change any configuration.
Only EMS can control the connection between FortiClient and EMS. Disconnecting FortiClient from EMS can only be done in EMS.
FortiClient installers created in EMS embed the EMS server's IP address, so the endpoint connects FortiClient Telemetry to that EMS server. The administrator can also embed a Telemetry gateway list containing FortiGate IP addresses in the installer, so the endpoint can connect FortiClient Telemetry to a FortiGate. FortiClient only registers to a FortiGate if all of the following are true:
- FortiClient is registered to EMS.
- FortiClient has received a Telemetry gateway list from EMS.
- EMS has allocated a Fabric Agent license to the endpoint. A Fabric Agent license is required to register to the FortiGate. See the FortiClient EMS Administration Guide.
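The following Python is an added illustration, not Fortinet code and not a Fortinet API: it models the flow described above (FortiClient reports compliance results, EMS evaluates the rules and builds dynamic groups, FortiOS resolves policies from those groups and merges group updates pushed by EMS) together with the three-condition FortiGate registration check. The rule names, endpoint names, addresses and policies are constructed for the example.

```python
from dataclasses import dataclass, field
@dataclass
class Endpoint:
    name: str
    registered_to_ems: bool
    gateway_list: list        # Telemetry gateway list received from EMS (FortiGate addresses)
    fabric_license: bool      # Fabric Agent license allocated by EMS
    results: dict = field(default_factory=dict)  # compliance results FortiClient reports

def can_register_to_fortigate(ep):
    """Registration to the FortiGate needs all three conditions from the text."""
    return ep.registered_to_ems and bool(ep.gateway_list) and ep.fabric_license

# Constructed compliance verification rules: dynamic group name -> test over results.
RULES = {
    "av_running": lambda r: r.get("av_running") is True,
    "os_patched": lambda r: r.get("os_build", 0) >= 19045,
}
def group_endpoints(endpoints):
    """EMS side: evaluate each rule on the reported results and build dynamic groups."""
    groups = {name: set() for name in RULES}
    for ep in endpoints:
        for name, rule in RULES.items():
            if rule(ep.results):
                groups[name].add(ep.name)
    return groups

def apply_group_update(groups, update):
    """EMS pushes incremental group changes; FortiOS merges them into its view."""
    for name, change in update.items():
        groups.setdefault(name, set()).update(change.get("add", ()))
        groups[name].difference_update(change.get("remove", ()))
    return groups

def resolve_policy(groups, policies, endpoint):
    """FortiOS side: first policy whose required groups all contain the endpoint wins."""
    for required, action in policies:
        if all(endpoint in groups.get(g, ()) for g in required):
            return action
    return "deny"  # no dynamic-group policy matched: implicit deny

# Constructed sample endpoints and policies (ordered, first match wins).
ENDPOINTS = [
    Endpoint("pc1", True, ["192.0.2.1"], True, {"av_running": True, "os_build": 19045}),
    Endpoint("pc2", True, ["192.0.2.1"], True, {"av_running": False, "os_build": 19045}),
    Endpoint("pc3", True, [], True, {"av_running": True, "os_build": 18000}),
]
POLICIES = [(("av_running", "os_patched"), "allow_internal"), (("os_patched",), "allow_web_only")]
```

Note that pc3 fails the registration check only because it never received a Telemetry gateway list, and its policy result is an implicit deny because it is not in every group a policy requires.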