EMS Administration Guide

Adding a compliance verification rule

  1. Go to Compliance Verification > Compliance Verification Rules, and click Add.
  2. In the Name field, enter the desired rule name.
  3. Toggle Status on or off to enable or disable the rule.
  4. For Type, select Windows, Mac, or Linux. This affects what rule types are available.
  5. From the Rule dropdown list, select the rule type and configure the related options. Ensure that you click the + button after entering each criterion.

    Rule types and their descriptions:

    Certificate

    In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can enter multiple certificates using the + button. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present on the endpoint.

    The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

    Logged in Domain

    In the Domain field, enter the domain name. You can enter multiple domain names using the + button. If the rule is configured for multiple domains, the endpoint is considered to satisfy the rule if it belongs to any one of the configured domains. This option is not available for Linux endpoints.

    File

    In the File field, enter the file path. You can enter multiple files using the + button. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.

    The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

    OS Version

    From the OS Version field, select the OS version. You can enter multiple OS versions using the + button. If the rule is configured for multiple OS versions, the endpoint is considered to satisfy the rule if it has any one of the configured OS versions installed.

    Running Process

    In the Running Process field, enter the process name. You can enter multiple processes using the + button. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.

    The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

    Registry Key

    In the Registry Key field, enter the registry key value. You can enter multiple values using the + button. You can also use the NOT option to indicate that the rule requires that a certain registry key is not present on the endpoint.

    The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.

    This option is only available for Windows endpoints.

    Vulnerable Devices

    From the Severity Level dropdown list, select the desired vulnerability severity level. You can select multiple severity levels using the + button. If the rule is configured for multiple severity levels, the endpoint is considered to satisfy the rule if it has vulnerabilities of any one of the configured severity levels present.

  6. Under Assign to, select All.
  7. In the Tag endpoint as dropdown list, select an existing tag or enter a new tag. EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
  8. Click Save.
Note

For some rule types, such as the Running Process rule type, the endpoint must satisfy all conditions to satisfy the rule. There may be situations where you want endpoints that satisfy different conditions to be in the same dynamic group. Consider that you want endpoints that are running Process A or Process B in the "RP" dynamic group. In this case, you can create two rules: one for endpoints running Process A and another rule for endpoints running Process B. You can configure both rules to apply the "RP" tag to place endpoints running either process in the same dynamic group.
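The matching logic the table and note describe, as an added model in Python (not EMS code and not from the guide): rule types with a NOT option AND all their criteria, the multi-value types (domain, OS version, severity) OR their values, and every enabled rule that matches contributes its tag, so two rules sharing the "RP" tag act as an OR. The rule-type keys, the `(value, negate)` criterion tuples and the endpoint fact dicts are assumed shapes chosen for the example.

```python
from dataclasses import dataclass

# Rule types where every criterion must hold; the NOT option means "must be absent".
ALL_OF_TYPES = {"certificate", "file", "running_process", "registry_key"}
# Rule types where any one configured value satisfies the rule (no NOT option).
ANY_OF_TYPES = {"logged_in_domain", "os_version", "vulnerable_devices"}


@dataclass
class Rule:
    name: str
    rule_type: str        # one of ALL_OF_TYPES | ANY_OF_TYPES
    criteria: list        # [(value, negate)]; negate=True models the NOT option
    tag: str              # the "Tag endpoint as" value
    enabled: bool = True  # the Status toggle


def rule_matches(rule: Rule, facts: dict) -> bool:
    """facts maps rule_type -> set of values observed on the endpoint (assumed shape)."""
    present = facts.get(rule.rule_type, set())
    if rule.rule_type in ALL_OF_TYPES:
        # AND over criteria: required items present, NOT items absent.
        return all((value in present) != negate for value, negate in rule.criteria)
    if rule.rule_type in ANY_OF_TYPES:
        # OR over the configured values.
        return any(value in present for value, _ in rule.criteria)
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def tags_for(facts: dict, rules: list) -> set:
    """Union of tags from every enabled rule the endpoint satisfies, so two rules
    sharing one tag behave as an OR, as in the guide's "RP" note."""
    return {r.tag for r in rules if r.enabled and rule_matches(r, facts)}


# Constructed sample data (not from the page): the "RP" note plus a NOT criterion.
RULES = [
    Rule("rp-a", "running_process", [("ProcessA.exe", False)], "RP"),
    Rule("rp-b", "running_process", [("ProcessB.exe", False)], "RP"),
    Rule("agent-ok", "running_process", [("Agent.exe", False), ("Unwanted.exe", True)], "Protected"),
    Rule("old-os", "os_version", [("Windows 10", False), ("Windows 8.1", False)], "LegacyOS"),
]
ENDPOINTS = {
    "host1": {"running_process": {"ProcessA.exe", "Agent.exe"}, "os_version": {"Windows 11"}},
    "host2": {"running_process": {"ProcessB.exe", "Agent.exe", "Unwanted.exe"}, "os_version": {"Windows 10"}},
    "host3": {"running_process": {"Agent.exe"}, "os_version": {"Windows 10"}},
}

def evaluate_all() -> dict:
    """Tags each sample endpoint would receive under RULES."""
    return {host: tags_for(facts, RULES) for host, facts in ENDPOINTS.items()}
```

host2 runs Agent.exe but also Unwanted.exe, so the NOT criterion fails the "agent-ok" rule even though the required process is present; it still receives "RP" through the second of the two RP rules.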