
EMS Administration Guide

FortiClient EMS integrated with FortiGate

In this scenario, FortiClient Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy and to FortiGate to participate in the Fortinet Security Fabric. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version. See Configuring FortiOS dynamic policies using EMS dynamic endpoint groups.

FortiClient only registers to a FortiGate if all of the following are true:

  • FortiClient is registered to EMS.
  • FortiClient has received a Telemetry gateway list from EMS.
  • EMS has allocated a Fabric Agent license seat to the endpoint. A Fabric Agent license is required to register to the FortiGate. If the EMS server has only Sandbox Cloud licenses, FortiClient cannot register to FortiGates. See FortiClient EMS.

Note: If using a version of FortiOS earlier than 6.2.0, FortiClient endpoints can connect to the Security Fabric, but compliance enforcement is not supported.

When viewing the endpoint in the FortiClient EMS GUI, the endpoint's connection is shown as Managed by EMS and FortiTelemetry to <FortiGate hostname>.

When FortiClient Telemetry is connected to both EMS and FortiGate, the FortiClient GUI shows the connection status for both the EMS and FortiGate.

Depending on the EMS compliance verification rules and policies configured in FortiOS, the FortiClient endpoint may be blocked from accessing the network. The EMS administrator can adjust the endpoint configuration so that the endpoint regains network access.
