Configuring FortiOS dynamic policies using EMS dynamic endpoint groups
After you define compliance verification rules (see Adding a compliance verification rule), you can configure FortiOS to receive the EMS dynamic endpoint groups over the FSSO protocol using the "fortiems" FSSO agent type, which supports SSL and can verify the EMS server against an imported trusted certificate. When the membership of a dynamic endpoint group changes, EMS pushes the update to FortiOS, and FortiOS updates the firewall policies that reference that group. This feature requires FortiOS 6.2.0 or a later version.
The following configuration is necessary for this feature:
- In FortiClient EMS, create compliance verification rules.
- After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the compliance verification rules.
- In FortiOS, create a fortiems FSSO agent that points at EMS, an FSSO group for each EMS tag, and a user group that contains those FSSO groups, so that FortiOS receives the dynamic endpoint groups from EMS.
- In FortiOS, create a dynamic firewall policy for the user group.
When a dynamic endpoint group event occurs (such as an endpoint being added to or removed from a dynamic endpoint group), EMS sends the updates to FortiOS. FortiOS updates firewall policies accordingly, providing dynamic access control based on endpoint status.
EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.
Create a compliance verification rule to dynamically group endpoints. See Adding a compliance verification rule.
After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints using tags by going to Compliance Verification > Host Tag Monitor. See Host Tag Monitor.
To create the fortiems FSSO agent:
In the FortiOS CLI, run the following commands, replacing <agent_name> with the name you want for the FSSO agent and <EMS_IP_address> with the IP address of the EMS server:
config user fsso
    edit "<agent_name>"
        set server "<EMS_IP_address>"
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "Fortinet_CA"
    next
end
In the above CLI sample, set ssl-trusted-cert is optional. When it is set, FortiOS checks the certificate that EMS presents on the SSL connection against the named trusted certificate. For this option to function, you must upload the corresponding certificate in EMS under System Settings > Server > EMS FSSO Settings.
To create the FSSO group:
In the FortiOS CLI, run the following commands. For the FSSO group name, use the format TAG_<tag_name>, where <tag_name> is the tag name configured in EMS as described in Adding a compliance verification rule. For example, if you configured the tag with the name "WIN10_EMS134" in EMS, the FSSO group name is TAG_WIN10_EMS134. For server-name, enter the name of the FSSO agent created in To create the fortiems FSSO agent.
config user adgrp
    edit "TAG_<tag_name>"
        set server-name "<agent_name>"
    next
end
To create the user group:
- In FortiOS, go to User & Device > User Groups. Click Create New.
- In the Name field, enter the desired name.
- For Type, select Fortinet Single Sign-On (FSSO).
- In the Members field, click +. The Select Entries pane appears. You can identify the dynamic endpoint groups pulled from EMS because the names begin with TAG_, followed by the tag name from EMS.
- Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
- Click OK.
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.
FortiOS will update this policy when it receives updates from EMS.
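The whole procedure above, as an added FortiOS CLI example that is not from the original page or from Fortinet: the fortiems FSSO agent, the FSSO group for the EMS tag WIN10_EMS134 (the tag name used in the example above), the FSSO user group, and the IPv4 policy that the GUI steps create. The EMS address 192.0.2.10, the agent name ems_fsso, the user group name ems_win10_compliant, the policy name and the interface names port2 and port1 are assumptions; replace them with your own values. The two diagnose commands at the end are standard FortiOS FSSO diagnostics for checking that the agent connection is up and that the TAG_ group has members.

```fortios
# Added example (not from the original page). Assumed values: EMS at 192.0.2.10,
# agent name ems_fsso, user group ems_win10_compliant, interfaces port2 (LAN) and port1 (WAN).

# 1. FSSO agent of type fortiems pointing at EMS. SSL is enabled and the EMS
#    certificate is verified against the trusted certificate that was uploaded
#    in EMS under System Settings > Server > EMS FSSO Settings.
config user fsso
    edit "ems_fsso"
        set type fortiems
        set server "192.0.2.10"
        set ssl enable
        set ssl-trusted-cert "Fortinet_CA"
    next
end

# 2. FSSO group named after the EMS tag: TAG_ followed by the tag name WIN10_EMS134.
config user adgrp
    edit "TAG_WIN10_EMS134"
        set server-name "ems_fsso"
    next
end

# 3. FSSO user group whose members are the dynamic endpoint groups pulled from EMS.
config user group
    edit "ems_win10_compliant"
        set group-type fsso-service
        set member "TAG_WIN10_EMS134"
    next
end

# 4. IPv4 policy whose source is the user group, so only endpoints currently in
#    the EMS dynamic group match it. Narrow dstaddr and service to what these
#    endpoints actually need; "all"/"ALL" are placeholders.
config firewall policy
    edit 0
        set name "ems_win10_dynamic"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ems_win10_compliant"
        set nat enable
    next
end

# 5. Checks: confirm the connection to the EMS FSSO agent is established, then
#    list the endpoints EMS has reported as members of the TAG_ group.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

Because the policy carries a user group, it matches only traffic from source addresses that FortiOS has mapped to a member of TAG_WIN10_EMS134 through the FSSO updates from EMS; traffic from any other endpoint does not match and falls through to the policies below it, so place an explicit deny or a more restrictive policy after this one. If the endpoint does not appear in the output of diagnose debug authd fsso list, check the agent state with server-status first, then confirm in EMS (Compliance Verification > Host Tag Monitor) that the endpoint actually carries the tag.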