EMS Administration Guide

Configuring FortiOS dynamic policies using EMS dynamic endpoint groups

After defining compliance verification rules as described in Adding a compliance verification rule, you can configure FortiOS to receive the dynamic endpoint groups from EMS over the FSSO protocol, using the "fortiems" FSSO agent type. This agent type supports SSL and can be pointed at a trusted certificate so that FortiOS verifies the certificate EMS presents. When a dynamic endpoint group changes, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly. This feature requires FortiOS 6.2.0 or later.

The following configuration is necessary for this feature:

  1. In FortiClient EMS, create compliance verification rules.
  2. After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the compliance verification rules.
  3. In FortiOS, configure the following options to allow FortiOS to receive dynamic endpoint groups from EMS:
    1. Create the fortiems FSSO agent.
    2. Configure EMS FSSO groups.
    3. Create a user group based on EMS dynamic endpoint groups.
  4. In FortiOS, create a dynamic firewall policy for the user group.

When a dynamic endpoint group event occurs (such as an endpoint being added to or removed from a dynamic endpoint group), EMS sends the updates to FortiOS. FortiOS updates firewall policies accordingly, providing dynamic access control based on endpoint status.

EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.

To add a compliance verification rule in EMS:

Create a compliance verification rule to dynamically group endpoints. See Adding a compliance verification rule.

To ensure EMS has dynamically grouped endpoints:

After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints using tags by going to Compliance Verification > Host Tag Monitor. See Host Tag Monitor.

To create the fortiems FSSO agent:

Run the following commands in the FortiOS CLI:

config user fsso
    edit "<agent_name>"
        set server "<EMS_IP_address>"
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "Fortinet_CA"
    next
end

In the above CLI sample, set ssl-trusted-cert is optional. When it is set, FortiOS accepts the SSL connection only if the certificate that EMS presents is trusted by the named certificate; without it, the connection is encrypted but the EMS identity is not verified. For this option to function, you must upload a certificate in EMS under System Settings > Server > EMS FSSO Settings.

To configure EMS FSSO groups in FortiOS:

In the FortiOS CLI, run the following commands. For the FSSO group name, use the format TAG_<tag_name>, where <tag_name> is the tag name configured in EMS as described in Adding a compliance verification rule. For example, if you configured the tag with the name "WIN10_EMS134" in EMS, the FSSO group name is TAG_WIN10_EMS134. For server-name, enter the FSSO agent name configured in To create the fortiems FSSO agent.

config user adgrp
    edit "TAG_<tag_name>"
        set server-name "<agent_name>"
    next
end

To create a user group based on EMS dynamic groups:

  1. In FortiOS, go to User & Device > User Groups. Click Create New.
  2. In the Name field, enter the desired name.
  3. For Type, select Fortinet Single Sign-On (FSSO).
  4. In the Members field, click +. The Select Entries pane appears. You can identify the dynamic endpoint groups pulled from EMS because the names begin with TAG_, followed by the tag name from EMS.
  5. Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
  6. Click OK.

To create a dynamic firewall policy for the user group:

You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.

  1. In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
  2. In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
  3. Configure other options as desired. Click OK.
  4. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.
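The complete chain from the procedure above, expressed as a single FortiOS CLI configuration. This is an added example and not configuration taken from the guide: the agent name EMS-FSSO, the EMS address 192.0.2.10, the interface names port2 (LAN) and port1 (WAN), and the user group and policy names are assumed values; the tag WIN10_EMS134 is the one used as an example earlier on this page. The user group and firewall policy are created in the CLI here instead of the GUI, and the two diagnose commands at the end are the standard FortiOS checks for the agent connection and the current FSSO user list. Lines beginning with # are annotations.

```fortios
# Added example with assumed values (EMS-FSSO, 192.0.2.10, port1/port2, group and policy names).
# 1. FSSO agent of type fortiems, with SSL and certificate verification against the factory CA.
config user fsso
    edit "EMS-FSSO"
        set type fortiems
        set server "192.0.2.10"
        set ssl enable
        set ssl-trusted-cert "Fortinet_CA"
    next
end

# 2. FSSO group matching the EMS tag name, prefixed with TAG_.
config user adgrp
    edit "TAG_WIN10_EMS134"
        set server-name "EMS-FSSO"
    next
end

# 3. FSSO user group whose members are the endpoints EMS currently reports under the tag.
config user group
    edit "EMS_Win10_Compliant"
        set group-type fsso-service
        set member "TAG_WIN10_EMS134"
    next
end

# 4. Dynamic policy: matches only traffic from endpoints that EMS has placed in the tag.
config firewall policy
    edit 0
        set name "EMS-Win10-Compliant-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "EMS_Win10_Compliant"
        set nat enable
    next
end

# Verification: agent connection state, then the IP-to-group mappings received from EMS.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

Because the policy carries an FSSO group, a source address of "all" does not make it match every host: only traffic from IP addresses that EMS has reported as members of TAG_WIN10_EMS134 matches, and traffic from any other host falls through to the next policy or the implicit deny. Place this policy above any broader policy for the same interfaces if the intent is to grant compliant endpoints access that non-compliant ones do not get, and confirm with diagnose debug authd fsso list that an endpoint's IP appears with the expected group before relying on the rule. In production, point ssl-trusted-cert at the certificate, or its issuing CA, that you uploaded in EMS under System Settings > Server > EMS FSSO Settings rather than leaving the check off.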
