Fortinet Document Library

Version: 6.2.0
Dynamic endpoint grouping/tagging and EMS connector (endpoint compliance)

As part of the Security Fabric, you can now configure categorization rules on EMS to dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint groups when host compliance or other events happen. You can combine the endpoint groups with FortiGate firewall policies to provide dynamic access control based on endpoint status.

You can dynamically group endpoints by OS type, OS version, certificate, logged in domain, files, running applications/processes, registry keys, and more. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the compliance verification rules.

You can selectively block, allow, or present a captive portal to endpoint groups based on their real-time compliance status.

You can configure EMS to send requests for tags to registered endpoints. Each endpoint responds by sending the values of matching tags to EMS in the endpoint control protocol keepalive messages. You can configure FortiGates to retrieve endpoint tags from EMS. You can use the tags in FortiGate firewall policies.

This feature requires three main components:

  • FortiClient (Windows, macOS, or Linux)
  • EMS
  • FortiGate

This feature is new to 6.2.0 and requires that all components are running 6.2.0 or a newer version.

To configure EMS for dynamic endpoint grouping:

  1. In EMS, create a Telemetry gateway list:
    1. Go to Telemetry Gateway Lists > Manage Telemetry Gateway Lists.
    2. Click Add.
    3. Configure the new gateway list as desired. Add the IP address of the FortiGate that the endpoints should register to.
  2. Create a profile:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Click Add.
    3. Configure the security features in the profile as desired.
    4. If you want the host tags to display on the FortiClient GUI, on the System Settings tab, enable Show Host Tag on FortiClient & FortiClient EMS GUI. By default, the FortiClient GUI does not display host tags.
  3. Create a policy:
    1. Go to Endpoint Policy > Manage Policies.
    2. Click Add.
    3. Configure the new policy. Select the desired group or Active Directory organizational unit (OU), profile, and Telemetry gateway list.
  4. Create host verification rules:
    1. Go to Compliance Verification > Compliance Verification Rules.
    2. Click Add.
    3. Configure rules and tags as desired.
To configure FortiOS for dynamic endpoint grouping:

    config user fsso
        edit "ems_user"
            set server 10.127.121.21
            set type fortiems
            set ssl enable
        next
    end

    config user adgrp
        edit "ems_group"
            set server-name "ems_user"
        next
    end

    config user group
        edit "ems_service"
            set group-type fsso-service
            set member "ems_group"
        next
    end

To configure FortiClient for dynamic endpoint grouping:

Ensure that FortiClient is registered to EMS. If FortiClient is not registered to EMS, manually enter the EMS IP address in the FortiClient GUI on the Fabric Telemetry tab. FortiClient receives the assigned Telemetry gateway list and registers to the FortiGate on the gateway list. FortiClient then sends the tags to EMS.

To view the results:

  1. In EMS, go to Compliance Verification > Compliance Verification Rules to view all configured rules and tags.
  2. Go to Compliance Verification > Host Tag Monitor to view all tags and the endpoints that are currently applicable.
  3. Go to Compliance Verification > Fabric Device Monitor to view connected FortiGates.
  4. View the endpoint details. You can see that host verification tags have been applied. In this example, the endpoint is running Firefox and has Windows 8.1 or 10 installed, and therefore has the has_firefox and winos tags applied according to the compliance verification rules.
  5. In the FortiOS CLI, run the diag debug authd fsso list command to view received endpoint tags:

    ----FSSO logons----
    IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
    IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
    Total number of logons listed: 2, filtered: 0
    ----end of FSSO logons----

  6. Run the diag debug enable command, then the diag debug authd fsso server-status command to view the EMS that the FortiGate is connected to:
  7. Disable debug mode by running the diag debug disable command.
  8. View the tags that FortiClient sends on the avatar page in the FortiClient GUI.
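The FSSO logon list in step 5 is the point where an administrator can confirm that the tags EMS assigned actually reached the FortiGate: each Groups field carries the EMS group identifier first, followed by the host verification tags joined with "+", upper-cased relative to how EMS shows them (has_firefox becomes HAS_FIREFOX). The following script is an added example and is not part of the Fortinet documentation or of FortiOS. It parses a captured copy of that output, checks the record count against the summary line, and reports which endpoints would satisfy a policy that requires a given set of tags. The sample text embeds the two records shown on this page plus a third constructed record (IP 10.127.131.120, user CONSTRUCTED, workstation SAMPLEHOST) for an endpoint that carries no compliance tag, so the "block" path is exercised as well; the required-tag policy itself is an assumption for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diag debug authd fsso list` output: the two records
# shown on the page, plus one constructed record for an untagged endpoint.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
IP: 10.127.131.120 User: CONSTRUCTED Groups: 0123456789ABCDEF0123456789ABCDEF Workstation: SAMPLEHOST
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

# One logon record per line; header, footer and summary lines do not match.
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+"
    r"Groups:\s*(?P<groups>\S+)\s+Workstation:\s*(?P<ws>\S+)\s*$"
)


@dataclass
class EndpointLogon:
    ip: str
    user: str
    workstation: str
    ems_group_id: str  # the identifier that leads the Groups field
    tags: frozenset = field(default_factory=frozenset)  # tags as FortiOS lists them (upper case)


def parse_fsso_list(text: str) -> list[EndpointLogon]:
    """Parse the logon records out of captured `diag debug authd fsso list` output."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        # The Groups field is the EMS group id followed by "+"-joined host tags.
        parts = m.group("groups").split("+")
        logons.append(EndpointLogon(
            ip=m.group("ip"),
            user=m.group("user"),
            workstation=m.group("ws"),
            ems_group_id=parts[0],
            tags=frozenset(parts[1:]),
        ))
    return logons


def parse_summary_count(text: str):
    """Return the count from the 'Total number of logons listed' line, or None if absent."""
    m = re.search(r"Total number of logons listed:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def evaluate(logon: EndpointLogon, required_tags):
    """Decide allow/block for one endpoint under an assumed require-all-tags policy.

    Tag names are compared in upper case because EMS displays them in lower case
    (has_firefox) while FortiOS lists them upper-cased (HAS_FIREFOX).
    Returns (decision, sorted list of missing tags).
    """
    required = {t.upper() for t in required_tags}
    missing = sorted(required - logon.tags)
    return ("allow" if not missing else "block", missing)


def audit(text: str, required_tags):
    """Map each endpoint IP to its policy decision, refusing output whose summary
    count disagrees with the number of records parsed (a sign of a truncated capture)."""
    logons = parse_fsso_list(text)
    count = parse_summary_count(text)
    if count is not None and count != len(logons):
        raise ValueError(f"summary reports {count} logons but {len(logons)} were parsed")
    return {l.ip: evaluate(l, required_tags) for l in logons}


if __name__ == "__main__":
    for ip, (decision, missing) in audit(SAMPLE_FSSO_LIST, ["has_firefox", "winos"]).items():
        print(f"{ip}: {decision}" + (f" (missing {', '.join(missing)})" if missing else ""))
```

Run the script against output pasted from your own FortiGate to spot endpoints whose tags did not arrive; a record with only the group identifier and no tags usually means the compliance verification rule did not match on that host or the FortiClient keepalive has not yet delivered the tag values.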
