Dynamic endpoint grouping/tagging and EMS connector (endpoint compliance)
As part of the Security Fabric, you can now configure categorization rules on EMS to dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint groups when host compliance or other events happen. You can combine the endpoint groups with FortiGate firewall policies to provide dynamic access control based on endpoint status.
You can dynamically group endpoints by OS type, OS version, certificate, logged in domain, files, running applications/processes, registry keys, and more. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the compliance verification rules.
You can selectively block, allow, or captive portal display endpoint groups based on their real-time compliance statuses.
You can configure EMS to send requests for tags to registered endpoints. Each endpoint responds by sending the values of matching tags to EMS in the endpoint control protocol keepalive messages. You can configure FortiGates to retrieve endpoint tags from EMS. You can use the tags in FortiGate firewall policies.
This feature requires three main components:
- FortiClient (Windows, macOS, or Linux)
This feature is new to 6.2.0 and requires that all components are running 6.2.0 or a newer version.
To configure EMS for dynamic endpoint grouping:
- In EMS, create a Telemetry gateway list:
- Create a profile:
- Go to Endpoint Profiles > Manage Profiles.
- Click Add.
- Configure the security features in the profile as desired.
- If you want the host tags to display on the FortiClient GUI, on the System Settings tab, enable Show Host Tag on FortiClient & FortiClient EMS GUI. By default, the FortiClient GUI does not display host tags.
- Create a policy:
- Go to Endpoint Policy > Manage Policies.
- Click Add.
- Configure the new policy. Select the desired group or Active Directory organizational unit (OU), profile, and Telemetry gateway list.
- Create host verification rules:
- Go to Compliance Verification > Compliance Verification Rules.
- Click Add.
- Configure rules and tags as desired.
To configure FortiOS for dynamic endpoint grouping:
config user fsso
set server 10.127.121.21
set type fortiems
set ssl enable
config user adgrp
set server-name "ems_user"
config user group
set group-type fsso-service
set member "ems_group"
To configure FortiClient for dynamic endpoint grouping:
Ensure that FortiClient is registered to EMS. If FortiClient is not registered to EMS, manually enter the EMS IP address in the FortiClient GUI on the Fabric Telemetry tab. FortiClient receives the assigned Telemetry gateway list and registers to the FortiGate on the gateway list. FortiClient then sends the tags to EMS.
To view the results:
- In EMS, go to Compliance Verification > Compliance Verification Rules to view all configured rules and tags.
- Go to Compliance Verification > Host Tag Monitor to view all tags and the endpoints that are currently applicable.
- Go to Compliance Verification > Fabric Device Monitor to view connected FortiGates.
- View the endpoint details. You can see that host verification tags have been applied. In this example, the endpoint is running Firefox and has Windows 8.1 or 10 installed, and therefore has the has_firefox and winos tags applied according to the compliance verification rules.
In the FortiOS CLI, run the
diag debug authd fsso listcommand to view received endpoint tags:
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
- Run the
diag debug enablecommand, then the
diag debug authd fsso server-statuscommand to view the EMS that the FortiGate is connected to:
- Disable debug mode by running the
diag debug disablecommand.
- View the tags that FortiClient sends on the avatar page in the FortiClient GUI.