Configuring FortiOS dynamic policies using EMS dynamic endpoint groups
After defining compliance verification rules as described in Adding a compliance verification rule set, you can configure FortiOS to receive the dynamic endpoint groups from EMS via the FSSO protocol, using the new "fortiems" FSSO agent type, which supports SSL and validates the EMS connection against an imported trusted certificate. When a change to the dynamic endpoint groups occurs, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly. This feature is only available for FortiOS 6.2.0 or a later version.
The following configuration is necessary for this feature:
- In FortiClient EMS, create compliance verification rules.
- After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the compliance verification rules.
- In FortiOS, configure the FSSO agent options described below to allow FortiOS to pull dynamic endpoint groups from EMS.
- In FortiOS, create a dynamic firewall policy for the user group.
When a dynamic endpoint group event occurs (such as an endpoint being added to or removed from a dynamic endpoint group), EMS sends the updates to FortiOS. FortiOS updates firewall policies accordingly, providing dynamic access control based on endpoint status.
EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.
Create a compliance verification rule to dynamically group endpoints. See Adding a compliance verification rule set.
After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints using tags by going to Compliance Verification > Host Tag Monitor. See Host Tag Monitor.
config user fsso
    edit "<EMS_agent_name>"
        set server "<EMS_IP_address>"
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "<certificate_name>"
        set group-poll-interval <desired interval in minutes>
    next
end
group-poll-interval is only available for FortiOS 6.2.2 and later versions. In FortiOS 6.2.0 and 6.2.1, you can go to Security Fabric > Fabric Connectors, open the EMS connector editing page, then click Apply & Refresh to fetch endpoint grouping data from EMS.
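The two settings that matter for the security of this link are ssl enable and ssl-trusted-cert: without them the group updates FortiOS receives from EMS are neither encrypted nor tied to a known EMS certificate. The following added example (not part of the Fortinet documentation) parses a config user fsso block in the CLI syntax shown above and flags fortiems agents that are missing either setting; the agent names, addresses and certificate name in the sample are constructed, and a missing ssl line is treated as not enabled, which is an assumption.

```python
# Constructed sample of "show user fsso" style CLI text (not a real device dump):
# one hardened "fortiems" agent and one that skips TLS entirely.
SAMPLE_CONFIG = """\
config user fsso
    edit "ems-prod"
        set server "192.0.2.10"
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "EMS_CA"
        set group-poll-interval 5
    next
    edit "ems-lab"
        set server "192.0.2.11"
        set type fortiems
        set ssl disable
    next
end
"""

NO_SSL = "ssl not enabled: EMS group updates arrive in cleartext"
NO_CERT = "ssl-trusted-cert not set: EMS certificate is not validated"


def parse_user_fsso(cli_text):
    """Return {agent_name: {setting: value}} for each edit block under 'config user fsso'."""
    entries, current, in_block = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config user fsso":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return entries


def check_fortiems_agents(cli_text):
    """Return (agent_name, finding) pairs for fortiems agents lacking TLS or a trusted cert."""
    findings = []
    for name, s in parse_user_fsso(cli_text).items():
        if s.get("type") != "fortiems":
            continue  # only the EMS agent type is in scope here
        if s.get("ssl") != "enable":  # assumption: absent line means not enabled
            findings.append((name, NO_SSL))
        elif not s.get("ssl-trusted-cert"):
            findings.append((name, NO_CERT))
    return findings
```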
- In FortiOS, go to User & Device > User Groups. Click Create New.
- In the Name field, enter the desired name.
- For Type, select Fortinet Single Sign-On (FSSO).
- In the Members field, click +. The Select Entries pane appears, listing the dynamic endpoint groups pulled from EMS.
- Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
- Click OK.
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.
FortiOS will update this policy when it receives updates from EMS.