Quarantining an endpoint from FortiOS using EMS
The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected:
- FortiGate
- FortiAnalyzer
- FortiClient EMS
You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.
This configuration functions as follows:
- FortiClient sends logs to the FortiAnalyzer.
- FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
- FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
- EMS searches for the endpoint and sends a quarantine message to it.
- The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
FortiClient (Linux) does not support this feature.
The following prerequisites must be met for FortiClient, EMS, and the FortiGate.
FortiClient must be installed on the endpoint and connected to both EMS and the FortiGate. In EMS:
- You must create a profile for the endpoint. See Creating a profile to configure FortiClient.
- You must create a Telemetry gateway list that contains the FortiGate's IP address for the endpoint. See Creating a Telemetry gateway list.
- You must create and configure an endpoint policy that uses the desired profile and Telemetry gateway list for the desired endpoint group. See Adding an endpoint policy.
- You must enable Remote HTTPS access, since the FortiGate sends the quarantine request to EMS over HTTPS. See Configuring Server settings.
Before automation can be triggered, you must configure the following:
- Configure an automation trigger.
- Configure an automation object.
- Configure an automation stitch.
- Configure an EMS firewall address object. This is only required if using a FortiOS version earlier than 6.2.0.
- Configure EMS endpoint control.
The trigger, action, and stitch are created as named entries. The trigger fires on high-level IoC events, the action quarantines the FortiClient endpoint, and the stitch ties the two together. <stitch_name> is the name you choose for the stitch. Setting minimum-interval to 0 means the action is run for every matching IoC event rather than being rate-limited to once per interval:
config system automation-trigger
    edit "trigger01"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end
config system automation-action
    edit "action01"
        set action-type quarantine-forticlient
        set minimum-interval 0
    next
end
config system automation-stitch
    edit <stitch_name>
        set status enable
        set trigger "trigger01"
        set action "action01"
    next
end
This step is only necessary when using a version of FortiOS prior to 6.2.0.
config firewall address
    edit "EMS01"
        set type ipmask
        set subnet <EMS_IP_address> 255.255.255.255
    next
end
There are separate instructions when using FortiOS 6.2.0 or a later version, and a version of FortiOS earlier than 6.2.0.
If using FortiOS 6.2.0 or a later version, do the following:
- Go to Security Fabric > Settings.
- Enable FortiClient Endpoint Management System (EMS).
- In the Name field, enter the desired EMS name.
- In the IP/Domain Name field, enter the EMS IP address or FQDN.
- In the Serial Number field, enter the EMS serial number. You can find this in the System Information widget on the EMS dashboard.
- In the Admin User field, enter the EMS admin username.
- In the Password field, enter the admin user's password.
- Click Apply.
If using a FortiOS version earlier than 6.2.0, enter the following commands in the CLI. In the commands below, <EMS_name> is the name you choose for the EMS entry on the FortiGate, "EMS01" is the firewall address object created in the previous step, <EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and <PASSWORD> is the EMS administrator's password:
config endpoint-control forticlient-ems
    edit <EMS_name>
        set address "EMS01"
        set serial-number <EMS_SERIAL_NUMBER>
        set rest-api-auth userpass
        set https-port 443
        set admin-username <EMS_ADMIN>
        set admin-password <PASSWORD>
        set admin-type Windows
    next
end
Once the prerequisites are met, you can trigger the quarantine manually to verify the setup. The following command queues the quarantine action for the endpoint at <endpoint_ip_address>:
diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>
After this action, both EMS and FortiOS show that the endpoint is quarantined. Because a quarantined endpoint blocks all of its network traffic, test with a non-production endpoint first.
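The procedure above, as an added example that is not part of the Fortinet page: a POSIX shell script that emits the trigger, action, and stitch configuration, chooses the pre-6.2.0 CLI form of EMS registration or a GUI reminder from the FortiOS version string, and validates the endpoint address before building the manual quarantine command. The entry names "stitch01" and the endpoint-control entry "EMS01", the helper names, and the sample values (192.0.2.x addresses, serial FCTEMS0000000000) are this example's own assumptions; the EMS password is left as the page's <PASSWORD> placeholder so it never lands in a script file.

```shell
#!/bin/sh
# Added example, not Fortinet's code: build a pasteable FortiOS CLI script
# for the EMS quarantine stitch. Names and sample values are assumptions.
set -u

# Return 0 when a FortiOS version string such as "6.0.9" is earlier than
# 6.2.0. Fields are compared numerically; a plain string comparison would
# treat "6.10.1" as earlier than "6.2.0".
fos_ver_lt_620() {
    ver=$1
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    major=${1:-0}
    minor=${2:-0}
    [ "$major" -lt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -lt 2 ] && return 0
    return 1
}

# Accept only a dotted-quad IPv4 address with octets 0-255, so that nothing
# else is ever interpolated into a CLI command line.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit trigger/action/stitch plus EMS registration for the given version.
# $1 FortiOS version, $2 EMS IP, $3 EMS serial number, $4 EMS admin user.
gen_quarantine_config() {
    ver=$1 ems_ip=$2 ems_sn=$3 ems_admin=$4
    valid_ipv4 "$ems_ip" || { echo "invalid EMS IP: $ems_ip" >&2; return 1; }
    cat <<EOF
config system automation-trigger
    edit "trigger01"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end
config system automation-action
    edit "action01"
        set action-type quarantine-forticlient
        set minimum-interval 0
    next
end
config system automation-stitch
    edit "stitch01"
        set status enable
        set trigger "trigger01"
        set action "action01"
    next
end
EOF
    if fos_ver_lt_620 "$ver"; then
        # Pre-6.2.0: address object plus endpoint-control entry.
        cat <<EOF
config firewall address
    edit "EMS01"
        set type ipmask
        set subnet $ems_ip 255.255.255.255
    next
end
config endpoint-control forticlient-ems
    edit "EMS01"
        set address "EMS01"
        set serial-number $ems_sn
        set rest-api-auth userpass
        set https-port 443
        set admin-username $ems_admin
        set admin-password <PASSWORD>
        set admin-type Windows
    next
end
EOF
    else
        echo "# FortiOS $ver: register EMS under Security Fabric > Settings in the GUI"
    fi
}

# Build the manual quarantine command for one endpoint, refusing bad input.
quarantine_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 %s\n' "$1"
}

# Usage with constructed placeholder values:
gen_quarantine_config "6.0.9" "192.0.2.10" "FCTEMS0000000000" "admin"
quarantine_cmd "192.0.2.55"
```

Run it with the real version, EMS address, serial number and admin user, then paste the output into the FortiGate CLI and supply the password interactively; the 6.2.0-or-later branch prints only a reminder because EMS is registered from the GUI there.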