Using certificate Fabric authentication

As FortiOS Fabric authentication moves towards certificate-based authentication, this feature adds certificate-based authentication for the Fabric connection between FortiOS and FortiClient Cloud. The FortiClient Cloud administrator can authorize or deny a connection request from a FortiGate. An authorized connection request establishes the Fabric connection between FortiOS and FortiClient Cloud.

To configure FortiOS:
  1. Enable FortiHeartbeat:

    config system interface
        edit "wan1"
            set fortiheartbeat enable
        next
    end

  2. Configure FortiClient Cloud:

    config endpoint-control fctems
        edit "ems-cloud"
            set serial-number ''
            set fortinetone-cloud-authentication enable
            set source-ip 0.0.0.0
            set call-timeout 5000
        next
    end

To enable remote HTTPS access in FortiClient Cloud:
  1. Go to System Settings > Server.
  2. Under Shared Settings, enable Remote HTTPS access. Ensure that the HTTPS port is defined as 443.

To establish the Fabric connection between FortiOS and FortiClient Cloud:
  1. Test Fabric device connectivity from FortiOS by entering the diagnose endpoint fctems-test-connectivity ems95 command. FortiClient Cloud should respond with a Not authorized message.
  2. Log in to FortiClient Cloud. Do one of the following:
    1. A popup notification prompts you to authorize or deny the Fabric connection for access from that particular FortiGate. The authorization request includes the FortiGate hostname, serial number, and IP address. Click Authorize.
    2. If you do not see a popup notification, you can also authorize Fabric devices in Administration > Fabric Devices. This page shows devices pending authorization with a yellow question mark.

      Click the desired device, then click Authorize.

  3. Go to Administration > Fabric Devices. Verify that the Fabric connection is established between FortiOS and FortiClient Cloud. The connection's status displays as authorized.

  4. Repeat step 1 to test Fabric device connectivity from FortiOS. FortiClient Cloud should respond with a Connection test passed message.
  5. After FortiClient Cloud authorizes a Fabric device, FortiOS can quarantine an endpoint and remove it from quarantine via FortiClient Cloud. To quarantine an endpoint, run the diagnose endpoint fctems-queue-complete-calls Q-<endpoint IP address> command. For example, if the endpoint's IP address is 192.168.10.204, the command would be diagnose endpoint fctems-queue-complete-calls Q-<192.168.10.204>. The response should be SUCCESS! Queued the <call> 'Q-<endpoint IP address>'.<call> stats: total=1, valid=1, queued=1.

  6. To remove the endpoint from quarantine, run the diagnose endpoint fctems-queue-complete-calls U-<endpoint IP address> command.
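The following helper is an added example, not Fortinet code: it builds the Q-/U- quarantine commands from steps 5 and 6 after validating the endpoint IP, and interprets the connectivity-test and queue replies quoted above. The reply formats and the command names are taken from this procedure; everything else (function names, sample replies) is constructed here.

```python
import ipaddress
import re

# Added helper (not Fortinet's code). Command templates follow the diagnose
# commands in this procedure; sample replies are constructed from the quoted
# responses.
CONNECTIVITY_TEST = "diagnose endpoint fctems-test-connectivity {ems}"
QUEUE_CALL = "diagnose endpoint fctems-queue-complete-calls {action}-{ip}"

_STATS_RE = re.compile(r"stats:\s*total=(\d+),\s*valid=(\d+),\s*queued=(\d+)")


def build_quarantine_command(endpoint_ip: str, release: bool = False) -> str:
    """Return the Q-<ip> (quarantine) or U-<ip> (release) diagnose command.

    The address is validated first, so a typo or a stray '<...>' copied from
    documentation raises ValueError instead of reaching the device CLI.
    """
    ip = ipaddress.ip_address(endpoint_ip.strip())
    action = "U" if release else "Q"
    return QUEUE_CALL.format(action=action, ip=str(ip))


def connectivity_status(reply: str) -> str:
    """Map a fctems-test-connectivity reply to the Fabric authorization state."""
    text = reply.strip().lower()
    if "connection test passed" in text:
        return "authorized"
    if "not authorized" in text:
        return "pending-authorization"
    return "unknown"


def call_was_queued(reply: str) -> bool:
    """True only if the reply reports SUCCESS and every call was valid and queued."""
    if not reply.startswith("SUCCESS!"):
        return False
    match = _STATS_RE.search(reply)
    if not match:
        return False
    total, valid, queued = (int(x) for x in match.groups())
    return total >= 1 and total == valid == queued


if __name__ == "__main__":
    # Constructed sample replies matching the responses quoted in the procedure.
    print(build_quarantine_command("192.168.10.204"))
    print(connectivity_status("Not authorized"))
    print(call_was_queued("SUCCESS! Queued the <call> 'Q-192.168.10.204'."
                          "<call> stats: total=1, valid=1, queued=1"))
```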
