EMS Administration Guide

Configuring FortiOS dynamic policies using EMS dynamic endpoint groups

After defining compliance verification rules as described in Adding a compliance verification rule set, you can configure FortiOS to receive the dynamic endpoint groups from EMS via the FSSO protocol, using the new "fortiems" FSSO agent type which supports SSL and imports trusted certificates. When a change to the dynamic endpoint groups occurs, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly. This feature is only available for FortiOS 6.2.0 or a later version.

The following configuration is necessary for this feature:

  1. In FortiClient EMS, create compliance verification rules.
  2. After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the compliance verification rules.
  3. In FortiOS, configure the following options to allow FortiOS to pull dynamic endpoint groups from EMS:
    1. Create the fortiems FSSO agent.
    2. Create a user group based on EMS dynamic endpoint groups.
  4. In FortiOS, create a dynamic firewall policy for the user group.

When a dynamic endpoint group event occurs (such as an endpoint being added to or removed from a dynamic endpoint group), EMS sends the updates to FortiOS. FortiOS updates firewall policies accordingly, providing dynamic access control based on endpoint status.

EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.

To add a compliance verification rule in EMS:

Create a compliance verification rule to dynamically group endpoints. See Adding a compliance verification rule set.

To ensure EMS has dynamically grouped endpoints:

After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints using tags by going to Compliance Verification > Host Tag Monitor. See Host Tag Monitor.

To create the fortiems FSSO agent:

config user fsso
    edit "<agent_name>"
        set server "<EMS_IP_address>"
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "<certificate_name>"
        set group-poll-interval <desired interval in minutes>
    next
end

In the above CLI sample, set ssl-trusted-cert is optional. For this option to function, you must upload the same certificate in System Settings > Server > EMS FSSO Settings.

group-poll-interval is only available for FortiOS 6.2.2 and later versions. In FortiOS 6.2.0 and 6.2.1, you can go to Security Fabric > Fabric Connectors, open the EMS connector editing page, then click Apply & Refresh to fetch endpoint grouping data from EMS.

To create a user group based on EMS dynamic groups:

  1. In FortiOS, go to User & Device > User Groups. Click Create New.
  2. In the Name field, enter the desired name.
  3. For Type, select Fortinet Single Sign-On (FSSO).
  4. In the Members field, click +. The Select Entries pane appears. Select the dynamic endpoint groups pulled from EMS.
  5. Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
  6. Click OK.

To create a dynamic firewall policy for the user group:

You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.

  1. In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
  2. In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
  3. Configure other options as desired. Click OK.
  4. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.
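The three FortiOS steps above (FSSO agent, FSSO user group, IPv4 policy) expressed as one FortiOS CLI script, followed by the diagnose commands that confirm the groups arrived; this is an added example, not from the EMS guide. The EMS address 192.0.2.10, the certificate name "EMS_CA", the interfaces port1/port2 and the EMS dynamic group name "ems-compliant" are assumed placeholders, and the # lines are annotations.

```fortios
config user fsso
    edit "ems-fsso"
        set server "192.0.2.10"
        set type fortiems
        set ssl enable
        # Optional per the guide above; with it the FortiGate validates the EMS
        # server certificate against the one uploaded in EMS FSSO Settings.
        set ssl-trusted-cert "EMS_CA"
        set group-poll-interval 5
    next
end

# FSSO-type user group whose member is the EMS dynamic endpoint group. The
# member name must match exactly what "diagnose debug authd fsso list" shows.
config user group
    edit "ems-compliant-users"
        set group-type fsso-service
        set member "ems-compliant"
    next
end

# Dynamic IPv4 policy: only endpoints currently in the EMS group match it.
config firewall policy
    edit 0
        set name "allow-compliant-endpoints"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ems-compliant-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Verification: connector state, then the groups and logons FortiOS received.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

If the EMS group does not appear in the list output, check the Host Tag Monitor in EMS and the Apply & Refresh / group-poll-interval behaviour noted above before editing the policy.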
