Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 6.2.7 EMS Administration Guide
    6.2.7
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    On-net Detection Rules

    On-net Detection Rules

    You can configure on-net detection rules for endpoints. EMS uses the rules to determine if the endpoint is on-net or off-net. Depending on the endpoint's on-net status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

    Note

    On-net detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.1 and earlier versions, the On-Net Subnets setting in the endpoint profile determines on-net/off-net status. See System Settings.
    To add an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Click Add.
    3. In the Name field, enter the desired name.
    4. Enable or disable the rule by toggling Enable Rule on or off.
    5. In the IP Addresses/Subnet Masks field, enter the desired values. You can enter multiple values by clicking the + button.
    6. (Optional) In the Gateway MAC Addresses field, enter the desired values. You can enter multiple values by clicking the + button.
    7. Click Save.
    To edit an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Select the rule.
    3. Click Edit.
    4. Edit as desired.
    5. Click Save.
    To delete an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Click the desired rule.
    3. Click Delete.
    4. In the confirmation dialog, click Yes.
    To enable/disable an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Select or deselect the Enabled checkbox for the desired endpoint policy.

    Determining on-net/off-net status

    There are two settings in EMS that affect FortiClient on-net/off-net status:

    • DHCP on-net/off-net
    • On-net detection rules configured for the endpoint's assigned policy. See On-net Detection Rules.

    The table below shows how the DHCP on-net/off-net setting, on-net detection rules, and Option 224 serial number affect the endpoint's on-net/off-net status. DHCP on-net/off-net only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-net with that FortiGate.

    DHCP on-net/off-net

    On-net detection rules

    Option 224 serial number

    Resulting endpoint status

    Disabled

    Not configured

    N/A

    Endpoint is on-net when registered to EMS.

    Enabled

    Not configured

    Not configured

    Endpoint is off-net when registered to EMS.

    Enabled

    Not configured

    Configured

    On-net

    Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-net with that FortiGate.

    N/A

    Enabled, with subnet configured.

    Endpoint IP address is in the configured subnet.

    N/A

    On-net

    The endpoint is inside the on-net networks configured in the applied endpoint policy's on-net detection rules.

    N/A

    Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

    N/A

    Off-net

    The endpoint is outside the on-net networks configured in the applied endpoint policy's on-net detection rules.

    An endpoint has an offline off-net status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-net networks.

    An endpoint has an offline on-net status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-net networks, or if no on-net rules are configured within the assigned policy.

    Previous
    Next

    On-net Detection Rules

    On-net Detection Rules

    You can configure on-net detection rules for endpoints. EMS uses the rules to determine if the endpoint is on-net or off-net. Depending on the endpoint's on-net status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

    Note

    On-net detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.1 and earlier versions, the On-Net Subnets setting in the endpoint profile determines on-net/off-net status. See System Settings.
    To add an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Click Add.
    3. In the Name field, enter the desired name.
    4. Enable or disable the rule by toggling Enable Rule on or off.
    5. In the IP Addresses/Subnet Masks field, enter the desired values. You can enter multiple values by clicking the + button.
    6. (Optional) In the Gateway MAC Addresses field, enter the desired values. You can enter multiple values by clicking the + button.
    7. Click Save.
    To edit an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Select the rule.
    3. Click Edit.
    4. Edit as desired.
    5. Click Save.
    To delete an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Click the desired rule.
    3. Click Delete.
    4. In the confirmation dialog, click Yes.
    To enable/disable an on-net detection rule:
    1. Go to Policy Components > On-net Detection Rules.
    2. Select or deselect the Enabled checkbox for the desired endpoint policy.

    Determining on-net/off-net status

    There are two settings in EMS that affect FortiClient on-net/off-net status:

    • DHCP on-net/off-net
    • On-net detection rules configured for the endpoint's assigned policy. See On-net Detection Rules.

    The table below shows how the DHCP on-net/off-net setting, on-net detection rules, and Option 224 serial number affect the endpoint's on-net/off-net status. DHCP on-net/off-net only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-net with that FortiGate.

    DHCP on-net/off-net

    On-net detection rules

    Option 224 serial number

    Resulting endpoint status

    Disabled

    Not configured

    N/A

    Endpoint is on-net when registered to EMS.

    Enabled

    Not configured

    Not configured

    Endpoint is off-net when registered to EMS.

    Enabled

    Not configured

    Configured

    On-net

    Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-net with that FortiGate.

    N/A

    Enabled, with subnet configured.

    Endpoint IP address is in the configured subnet.

    N/A

    On-net

    The endpoint is inside the on-net networks configured in the applied endpoint policy's on-net detection rules.

    N/A

    Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

    N/A

    Off-net

    The endpoint is outside the on-net networks configured in the applied endpoint policy's on-net detection rules.

    An endpoint has an offline off-net status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-net networks.

    An endpoint has an offline on-net status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-net networks, or if no on-net rules are configured within the assigned policy.

    Previous
    Next