FortiClient Telemetry can connect to EMS or FortiGate and EMS.
EMS manages FortiClient endpoints using the FortiClient Telemetry connection. Endpoints connect FortiClient Telemetry to FortiGate to participate in the Security Fabric. FortiGates do not manage endpoints.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends compliance verification rules to FortiClient and uses the results from FortiClient to dynamically group endpoints in EMS. Only EMS can control the connection between FortiClient and EMS. You must make any changes to the connection from EMS, not FortiClient. When FortiClient is connected to EMS, FortiClient settings are locked so the endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must deregister the endpoint in EMS.
See the FortiClient Compliance Guide.
In this scenario, FortiClient Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy and to FortiGate to participate in the Security Fabric. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint profile.
Following is a summary of how the FortiClient Telemetry connection works in this scenario:
- FortiClient Telemetry connects to EMS.
- FortiClient receives a profile of configuration information from EMS as part of an endpoint policy.
- FortiClient Telemetry connects to the FortiGate using a Telemetry gateway list received from EMS. This allows the endpoint to participate in the Security Fabric.
- EMS sends compliance verification rules to the endpoint.
- FortiClient checks the endpoint using the provided compliance verification rules and sends the results to EMS.
- EMS receives the results form FortiClient and dynamically groups the endpoints according to the results.
- FortiOS pulls the dynamic endpoint group information from EMS. You can use this data to build dynamic firewall policies.
- EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
For details on configuring FortiOS to pull endpoint tags and their corresponding endpoint lists from EMS, see the FortiClient EMS Administration Guide.