Fortinet white logo
Fortinet white logo

EMS Administration Guide

On-fabric Detection Rules

On-fabric Detection Rules

You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

Note

On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric status as Determining on-fabric/off-fabric status describes.

To add an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable or disable the rule set by toggling Enabled on or off.
  5. Click Add Rule.
  6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

    Detection type

    Description

    DHCP Server

    On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/Mac Address tab, the MAC Address field is optional.

    The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use FortiGate serial number as the DHCP code if desired.

    EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

    DNS Server

    Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

    EMS Connection

    The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.

    Local IP/Subnet

    In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.

    Default Gateway

    In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    Ping Server

    In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.

    Public IP

    In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

    Connection Media

    From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

    VPN Tunnel

    In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.

  7. Click Add Rule.
  8. Click Save.
To edit an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Select the rule set.
  3. Click Edit.
  4. Edit as desired.
  5. Click Save.
To delete an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Click Delete.
  4. In the confirmation dialog, click Yes.
To delete an on-fabric detection rule from a rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Under Rules, select the desired rule.
  4. Click Delete Rule.
  5. Click Save.
To enable/disable an on-fabric detection rule:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Select or deselect the Enabled checkbox for the desired rule set.

Determining on-fabric/off-fabric status

This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.

There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:

  • DHCP on-fabric/off-fabric
  • On-fabric detection rules configured for the endpoint's assigned policy.

The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-fabric with that FortiGate.

DHCP on-fabric/off-fabric

On-fabric detection rules

Option 224 serial number

Resulting endpoint status

Disabled

Not configured

N/A

Endpoint is on-fabric when registered to EMS.

Enabled

Not configured

Not configured

Endpoint is off-fabric when registered to EMS.

Enabled

Not configured

Configured

On-fabric

Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-fabric with that FortiGate.

N/A

Enabled, with subnet configured.

Endpoint IP address is in the configured subnet.

N/A

On-fabric

The endpoint is inside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

N/A

Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

N/A

Off-fabric

The endpoint is outside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-fabric networks.

An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy.

On-fabric Detection Rules

On-fabric Detection Rules

You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

Note

On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric status as Determining on-fabric/off-fabric status describes.

To add an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable or disable the rule set by toggling Enabled on or off.
  5. Click Add Rule.
  6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

    Detection type

    Description

    DHCP Server

    On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/Mac Address tab, the MAC Address field is optional.

    The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use FortiGate serial number as the DHCP code if desired.

    EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

    DNS Server

    Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

    EMS Connection

    The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.

    Local IP/Subnet

    In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.

    Default Gateway

    In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    Ping Server

    In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.

    Public IP

    In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

    Connection Media

    From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

    VPN Tunnel

    In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.

  7. Click Add Rule.
  8. Click Save.
To edit an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Select the rule set.
  3. Click Edit.
  4. Edit as desired.
  5. Click Save.
To delete an on-fabric detection rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Click Delete.
  4. In the confirmation dialog, click Yes.
To delete an on-fabric detection rule from a rule set:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Under Rules, select the desired rule.
  4. Click Delete Rule.
  5. Click Save.
To enable/disable an on-fabric detection rule:
  1. Go to Policy Components > On-fabric Detection Rules.
  2. Select or deselect the Enabled checkbox for the desired rule set.

Determining on-fabric/off-fabric status

This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.

There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:

  • DHCP on-fabric/off-fabric
  • On-fabric detection rules configured for the endpoint's assigned policy.

The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-fabric with that FortiGate.

DHCP on-fabric/off-fabric

On-fabric detection rules

Option 224 serial number

Resulting endpoint status

Disabled

Not configured

N/A

Endpoint is on-fabric when registered to EMS.

Enabled

Not configured

Not configured

Endpoint is off-fabric when registered to EMS.

Enabled

Not configured

Configured

On-fabric

Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-fabric with that FortiGate.

N/A

Enabled, with subnet configured.

Endpoint IP address is in the configured subnet.

N/A

On-fabric

The endpoint is inside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

N/A

Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

N/A

Off-fabric

The endpoint is outside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-fabric networks.

An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy.