Telemetry connection options
FortiClient Telemetry can connect Telemetry to EMS to participate in the Security Fabric, or to EMS only.
EMS manages FortiClient endpoints using the FortiClient Telemetry connection. If EMS is configured as part of a Security Fabric, endpoints participate in the Security Fabric. FortiGates do not manage endpoints.
FortiClient in the Security Fabric
In this scenario, FortiClient Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.
FortiClient 6.4 does not directly connect to FortiOS. FortiOS receives FortiClient data only from EMS.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.
Following is a summary of how the FortiClient Telemetry connection works in this scenario:
- EMS is connected to the FortiGate as a participant in the Security Fabric.
- FortiClient Telemetry attempts connection to EMS. FortiClient receives an SSL certificate from EMS to verify the connection. If the certificate is valid, FortiClient Telemetry connects to EMS.
- EMS sends the endpoint information received via FortiClient Telemetry to FortiOS.
- FortiClient receives a profile of configuration information from EMS as part of an endpoint policy.
- EMS sends Zero Trust tagging rules to the endpoint.
- FortiClient checks the endpoint using the provided Zero Trust tagging rules and sends the results to EMS.
- EMS receives the results from FortiClient and dynamically groups the endpoints according to the results.
- FortiOS pulls the dynamic endpoint group information from EMS. You can use this data to build dynamic firewall policies.
- EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
For details on configuring FortiOS to pull endpoint tags and their corresponding endpoint lists from EMS, see the FortiClient EMS Administration Guide.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends Zero Trust tagging rules to FortiClient, and use the results from FortiClient to dynamically group endpoints in EMS. Only EMS can control the connection between FortiClient and EMS. You must make any changes to the connection from EMS, not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so that the endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must deregister the endpoint in EMS.