EMS Administration Guide

On-fabric Detection Rules

You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

When a user switches accounts between a local non-domain account and a domain account on the same machine, FortiClient EMS may not apply the correct policy to the endpoint.

To add an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable or disable the rule set by toggling Enabled on or off.
  5. Click Add Rule.
  6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

    Detection type and description

    DHCP Server

    On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/MAC Address tab, the MAC Address field is optional.

    The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use the FortiGate serial number as the DHCP code if desired.

    EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

    DNS Server

    Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

    EMS Connection

    This detection type has no configurable fields: EMS considers the endpoint as satisfying the rule if it is online with EMS.

    Local IP/Subnet

    In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the specified range and, if a default gateway MAC address is configured, its default gateway MAC address also matches. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.

    Default Gateway

    In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway IP address matches the one specified and, if a MAC address is configured, its default gateway MAC address also matches. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

    Ping Server

    In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.

    Public IP

    In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

    Connection Media

    From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

    VPN Tunnel

    In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.

  7. Click Add Rule.
  8. Click Save.
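
The evaluation described in the steps above (every rule in a rule set must match, the values added with the + button within one rule are alternatives, and only Local IP/Subnet rules apply to FortiClient 6.4.0 and earlier) can be modelled as a small evaluator. The following Python is an added example, not Fortinet code and not an EMS API. The Endpoint fields, the rule dictionary layout, the treatment of multiple configured values as alternatives, the rule that a disabled rule set never matches, and the choice to ignore non-applicable detection types on older endpoints (treating a rule set with nothing left to evaluate as off-fabric) are all assumptions; every address, MAC and the DHCP code are constructed sample values.

```python
# Added example (not Fortinet code): a toy evaluator for EMS on-fabric rule sets.
# Field names, rule layout and all sample values are constructed assumptions.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    """Constructed snapshot of what FortiClient would report (assumed field names)."""
    forticlient_version: tuple
    lan_ip: str
    gateway_ip: str
    gateway_mac: str
    dhcp_server_ip: str
    dhcp_server_mac: str
    dhcp_code: str          # DHCP option 224 string, or None if the server sends none
    dns_servers: tuple
    ems_online: bool
    public_ip: str
    ethernet_connected: bool
    wifi_connected: bool
    vpn_tunnels: tuple
    reachable: frozenset    # hosts the endpoint can reach (used by Ping Server)


def norm_mac(mac):
    """Compare MACs case- and separator-insensitively."""
    return mac.lower().replace("-", ":")


def in_range(ip, ip_range):
    """ip_range is 'start-end' as typed in the IP Range field, or a single address."""
    addr = ipaddress.ip_address(ip)
    if "-" in ip_range:
        start, end = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-", 1))
        return start <= addr <= end
    return addr == ipaddress.ip_address(ip_range)


def ip_mac_match(entry, ip, mac):
    """IP and/or MAC entry: every field that was configured must match (MAC is optional)."""
    if entry.get("ip") and ipaddress.ip_address(entry["ip"]) != ipaddress.ip_address(ip):
        return False
    if entry.get("mac") and norm_mac(entry["mac"]) != norm_mac(mac):
        return False
    return True


def rule_matches(rule, ep):
    """One rule; several configured values are treated as alternatives (assumption)."""
    t = rule["type"]
    if t == "DHCP Server":
        entries, codes = rule.get("ip_mac", []), rule.get("codes", [])
        addr_ok = not entries or any(ip_mac_match(e, ep.dhcp_server_ip, ep.dhcp_server_mac) for e in entries)
        code_ok = not codes or ep.dhcp_code in codes
        return addr_ok and code_ok
    if t == "DNS Server":
        wanted = {ipaddress.ip_address(a) for a in rule["ips"]}
        return any(ipaddress.ip_address(d) in wanted for d in ep.dns_servers)
    if t == "EMS Connection":
        return ep.ems_online
    if t == "Local IP/Subnet":
        return any(in_range(ep.lan_ip, e["range"])
                   and (not e.get("gateway_mac") or norm_mac(e["gateway_mac"]) == norm_mac(ep.gateway_mac))
                   for e in rule["entries"])
    if t == "Default Gateway":
        return any(ip_mac_match(e, ep.gateway_ip, ep.gateway_mac) for e in rule["entries"])
    if t == "Ping Server":
        return any(a in ep.reachable for a in rule["ips"])
    if t == "Public IP":
        return any(ipaddress.ip_address(a) == ipaddress.ip_address(ep.public_ip) for a in rule["ips"])
    if t == "Connection Media":
        state = {"Ethernet": ep.ethernet_connected, "Wi-Fi": ep.wifi_connected}
        return all((rule[m] == "Connected") == state[m] for m in state if m in rule)
    if t == "VPN Tunnel":
        return any(n in ep.vpn_tunnels for n in rule["names"])
    raise ValueError(f"unknown detection type {t!r}")


LEGACY_TYPES = {"Local IP/Subnet"}   # the only type that applies to FortiClient 6.4.0 and earlier


def rule_set_satisfied(rule_set, ep):
    """A rule set is the AND of its rules. Assumptions: a disabled set never matches, and on
    FortiClient <= 6.4.0 only Local IP/Subnet rules are evaluated (none left means off-fabric)."""
    if not rule_set.get("enabled", True):
        return False
    rules = rule_set["rules"]
    if ep.forticlient_version <= (6, 4, 0):
        rules = [r for r in rules if r["type"] in LEGACY_TYPES]
    return bool(rules) and all(rule_matches(r, ep) for r in rules)


# Constructed sample rule set and endpoints (all addresses and the DHCP code are made up).
HQ_RULES = {"name": "HQ-LAN", "enabled": True, "rules": [
    {"type": "DHCP Server", "ip_mac": [{"ip": "10.20.0.2"}], "codes": ["HQ-DHCP-CODE"]},
    {"type": "DNS Server", "ips": ["10.20.0.53"]},
    {"type": "Local IP/Subnet", "entries": [{"range": "10.20.1.1-10.20.1.254", "gateway_mac": "00-11-22-33-44-55"}]},
]}
EMS_ONLY_RULES = {"name": "Any-EMS", "rules": [{"type": "EMS Connection"}]}

ON_SITE = Endpoint((7, 0, 1), "10.20.1.37", "10.20.1.1", "00:11:22:33:44:55", "10.20.0.2",
                   "aa:bb:cc:dd:ee:01", "HQ-DHCP-CODE", ("10.20.0.53", "10.20.0.54"), True,
                   "203.0.113.9", True, False, (), frozenset({"10.20.0.2"}))
# Home network: only EMS connectivity still matches.
REMOTE = replace(ON_SITE, lan_ip="192.168.1.23", gateway_ip="192.168.1.1", gateway_mac="de:ad:be:ef:00:01",
                 dhcp_server_ip="192.168.1.1", dhcp_code=None, dns_servers=("192.168.1.1",), public_ip="198.51.100.77")
# DHCP and DNS rules match but the LAN range does not: AND semantics keep it off-fabric.
PARTIAL = replace(ON_SITE, lan_ip="192.168.1.23", gateway_ip="192.168.1.1", gateway_mac="de:ad:be:ef:00:01")
LEGACY_ON_SITE = replace(ON_SITE, forticlient_version=(6, 4, 0))
LEGACY_REMOTE = replace(REMOTE, forticlient_version=(6, 4, 0))

if __name__ == "__main__":
    for name, ep in [("ON_SITE", ON_SITE), ("REMOTE", REMOTE), ("PARTIAL", PARTIAL), ("LEGACY_ON_SITE", LEGACY_ON_SITE)]:
        print(f"{name:15s} HQ-LAN={rule_set_satisfied(HQ_RULES, ep)} Any-EMS={rule_set_satisfied(EMS_ONLY_RULES, ep)}")
```

The PARTIAL endpoint is the case worth checking when designing a rule set: a DHCP code or DNS address alone is a weak signal, so combining it with a Local IP/Subnet or Default Gateway rule in the same set means an endpoint must look like it is on the corporate network from several angles before the on-fabric profile applies. The LEGACY_ON_SITE case shows why a rule set intended for FortiClient 6.4.0 and earlier must contain a Local IP/Subnet rule.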
To edit an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Select the rule set.
  3. Click Edit.
  4. Edit as desired.
  5. Click Save.
To delete an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Click Delete.
  4. In the confirmation dialog, click Yes.
To delete an on-fabric detection rule from a rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Under Rules, select the desired rule.
  4. Click Delete Rule.
  5. Click Save.
To enable/disable an on-fabric detection rule:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Select or deselect the Enabled checkbox for the desired rule set.
