FortiClient in the Security Fabric
In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate.
The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups.
FortiClient can also receive a device certificate from EMS and use it to encrypt and tunnel TCP or HTTPS traffic over HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or later and FortiOS 7.0.0 or later.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.
The following summarizes how the Zero Trust Telemetry connection works in this scenario. It assumes that EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are both 7.0.0 or later:
- EMS sends its CA certificate to the FortiGate.
- FortiClient Telemetry connects to EMS.
- FortiClient receives the following from EMS:
  - Licensing. See Windows, macOS, and Linux endpoint licenses.
  - Profile of configuration information as part of an endpoint policy. See Endpoint Profiles.
  - Device certificate that includes the FortiClient UID. FortiClient installs the received certificate in the current user's certificate store, which Chrome and Edge use, and in Firefox's own certificate store. Installation into the Firefox store may not be available.
- FortiClient sends security posture information to EMS, including third-party software information, running processes, network information, and so on.
- EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging rules. See Zero Trust Tagging Rules.
- FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to build dynamic firewall policies.
- When the endpoint initiates TCP or HTTPS traffic, FortiClient acts as a local proxy gateway and tunnels the traffic over HTTPS to the FortiGate, presenting the device certificate it received from EMS.
- The FortiGate validates the certificate against the EMS CA certificate it holds, retrieves the UID from it to identify the device, and checks the device against the endpoint information that EMS provided. The FortiGate allows or denies access accordingly.
- EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
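The sequence above, from the EMS CA certificate that reaches the FortiGate in the first step to the allow-or-deny decision near the end, is easiest to reason about as code. The following Go program is an added example written for this page; it is not FortiClient, EMS or FortiOS code and does not describe their internals. It stands up a throwaway EMS CA, issues device certificates whose subject CN carries the UID (an assumption; the page only says the certificate includes the UID), fills a constructed endpoint table with invented UIDs, users and tags, and then applies the FortiGate-side checks in the order the page gives them: chain to the EMS CA, read the UID, match an endpoint record, require the tag the policy names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EndpointRecord is a subset of the per-endpoint data EMS pushes to the FortiGate
// (see the field list on this page), keyed by FortiClient UID; Tags are Zero Trust tags.
type EndpointRecord struct{ User, OSType string; Tags map[string]bool }
type Decision struct{ UID string; Allowed bool; Reason string }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo setup only, never a policy code path
	}
	return v
}

// issueCert stands in for EMS issuing a certificate: with parent == nil a self-signed
// CA, otherwise a client (device) certificate signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:      pkix.Name{CommonName: cn},          // assumption: UID lives in the CN
		NotBefore:    notBefore, NotAfter: notAfter, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Authorize models the FortiGate-side decision on this page. The UID is read only after
// the certificate verifies against the EMS CA, so a forged certificate naming a known UID
// fails before the endpoint table is consulted. Assumption: the UID is the subject CN.
func Authorize(emsCA, presented *x509.Certificate, records map[string]EndpointRecord,
	requiredTag string, now time.Time) Decision {
	roots := x509.NewCertPool()
	roots.AddCert(emsCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return Decision{"", false, "certificate rejected: " + err.Error()}
	}
	uid := presented.Subject.CommonName
	rec, ok := records[uid]
	if !ok {
		return Decision{uid, false, "UID has no endpoint record from EMS"}
	}
	if !rec.Tags[requiredTag] {
		return Decision{uid, false, fmt.Sprintf("user %s lacks tag %q", rec.User, requiredTag)}
	}
	return Decision{uid, true, fmt.Sprintf("user %s on %s carries tag %q", rec.User, rec.OSType, requiredTag)}
}

// RunScenarios builds a throwaway EMS CA plus an untrusted CA, issues device certificates
// and evaluates constructed cases (invented UIDs, users, tags) against a "Compliant" policy.
func RunScenarios() map[string]Decision {
	now := time.Now()
	emsCA, emsKey := issueCert("EMS demo CA", nil, nil, now.Add(-time.Hour), now.Add(24*time.Hour))
	rogueCA, rogueKey := issueCert("Not the EMS CA", nil, nil, now.Add(-time.Hour), now.Add(24*time.Hour))
	records := map[string]EndpointRecord{
		"UID-1111": {"jdoe", "Windows", map[string]bool{"Compliant": true}},
		"UID-2222": {"asmith", "macOS", map[string]bool{"Quarantine": true}},
	}
	type tc struct{ name, uid string; ca *x509.Certificate; caKey *ecdsa.PrivateKey; notAfter time.Time }
	cases := []tc{
		{"valid-compliant", "UID-1111", emsCA, emsKey, now.Add(time.Hour)},
		{"wrong-ca", "UID-1111", rogueCA, rogueKey, now.Add(time.Hour)}, // forged cert, real UID
		{"expired", "UID-1111", emsCA, emsKey, now.Add(-time.Minute)},
		{"unknown-uid", "UID-9999", emsCA, emsKey, now.Add(time.Hour)},
		{"tag-missing", "UID-2222", emsCA, emsKey, now.Add(time.Hour)},
	}
	out := make(map[string]Decision, len(cases))
	for _, c := range cases {
		dev, _ := issueCert(c.uid, c.ca, c.caKey, now.Add(-2*time.Hour), c.notAfter)
		out[c.name] = Authorize(emsCA, dev, records, "Compliant", now)
	}
	return out
}

func main() {
	for name, d := range RunScenarios() {
		fmt.Printf("%-16s allowed=%-5v %s\n", name, d.Allowed, d.Reason)
	}
}
```

Only the valid-compliant case is allowed. The wrong-ca case is the one worth noting: it presents a certificate for a UID that EMS knows, signed by a CA the FortiGate does not trust, and is refused before the UID is ever read. That is why delivering the EMS CA certificate to the FortiGate, the first step in the list above, is a prerequisite for everything that follows it, and why the FortiGate must never identify a device from a UID it has not tied to a certificate that chains to that CA.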
For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups.
FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the endpoint user cannot manually change FortiClient configuration.
Only EMS controls the connection between FortiClient and EMS. You can disconnect FortiClient only while logged in to EMS.
The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS, so FortiClient Telemetry on the endpoint connects to the specified EMS server.
EMS sends the following endpoint information to FortiOS:
- User profile:
  - Logged-in username
  - Full name
  - Email address
  - Phone number
  - User avatar
  - Social network account IDs
- MAC address
- OS type
- OS version
- FortiClient version
- FortiClient UUID
The FortiGate also opens a websocket to EMS, which EMS handles with its FcmNotify daemon. Over this websocket, EMS notifies the FortiGate when any of the following device information changes, and FortiOS loads the updated information:
- System information
- User avatar
- Zero Trust tags
EMS also sends the following endpoint information to FortiAnalyzer:
- Telemetry/system information
- User avatar
- Software inventory
- Network statistics
- Classification tags
FortiClient directly sends the following information to FortiAnalyzer:
- Windows host events
See the FortiAnalyzer Administration Guide for details.