FortiOS 6.4 uses an EMS connector to retrieve dynamic endpoint groups from EMS. The following instructions only apply when using FortiOS 6.4. Configuring this feature requires the following steps:
- Checking prerequisites
- Configuring the EMS connector:
- Creating a dynamic firewall policy using dynamic endpoint groups from EMS
If you configure a connection between EMS and a FortiGate that is part of a Security Fabric with multiple FortiGates, the root FortiGate can also obtain Zero Trust tags from EMS. However, the root FortiGate does not have any IP addresses to associate with the received tags.
You must ensure that the following prerequisites are met before configuring this feature:
- Create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set.
- After FortiClient connects Telemetry to EMS, confirm that EMS dynamically groups endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor.
- Export a certificate authority (CA)-signed certificate to upload to FortiOS and web server certificate to upload to EMS. For details on configuring a server certificate using the Microsoft Certification Authority Management Console, see Configure the Server Certificate Template. You can use another CA as desired.
Certificates are required to set up a secure connection between EMS and FortiOS. Uploading the CA-signed certificate to FortiOS allows FortiOS to trust the certificate that you upload to EMS.
- Upload the server certificate to EMS:
- Go to System Settings > EMS Settings.
- Under Shared Settings, click the Upload new SSL certificate button.
- Upload the server certificate and private key. Click Test.
- Click Save.
- Upload the certificate to FortiOS:
- Go to System > Certificates.
- From the Import dropdown list, select CA Certificates.
- Upload the CA-signed certificate.
- Go to Security Fabric > Fabric Connectors.
- Click Create New, then select FortiClient EMS.
- For Type, select FortiClient EMS.
- In the Name field, enter the desired name.
- In the IP/Domain name field, enter the EMS IP address or domain name. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format side.fqdn to integrate the FortiGate to the a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy.
- Ensure that Synchronize firewall addresses is enabled. This allows FortiOS to automatically create and synchronize firewall addresses for dynamic endpoint groups received from EMS.
- Click OK.
config endpoint-control fctems
set fortinetone-cloud-authentication disable
set server "172.16.200.137"
set https-port 443
set source-ip 0.0.0.0
set pull-sysinfo enable
set pull-vulnerabilities enable
set pull-avatars enable
set pull-tags enable
set call-timeout 5000
- EMS must authorize the Fabric connector created in FortiOS. Do one of the following:
- Log in to EMS. A prompt displays to authorize the FortiGate. Click Authorize.
- Go to Administration > Fabric Devices. Select the desired FortiGate, then click Authorize.
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. See Fabric Devices.
- Authorize the connection by doing one of the following:
- In the right pane, under FortiClient EMS Status, click Authorize.
- After EMS authorizes the FortiGate, authorize the connection in the FortiOS CLI by running the
execute fctems verify <fctems>command.
- FortiOS should now automatically pull the dynamic endpoint groups from EMS as dynamic firewall addresses. Go to Policy & Objects > Addresses to view the addresses.
- In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the Address tab, select the address based on the desired dynamic endpoint group from EMS.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > Firewall Policy to ensure the policy was created. FortiOS updates this policy when it receives updates from EMS.