Fortinet white logo
Fortinet white logo

EMS Administration Guide

FortiClient in the Security Fabric

FortiClient in the Security Fabric

In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate.

The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.

FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP or HTTPS traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or later.

Note

FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.

Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are also 7.0.0 or a later version:

  1. EMS sends its CA certificate to the FortiGate.
  2. FortiClient Telemetry attempts connection to EMS. Based on the EMS configuration, FortiClient may receive an SSL certificate from EMS to verify the connection. If the certificate is valid, FortiClient Telemetry connects to EMS. If the certificate is invalid, FortiClient may allow or deny connection to the EMS based on configured invalid certificate action.
  3. FortiClient receives the following from EMS:
    • Licensing. See Windows, macOS, and Linux licenses.
    • Profile of configuration information as part of an endpoint policy. See Endpoint Profiles.
    • Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
  4. FortiClient sends security posture information to EMS, including third-party software information, running processes, network information, and so on.
  5. EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging rules. See Zero Trust Tagging Rules.
  6. FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to build dynamic firewall policies.
  7. When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
  8. The FortiGate retrieves the UID to identify the device and check other information using the endpoint information that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
  9. EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.

For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups.

FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the endpoint user cannot manually change FortiClient configuration.

Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are logged into EMS.

The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS. This allows the endpoint to connect FortiClient Telemetry to the specified EMS server.

EMS sends the following endpoint information to FortiOS:

  • User profile:
    • Logged-in username
    • Full name
    • Email address
    • Phone number
  • User avatar
  • Social network account IDs
  • MAC address
  • OS type
  • OS version
  • FortiClient version
  • FortiClient UUID

FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection. EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated information:

  • System information
  • User avatar
  • Vulnerabilities
  • Zero Trust tags

EMS also sends the following endpoint information to FortiAnalyzer:

  • Telemetry/system information
  • User avatar
  • Software inventory
  • Processes
  • Network statistics
  • Classification tags

FortiClient directly sends the following information to FortiAnalyzer:

  • Logs
  • Windows host events

See the FortiAnalyzer Administration Guide for details.

Related Videos

sidebar video

FortiClient Fabric Agent

  • 902 views
  • 3 years ago

FortiClient in the Security Fabric

FortiClient in the Security Fabric

In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate.

The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.

FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP or HTTPS traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or later.

Note

FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.

Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are also 7.0.0 or a later version:

  1. EMS sends its CA certificate to the FortiGate.
  2. FortiClient Telemetry attempts connection to EMS. Based on the EMS configuration, FortiClient may receive an SSL certificate from EMS to verify the connection. If the certificate is valid, FortiClient Telemetry connects to EMS. If the certificate is invalid, FortiClient may allow or deny connection to the EMS based on configured invalid certificate action.
  3. FortiClient receives the following from EMS:
    • Licensing. See Windows, macOS, and Linux licenses.
    • Profile of configuration information as part of an endpoint policy. See Endpoint Profiles.
    • Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
  4. FortiClient sends security posture information to EMS, including third-party software information, running processes, network information, and so on.
  5. EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging rules. See Zero Trust Tagging Rules.
  6. FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to build dynamic firewall policies.
  7. When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
  8. The FortiGate retrieves the UID to identify the device and check other information using the endpoint information that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
  9. EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.

For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups.

FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the endpoint user cannot manually change FortiClient configuration.

Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are logged into EMS.

The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS. This allows the endpoint to connect FortiClient Telemetry to the specified EMS server.

EMS sends the following endpoint information to FortiOS:

  • User profile:
    • Logged-in username
    • Full name
    • Email address
    • Phone number
  • User avatar
  • Social network account IDs
  • MAC address
  • OS type
  • OS version
  • FortiClient version
  • FortiClient UUID

FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection. EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated information:

  • System information
  • User avatar
  • Vulnerabilities
  • Zero Trust tags

EMS also sends the following endpoint information to FortiAnalyzer:

  • Telemetry/system information
  • User avatar
  • Software inventory
  • Processes
  • Network statistics
  • Classification tags

FortiClient directly sends the following information to FortiAnalyzer:

  • Logs
  • Windows host events

See the FortiAnalyzer Administration Guide for details.