Fortinet black logo

EMS Administration Guide

Fabric Devices

Fabric Devices

You can view all Fabric devices that the EMS has authorized in Administration > Fabric Devices. You can also deny or authorize a Fabric device. These Fabric devices receive endpoint data from EMS. FortiClient does not directly connect to Fabric devices listed on this page.

FortiOS versions 7.0.2 to 7.0.6 only support zero trust tags and does not support other tag types when used with EMS. FortiClient endpoints connected via zero trust network access do not provide IP addresses to FortiOS.

For connection to FortiAnalyzer, see Incoming ports. The communication between EMS and FortiAnalyzer is unencrypted.

To edit the Fabric device tag sharing settings:
  1. Go to Administration > Fabric Devices.
  2. Select the desired device, then select Edit.
  3. From the FortiClient Endpoint Sharing dropdown list, select one of the following:

    Option

    Description

    Share all FortiClients

    The selected Fabric device receives all endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag"), regardless of whether the gateways point to the selected Fabric device.

    Only share FortiClients connected to this fabric device (Recommended)

    This is the default setting. The selected Fabric device only receives the host tags for endpoints whose gateways point to the selected Fabric device.

    Share FortiClients connected to selected fabric devices

    The selected Fabric device receives host tags for the following:

    • Endpoints whose gateways point to the selected Fabric device
    • Endpoints whose gateways point to the configured additional Fabric devices. You can configure up to four additional Fabric devices.
  4. In Tag Types Being Shared, select at least one of the tag types to share. Zero Trust Tags is selected by default and cannot be deselected. EMS only shares the selected tag types with the configured Fabric devices.

    Tag

    Description

    Zero Trust tags

    See Zero Trust Tags.

    FortiGuard outbreak alert tags

    See FortiGuard Outbreak Alerts.

    Classification tags

    See Viewing the Endpoints pane.

    Fabric tags

    Fabric tags require connection to FortiAnalyzer. See the following process:

    1. EMS administrator configures FortiAnalyzer in an endpoint profile. See System Settings.
    2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the endpoint profile.
    3. FortiClient sends logs to FortiAnalyzer.
    4. FortiAnalyzer administrator configures rule to tag endpoints which have indicators of compromise (IOC).
    5. If a log entry received from FortiClient on the FortiAnalyzer matches an IOC, FortiAnalyzer adds a tag to that endpoint.
    6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Zero Trust Tag Monitor. Note that this tag displays as a Fabric tag in Zero Trust Tag Monitor, but the tag displays under Classification Tags in endpoint details. See Viewing the Endpoints pane.
    7. If FortiGate is configured to receive all tags for this specific endpoint, EMS sends the tag to FortiGate.

    See EMS API support for FortiAnalyzer to notify and tag suspicious endpoints.

  5. Click Save.
To change the Fabric device authorization status:
  1. Go to Administration > Fabric Devices.
  2. Select the desired Fabric device.
  3. Click Deny or Authorize. The Fabric device status in the Authorized column changes.

Fabric Devices

You can view all Fabric devices that the EMS has authorized in Administration > Fabric Devices. You can also deny or authorize a Fabric device. These Fabric devices receive endpoint data from EMS. FortiClient does not directly connect to Fabric devices listed on this page.

FortiOS versions 7.0.2 to 7.0.6 only support zero trust tags and does not support other tag types when used with EMS. FortiClient endpoints connected via zero trust network access do not provide IP addresses to FortiOS.

For connection to FortiAnalyzer, see Incoming ports. The communication between EMS and FortiAnalyzer is unencrypted.

To edit the Fabric device tag sharing settings:
  1. Go to Administration > Fabric Devices.
  2. Select the desired device, then select Edit.
  3. From the FortiClient Endpoint Sharing dropdown list, select one of the following:

    Option

    Description

    Share all FortiClients

    The selected Fabric device receives all endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag"), regardless of whether the gateways point to the selected Fabric device.

    Only share FortiClients connected to this fabric device (Recommended)

    This is the default setting. The selected Fabric device only receives the host tags for endpoints whose gateways point to the selected Fabric device.

    Share FortiClients connected to selected fabric devices

    The selected Fabric device receives host tags for the following:

    • Endpoints whose gateways point to the selected Fabric device
    • Endpoints whose gateways point to the configured additional Fabric devices. You can configure up to four additional Fabric devices.
  4. In Tag Types Being Shared, select at least one of the tag types to share. Zero Trust Tags is selected by default and cannot be deselected. EMS only shares the selected tag types with the configured Fabric devices.

    Tag

    Description

    Zero Trust tags

    See Zero Trust Tags.

    FortiGuard outbreak alert tags

    See FortiGuard Outbreak Alerts.

    Classification tags

    See Viewing the Endpoints pane.

    Fabric tags

    Fabric tags require connection to FortiAnalyzer. See the following process:

    1. EMS administrator configures FortiAnalyzer in an endpoint profile. See System Settings.
    2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the endpoint profile.
    3. FortiClient sends logs to FortiAnalyzer.
    4. FortiAnalyzer administrator configures rule to tag endpoints which have indicators of compromise (IOC).
    5. If a log entry received from FortiClient on the FortiAnalyzer matches an IOC, FortiAnalyzer adds a tag to that endpoint.
    6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Zero Trust Tag Monitor. Note that this tag displays as a Fabric tag in Zero Trust Tag Monitor, but the tag displays under Classification Tags in endpoint details. See Viewing the Endpoints pane.
    7. If FortiGate is configured to receive all tags for this specific endpoint, EMS sends the tag to FortiGate.

    See EMS API support for FortiAnalyzer to notify and tag suspicious endpoints.

  5. Click Save.
To change the Fabric device authorization status:
  1. Go to Administration > Fabric Devices.
  2. Select the desired Fabric device.
  3. Click Deny or Authorize. The Fabric device status in the Authorized column changes.