In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate.
The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version.
FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP and HTTPS traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or later.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.
Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are also 7.0.0 or a later version:
- EMS sends its CA certificate to the FortiGate.
- FortiClient Telemetry attempts connection to EMS. Based on the EMS configuration, FortiClient may receive an SSL certificate from EMS to verify the connection. If the certificate is valid, FortiClient Telemetry connects to EMS. If the certificate is invalid, FortiClient may allow or deny connection to the EMS based on configured invalid certificate action.
- FortiClient receives the following from EMS:
- Profile of configuration information as part of an endpoint policy.
- Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
- FortiClient sends security posture information to EMS, including third-party software information, running processes, network information, and so on.
- EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging rules.
- FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to build dynamic firewall policies.
- When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
- The FortiGate retrieves the UID to identify the device and check other information using the endpoint information that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
- EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the endpoint user cannot manually change FortiClient configuration.
Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are logged into EMS.
EMS sends the following endpoint information to FortiOS:
- User profile:
- Logged-in username
- Full name
- Email address
- Phone number
- User avatar
- Social network account IDs
- MAC address
- OS type
- OS version
- FortiClient version
- FortiClient UUID
FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection. EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated information:
- System information
- User avatar
- Zero Trust tags
EMS also sends the following endpoint information to FortiAnalyzer:
- Telemetry/system information
- User avatar
- Software inventory
- Network statistics
- Classification tags
FortiClient directly sends the following information to FortiAnalyzer:
- Windows host events
See the FortiAnalyzer Administration Guide for details.
For details on configuring FortiOS to pull endpoint tags and their corresponding endpoint lists from EMS, see the FortiClient EMS Administration Guide.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends Zero Trust tagging rules to FortiClient, and use the results from FortiClient to dynamically group endpoints in EMS. Only EMS can control the connection between FortiClient and EMS. You must make any changes to the connection from EMS, not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so that the endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must deregister the endpoint in EMS.