Fortinet black logo

EMS Administration Guide

Zero Trust tagging rule types

Zero Trust tagging rule types

The following table describes Zero Trust tagging rule types and the operating systems (OS) that they are available for. For all rule types, you can configure multiple conditions using the + button.

Rule type

OS

Description

User in AD Group

  • Windows
  • macOS

From the AD Group dropdown list, select the desired Active Directory (AD) group. EMS considers the endpoint as satisfying the rule if the logged in user belongs to the selected AD group. The rule considers the logged-in user's group membership, not the computer's attributes.

By default, EMS performs AD group lookup, which is considered more efficient and prevents the issue where an endpoint loses all AD-related tags when it goes offline. You can also configure FortiClient to perform AD group lookup instead by enabling Evaluate on FortiClient.

In cases where the user/endpoint is a member only of a subgroup or of top and sublevel groups, EMS can apply tags for both levels.

You can use the NOT option to indicate that the rule requires that the logged in user does not belong to certain AD groups. You cannot use the NOT option to indicate that the rule requires that the logged in user does not belong to any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain.

To use this option, you must configure your domain under Endpoints. See Adding endpoints using an AD domain server.

AntiVirus Software

  • Windows
  • macOS
  • Linux

From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third party AV software is installed and if the software reports signatures as up-to-date.

For Windows, this feature supports third party AV applications. For macOS and Linux, this feature can only check if FortiClient AV protection is enabled and does not recognize third party AV applications.

The endpoint must satisfy all configured conditions to satisfy this rule.

Certificate

  • Windows
  • macOS
  • Linux

In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint.

For Windows and macOS, FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores.

For Linux, FortiClient checks root CA certificates installed on the system. For Ubuntu, FortiClient checks /etc/ssl/certs/ca-certificates.crt. For CentOS and Red Hat, FortiClient checks /etc/pki/tls/certs/ca-bundle.crt. For Linux, FortiClient does not check user certificates.

The Subject CN and Issuer CN fields do not support wildcards.

The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

EMS Management

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to EMS.

File

  • Windows
  • macOS
  • Linux

In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Logged in Domain

  • Windows
  • macOS

In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

OS Version

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

The following options are available for Windows:

  • Enable latest update check: FortiClient checks if Windows OS updates were recently installed.
  • Latest update within: Configure the amount of time after the last system update was received that FortiClient considers the OS outdated. For example, if you configure this option to be 60 days, FortiClient considers the OS outdated 61 days after the most recent system update.

On-Fabric Status

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

By default, the rule requires that the endpoint is on-Fabric. You can also use the NOT option to indicate that the rule requires that the endpoint is off-Fabric.

Registry Key

  • Windows

In the Key field, enter the registry path or value name enclosed in square brackets [ ]. End the path with \ to indicate a registry path, or without \ to indicate a registry value name. In the Key Name field, enter the registry key name, enclosed in double quotation marks "". From the dropdown list, select the desired comparator. In the Value field, enter the desired key value. For a dword key value, enter the value as dword:<value>. For example, if the dword key value is 1, enter dword:1 in the Value field. For a non-dword key value, enter the value enclosed in double quotation marks "".

You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not as configured in the rule.

For example, the following shows a system where Firefox is installed. In this example, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox. The value name is CurrentVersion, and the value data is 96.0.3 (x64 en-CA). You can configure a registry key rule to match HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox as the path, CurrentVersion as the registry value name, or the value data as 96.0.3 (x64 en-CA). The example shown configures a rule to match the value data as 96.0.3 (x64 en-CA). Note the configured rule includes square brackets around the registry path, and double quotation marks around the key name and value.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require certain values for registry key A, registry key B, and NOT the configured value for registry key C, then the endpoint must have both the required values registry keys A and B and not the configured value for registry key C.

Running Process

  • Windows
  • macOS
  • Linux

In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox Detection

  • Windows
  • macOS

From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.

User Identity

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

Under User Identity, select the following:

  • User Specified: endpoint user manually entered their personal information in FortiClient.
  • Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
    • All Accounts: all endpoints where the user logged in to the specified social network account type.
    • Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.
  • Verified User: endpoint user must be a verified user that has authenticated their connection to EMS as a member of an authorized user group. See User Management.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

You can also use the NOT option for the rule to require that the endpoint user has not manually entered user details or logged in to a social network account to allow FortiClient to obtain user details.

FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not support social network login with Salesforce.

Vulnerable Devices

  • Windows
  • macOS
  • Linux

From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Security

  • macOS

Select the checkbox to require that File Vault is enabled on the endpoint. You can also use the NOT option to indicate that the rule requires that File Vault is disabled on the endpoint.

Windows Security

  • Windows

From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have one or more of the following applications enabled:

  • Windows Defender: antimalware component of Windows. Scans files to detect and remediate threats.
  • Bitlocker Disk Encryption: data protection feature that integrates with the operating system (OS) and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker enhances file and system protections and helps render data inaccessible when computers are decommissioned or recycled. See BitLocker.
  • Exploit Guard: automatically applies exploit mitigation techniques to OS processes and applications. When Exploit Guard finds a mitigation, Windows displays a notification from the Action Center. See Protect devices from exploits.
  • Application Guard: helps to prevent old and newly emerging attacks by isolating enterprise-defined untrusted sites. For example, Application Guard helps prevent untrusted Microsoft Word, PowerPoint, and Excel files from accessing trusted resources by opening untrusted files in an isolated Microsoft Hyper-V-enabled container. See Microsoft Defender Application Guard overview.
  • Windows Firewall: firewall component of Windows. Helps prevent hackers and malicious software from gaining access to the device through the Internet or a network.

You can also use the NOT option for the rule to require that the endpoint have one or more of the listed applications disabled.

The endpoint must satisfy all configured conditions to satisfy this rule.

Common Vulnerabilities and Exposures

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

In the CVEs field, enter the common vulnerabilities and exposures (CVE) ID in the format CVE-xxxx-xxxxx. For example, you could enter CVE-2020-26950. You can also use the NOT option to indicate that the rule requires that a CVE is not present on the endpoint.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

Firewall Threat

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

In the Firewall Threat ID field, enter the firewall threat ID. You can find this ID in FortiGuard or on the Firewall Events tab of the endpoint details page. You can also use the NOT option to indicate that the rule requires that a firewall threat is not present on the endpoint.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

FortiEDR

  • Windows
  • macOS
  • Linux

From the FortiEDR dropdown list, select FortiEDR is installed and running. EMS considers the endpoint as satisfying the rule if the endpoint has FortiEDR installed and running.

Related Videos

sidebar video

What's New in FortiClient EMS 7.2

  • 967 views
  • 10 months ago

Zero Trust tagging rule types

The following table describes Zero Trust tagging rule types and the operating systems (OS) that they are available for. For all rule types, you can configure multiple conditions using the + button.

Rule type

OS

Description

User in AD Group

  • Windows
  • macOS

From the AD Group dropdown list, select the desired Active Directory (AD) group. EMS considers the endpoint as satisfying the rule if the logged in user belongs to the selected AD group. The rule considers the logged-in user's group membership, not the computer's attributes.

By default, EMS performs AD group lookup, which is considered more efficient and prevents the issue where an endpoint loses all AD-related tags when it goes offline. You can also configure FortiClient to perform AD group lookup instead by enabling Evaluate on FortiClient.

In cases where the user/endpoint is a member only of a subgroup or of top and sublevel groups, EMS can apply tags for both levels.

You can use the NOT option to indicate that the rule requires that the logged in user does not belong to certain AD groups. You cannot use the NOT option to indicate that the rule requires that the logged in user does not belong to any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain.

To use this option, you must configure your domain under Endpoints. See Adding endpoints using an AD domain server.

AntiVirus Software

  • Windows
  • macOS
  • Linux

From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third party AV software is installed and if the software reports signatures as up-to-date.

For Windows, this feature supports third party AV applications. For macOS and Linux, this feature can only check if FortiClient AV protection is enabled and does not recognize third party AV applications.

The endpoint must satisfy all configured conditions to satisfy this rule.

Certificate

  • Windows
  • macOS
  • Linux

In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint.

For Windows and macOS, FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores.

For Linux, FortiClient checks root CA certificates installed on the system. For Ubuntu, FortiClient checks /etc/ssl/certs/ca-certificates.crt. For CentOS and Red Hat, FortiClient checks /etc/pki/tls/certs/ca-bundle.crt. For Linux, FortiClient does not check user certificates.

The Subject CN and Issuer CN fields do not support wildcards.

The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

EMS Management

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to EMS.

File

  • Windows
  • macOS
  • Linux

In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Logged in Domain

  • Windows
  • macOS

In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

OS Version

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

The following options are available for Windows:

  • Enable latest update check: FortiClient checks if Windows OS updates were recently installed.
  • Latest update within: Configure the amount of time after the last system update was received that FortiClient considers the OS outdated. For example, if you configure this option to be 60 days, FortiClient considers the OS outdated 61 days after the most recent system update.

On-Fabric Status

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

By default, the rule requires that the endpoint is on-Fabric. You can also use the NOT option to indicate that the rule requires that the endpoint is off-Fabric.

Registry Key

  • Windows

In the Key field, enter the registry path or value name enclosed in square brackets [ ]. End the path with \ to indicate a registry path, or without \ to indicate a registry value name. In the Key Name field, enter the registry key name, enclosed in double quotation marks "". From the dropdown list, select the desired comparator. In the Value field, enter the desired key value. For a dword key value, enter the value as dword:<value>. For example, if the dword key value is 1, enter dword:1 in the Value field. For a non-dword key value, enter the value enclosed in double quotation marks "".

You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not as configured in the rule.

For example, the following shows a system where Firefox is installed. In this example, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox. The value name is CurrentVersion, and the value data is 96.0.3 (x64 en-CA). You can configure a registry key rule to match HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox as the path, CurrentVersion as the registry value name, or the value data as 96.0.3 (x64 en-CA). The example shown configures a rule to match the value data as 96.0.3 (x64 en-CA). Note the configured rule includes square brackets around the registry path, and double quotation marks around the key name and value.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require certain values for registry key A, registry key B, and NOT the configured value for registry key C, then the endpoint must have both the required values registry keys A and B and not the configured value for registry key C.

Running Process

  • Windows
  • macOS
  • Linux

In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox Detection

  • Windows
  • macOS

From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.

User Identity

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

Under User Identity, select the following:

  • User Specified: endpoint user manually entered their personal information in FortiClient.
  • Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
    • All Accounts: all endpoints where the user logged in to the specified social network account type.
    • Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.
  • Verified User: endpoint user must be a verified user that has authenticated their connection to EMS as a member of an authorized user group. See User Management.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

You can also use the NOT option for the rule to require that the endpoint user has not manually entered user details or logged in to a social network account to allow FortiClient to obtain user details.

FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not support social network login with Salesforce.

Vulnerable Devices

  • Windows
  • macOS
  • Linux

From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Security

  • macOS

Select the checkbox to require that File Vault is enabled on the endpoint. You can also use the NOT option to indicate that the rule requires that File Vault is disabled on the endpoint.

Windows Security

  • Windows

From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have one or more of the following applications enabled:

  • Windows Defender: antimalware component of Windows. Scans files to detect and remediate threats.
  • Bitlocker Disk Encryption: data protection feature that integrates with the operating system (OS) and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker enhances file and system protections and helps render data inaccessible when computers are decommissioned or recycled. See BitLocker.
  • Exploit Guard: automatically applies exploit mitigation techniques to OS processes and applications. When Exploit Guard finds a mitigation, Windows displays a notification from the Action Center. See Protect devices from exploits.
  • Application Guard: helps to prevent old and newly emerging attacks by isolating enterprise-defined untrusted sites. For example, Application Guard helps prevent untrusted Microsoft Word, PowerPoint, and Excel files from accessing trusted resources by opening untrusted files in an isolated Microsoft Hyper-V-enabled container. See Microsoft Defender Application Guard overview.
  • Windows Firewall: firewall component of Windows. Helps prevent hackers and malicious software from gaining access to the device through the Internet or a network.

You can also use the NOT option for the rule to require that the endpoint have one or more of the listed applications disabled.

The endpoint must satisfy all configured conditions to satisfy this rule.

Common Vulnerabilities and Exposures

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

In the CVEs field, enter the common vulnerabilities and exposures (CVE) ID in the format CVE-xxxx-xxxxx. For example, you could enter CVE-2020-26950. You can also use the NOT option to indicate that the rule requires that a CVE is not present on the endpoint.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

Firewall Threat

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

In the Firewall Threat ID field, enter the firewall threat ID. You can find this ID in FortiGuard or on the Firewall Events tab of the endpoint details page. You can also use the NOT option to indicate that the rule requires that a firewall threat is not present on the endpoint.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

FortiEDR

  • Windows
  • macOS
  • Linux

From the FortiEDR dropdown list, select FortiEDR is installed and running. EMS considers the endpoint as satisfying the rule if the endpoint has FortiEDR installed and running.