Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.6 Administration Guide
    6.4.6
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Synchronizing FortiClient EMS tags and configurations

    Synchronizing FortiClient EMS tags and configurations

    An option under the FortiClient EMS settings on the FortiGate consolidates the setup of EMS connectors to support EMS tags. EMS tags are pulled into the FortiGate via TCP/8013 and automatically synced with the EMS server. They are converted into read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.

    Note

    You can test connectivity to the EMS on the FortiGate with the diagnose endpoint fctems test-connectivity <EMS_ENTRY_NAME> command.

    These examples presume the following have been configured in FortiClient EMS:

    • Tags have been created on the Compliance Verification > Compliance Verification Rules page.

    • There are registered users who match the defined tags that are visible on the Compliance Verification > Host Tag Monitor page.

    To configure FortiClient EMS with tag synchronization in the GUI:
    1. Configure the EMS Fabric Connector:
      1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
      2. Click Create New and click FortiClient EMS.
      3. Enable Synchronize firewall addresses.

      4. Configure the other settings as needed and validate the certificate.
      5. Click OK.
    2. Go to Policy & Objects > Addresses and hover over the EMS tag to view which IPs it resolves to.
    3. Configure a firewall policy:
      1. Go to Policy & Objects > Firewall Policy and create a new policy.
      2. For the Source Address, add the EMS tag dynamic address.

      3. Configure the other settings as needed.
      4. Click OK.
    To configure FortiClient EMS with tag synchronization in the CLI:
    1. Configure the EMS Fabric Connector:
      config endpoint-control fctems
    edit "ems137"
        set fortinetone-cloud-authentication disable
        set server "172.16.200.137"
        set https-port 443
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set call-timeout 5000
        set certificate "REMOTE_Cert_1"
    next
end
    2. Verify which IPs the dynamic firewall address resolves to:
      # diagnose firewall dynamic list 
List all dynamic addresses:
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

FCTEMS0580226579_ems137_winscp_tag: ID(155)
        ADDR(100.100.100.141)

FCTEMS0580226579_ems137_win10_tag: ID(182)
        ADDR(10.1.100.120)
      # diagnose firewall dynamic address FCTEMS0580226579_ems137_vuln_critical_tag
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

Total dynamic list entries: 1.
Total dynamic addresses: 2
Total dynamic ranges: 0
    3. Configure a firewall policy that uses the EMS tag dynamic firewall address as a source.
    Previous
    Next

    Synchronizing FortiClient EMS tags and configurations

    Synchronizing FortiClient EMS tags and configurations

    An option under the FortiClient EMS settings on the FortiGate consolidates the setup of EMS connectors to support EMS tags. EMS tags are pulled into the FortiGate via TCP/8013 and automatically synced with the EMS server. They are converted into read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.

    Note

    You can test connectivity to the EMS on the FortiGate with the diagnose endpoint fctems test-connectivity <EMS_ENTRY_NAME> command.

    These examples presume the following have been configured in FortiClient EMS:

    • Tags have been created on the Compliance Verification > Compliance Verification Rules page.

    • There are registered users who match the defined tags that are visible on the Compliance Verification > Host Tag Monitor page.

    To configure FortiClient EMS with tag synchronization in the GUI:
    1. Configure the EMS Fabric Connector:
      1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
      2. Click Create New and click FortiClient EMS.
      3. Enable Synchronize firewall addresses.

      4. Configure the other settings as needed and validate the certificate.
      5. Click OK.
    2. Go to Policy & Objects > Addresses and hover over the EMS tag to view which IPs it resolves to.
    3. Configure a firewall policy:
      1. Go to Policy & Objects > Firewall Policy and create a new policy.
      2. For the Source Address, add the EMS tag dynamic address.

      3. Configure the other settings as needed.
      4. Click OK.
    To configure FortiClient EMS with tag synchronization in the CLI:
    1. Configure the EMS Fabric Connector:
      config endpoint-control fctems
    edit "ems137"
        set fortinetone-cloud-authentication disable
        set server "172.16.200.137"
        set https-port 443
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set call-timeout 5000
        set certificate "REMOTE_Cert_1"
    next
end
    2. Verify which IPs the dynamic firewall address resolves to:
      # diagnose firewall dynamic list 
List all dynamic addresses:
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

FCTEMS0580226579_ems137_winscp_tag: ID(155)
        ADDR(100.100.100.141)

FCTEMS0580226579_ems137_win10_tag: ID(182)
        ADDR(10.1.100.120)
      # diagnose firewall dynamic address FCTEMS0580226579_ems137_vuln_critical_tag
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

Total dynamic list entries: 1.
Total dynamic addresses: 2
Total dynamic ranges: 0
    3. Configure a firewall policy that uses the EMS tag dynamic firewall address as a source.
    Previous
    Next