Establish device identity and trust context with FortiClient EMS
How device identity is established through client certificates, and how device trust context is established between FortiClient, FortiClient EMS, and the FortiGate, are integral to ZTNA.
Device roles
FortiClient
FortiClient endpoints provide the following information to FortiClient EMS when they register to the EMS:
-
Device information (network details, operating system, model, and others)
-
Logged on user information
-
Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)
It also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA) when it registers to FortiClient EMS. The client uses this certificate to identify itself to the FortiGate.
FortiClient EMS
FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial number. The certificate is then synchronized to the FortiGate. EMS also shares its EMS ZTNA CA certificate with the FortiGate, so that the FortiGate can use it to authenticate the clients.
FortiClient EMS uses zero trust tagging rules to tag endpoints based on the information that it has on each endpoint. The tags are also shared with the FortiGate. See Endpoint Posture Check Reference for a list of the endpoint posture checks that EMS can perform.
FortiGate
The FortiGate maintains a continuous connection to the EMS server to synchronize endpoint device information, including primarily:
-
FortiClient UID
-
Client certificate SN
-
EMS SN
-
Device credentials (user/domain)
-
Network details (IP and MAC address and routing to the FortiGate)
When a device's information changes, such as when a client moves from on-net to off-net, or their security posture changes, EMS is updated with the new device information and then updates the FortiGate. The FortiGate's WAD daemon can use this information when processing ZTNA traffic. If an endpoint's security posture change causes it to no longer match the ZTNA rule criteria on an existing session, then the session is terminated.
Certificate management on FortiClient EMS
FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing updates to the FortiGate and FortiClient endpoints by generating new certificates for each client.
Do not confuse the EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server certificate that is used by EMS for HTTPS access and fabric connectivity to the EMS server. |
EMS can also manage individual client certificates. To revoke the current client certificate that is used by the endpoint: go to Endpoint > All Endpoints, select the client, and click Action > Revoke Client Certificate.
Locating and viewing the client certificate on an endpoint
In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on EMS and the FortiGate.
To locate certificates on other operating systems, consult the vendor documentation.
To locate the client certificate and EMS ZTNA CA certificate on a Windows PC:
-
In the Windows search box, enter user certificate and click Manage user certificates from the results.
-
In the certificate manager, go to Certificates - Current User > Personal > Certificates and find the certificate that is issued by the FortiClient EMS.
-
Right-click on it and select Properties.
-
The General tab shows the client certificate UID and the issue and expiry dates. The Details tab show the certificate SN.
-
Go to the Certificate Path tab to see the full certificate chain.
-
Select the root CA and click View Certificate to view the details about the EMS ZTNA CA certificate.
Verifying that the client information is synchronized to the FortiGate
The following diagnose commands help to verify the presence of matching endpoint record, and information such as the client UID, client certificate SN, and EMS certificate SN on the FortiGate. If any of the information is missing or incomplete, client certificate authentication might fail because the corresponding endpoint entry is not found. More in-depth diagnosis would be needed to determine the reason for the missing records.
Command |
Description |
---|---|
# diagnose endpoint record list <ip> |
Show the endpoint record list. Optionally, filter by the endpoint IP address. |
# diagnose endpoint lls-comm send ztna find-uid <uid> |
Query endpoints by client UID. |
# diagnose endpoint lls-comm send ztna find-ip-vdom <ip> <vdom> |
Query endpoints by the client IP-VDOM pair. |
# diagnose wad dev query-by uid <uid> |
Query from WAD diagnose command by UID. |
# diagnose wad dev query-by ipv4 <ip> |
Query from WAD diagnose command by IP address. |
# diagnose test application fcnacd 7 # diagnose test application fcnacd 8 |
Check the FortiClient NAC daemon ZTNA and route cache. |
To check the endpoint record list for IP address 10.6.30.214:
# diagnose endpoint record list 10.6.30.214 Record #1: IP Address = 10.6.30.214 MAC Address = 00:0c:29:ba:1e:61 MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b; VDOM = root (0) EMS serial number: FCTEMS8821001322 Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64 Quarantined: no Online status: online Registration status: registered On-net status: on-net Gateway Interface: port2 FortiClient version: 7.0.0 AVDB version: 84.778 FortiClient app signature version: 18.43 FortiClient vulnerability scan engine version: 2.30 FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD … Number of Routes: (1) Gateway Route #0: - IP:10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no - Interface:port2, VFID:0, SN: FG5H1E5819902474 online records: 1; offline records: 0; quarantined records: 0