Administration Guide

ZTNA user control

When EMS is set up on FortiPAM, you can only connect to FortiPAM and launch a secret from an endpoint PC that carries the allowed ZTNA tags. The endpoint PC must have FortiClient installed and be connected to the same EMS server.

To set up EMS in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Select FortiClient EMS and click Edit.
  3. In Name, enter the EMS name.
  4. In IP/Domain name, enter the IP address or the domain name of the EMS.
  5. In HTTPS port, enter the HTTPS port for the EMS.
  6. Click OK.

    Refer to FortiClient EMS Status to check the status of the FortiClient EMS.

    If there is an error connecting to the EMS server, log in to the EMS server, authorize FortiPAM in Administration > Fabric Device, and click Accept in Verify EMS Server Certificate.

    For more information, see Fabric Connectors.

    For clients that are not connected to the same EMS as FortiPAM, configure a separate access proxy with a different VIP and with client certificate authentication disabled; those clients can then launch secrets successfully, but without device control.

To set up EMS using the CLI:
  1. In the CLI console, enter the following commands to configure an EMS:

    config endpoint-control fctems
        edit "ems_200"
            set server "10.59.112.200"
        next
    end

  2. After adding an EMS server, the CLI prompts you to verify the server certificate with execute fctems verify ems_200.

    Example:

    execute fctems verify ems_200
    Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
    Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
    Valid from: 2022-04-25 18:17:42 GMT
    Valid to: 2038-01-19 03:14:07 GMT
    Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
    Root CA: No
    Version: 3
    Serial Num:
    a4:35:c8
    Extensions:
    Name: X509v3 Basic Constraints
    Critical: no
    Content:
    CA:FALSE
    EMS configuration needs user to confirm server certificate.
    Do you wish to add the above certificate to trusted remote certificates? (y/n)y
    Certificate successfully configured and verified.

    If authentication is denied, log in to the EMS server and authorize FortiPAM in Administration > Fabric Device.
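    The verify step above trusts the EMS certificate once you answer y, so the fingerprint it prints is worth checking against the certificate obtained from the EMS server out of band before confirming. The following script is an added example, not part of this guide or of FortiPAM: it computes the colon-separated fingerprint of a certificate and compares it with the value the CLI displayed, normalizing case and separators. It assumes the 16-byte fingerprint shown above is an MD5 digest (inferred from its length only) and uses a hypothetical EMS hostname ems.example.com.

```python
import hashlib
import ssl

# Fingerprint printed by "execute fctems verify" on this page (16 bytes).
CLI_FINGERPRINT = "35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3"


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def guess_algorithm(fp: str) -> str:
    """Infer the digest from the fingerprint length (assumption: 16 bytes = MD5)."""
    sizes = {32: "md5", 40: "sha1", 64: "sha256"}
    length = len(normalize(fp))
    if length not in sizes:
        raise ValueError(f"unrecognized fingerprint length {length // 2} bytes")
    return sizes[length]


def matches(der: bytes, expected: str) -> bool:
    """True when the certificate's fingerprint equals the value the CLI displayed."""
    return normalize(fingerprint(der, guess_algorithm(expected))) == normalize(expected)


def pem_matches(pem: str, expected: str) -> bool:
    """Same check starting from a PEM string, e.g. one exported from the EMS server."""
    return matches(ssl.PEM_cert_to_DER_cert(pem), expected)


def fetch_pem(host: str, port: int = 443) -> str:
    """Retrieve the server's leaf certificate as PEM (no validation happens here)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Hypothetical EMS address; replace it and compare with the CLI output.
    der = ssl.PEM_cert_to_DER_cert(fetch_pem("ems.example.com"))
    print("MD5    :", fingerprint(der, "md5"))
    print("SHA-256:", fingerprint(der, "sha256"))
    print("matches CLI value:", matches(der, CLI_FINGERPRINT))
```

Compare the MD5 line with the Fingerprint line from the CLI, or the SHA-256 line with what the EMS console or openssl reports; confirm with y only when they agree.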

Using EMS tag for endpoint control

On an EMS server, you can create Zero Trust tagging rules for endpoints based on operating system versions, logged-in domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints under different tags. FortiPAM can use these ZTNA tags in firewall policy to control which endpoints have access. See ZTNA tag control example.