ZTNA user control
When EMS is set up on FortiPAM, you can connect to FortiPAM and launch a secret only from an endpoint PC that carries the allowed ZTNA tags. The endpoint PC must have FortiClient installed and be connected to the same EMS server.
To set up EMS in the GUI:
- Go to Security Fabric > Fabric Connectors.
- Select FortiClient EMS and click Edit.
- In Name, enter the EMS name.
- In IP/Domain name, enter the IP address or the domain name of the EMS.
- In HTTPS port, enter the HTTPS port for the EMS.
- Click OK.
Refer to FortiClient EMS Status to check the status of the FortiClient EMS.
If there is an error connecting to the EMS server, log in to the EMS server, authorize FortiPAM in Administration > Fabric Device, and click Accept in Verify EMS Server Certificate.
For more information, see Fabric Connectors.
For clients that are not connected to the same EMS as FortiPAM, configure a second access proxy that uses a different VIP and has client certificate disabled; those clients can then launch secrets without device control.
To set up EMS using the CLI:
- In the CLI console, enter the following commands to configure an EMS:
config endpoint-control fctems
    edit "ems_200"
        set server "10.59.112.200"
    next
end
- After adding an EMS server, the CLI asks you to verify it using execute fctems verify ems_200. Example:
execute fctems verify ems_200
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2022-04-25 18:17:42 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
Root CA: No
Version: 3
Serial Num:
a4:35:c8
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE
EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
Certificate successfully configured and verified.
If authentication is denied, log in to the EMS server and authorize FortiPAM in Administration > Fabric Device.
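The verify step above asks you to confirm the EMS server certificate by hand. As an added example (not code from the FortiPAM documentation), the following Python check parses the output of execute fctems verify and compares the fingerprint and subject CN against values you obtained from the EMS server itself, so the certificate is only accepted when it matches; the sample output and the expected values are constructed from the example above.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what FortiPAM prints for "execute fctems verify ems_200"
# (shape and values taken from the documentation example above).
VERIFY_OUTPUT = """\
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2022-04-25 18:17:42 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
Root CA: No
Version: 3
"""

def parse_verify_output(text):
    """Return the 'Key: value' lines of the verify output as a dict (empty values skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def subject_cn(subject):
    """Extract the CN attribute from a 'C = US, ST = ..., CN = ...' subject string."""
    m = re.search(r"\bCN = ([^,]+)", subject)
    return m.group(1).strip() if m else None

def check_certificate(text, expected_fingerprint, expected_cn, now=None):
    """Decide whether the presented EMS certificate may be trusted.
    expected_fingerprint and expected_cn are read from the EMS server out of band,
    so a mismatch means the wrong server (or something in between) answered.
    Returns (ok, list_of_reasons)."""
    f = parse_verify_output(text)
    now = now or datetime.now(timezone.utc)
    reasons = []
    fp = f.get("Fingerprint", "").upper().replace("-", ":")
    if fp != expected_fingerprint.upper():
        reasons.append("fingerprint mismatch")
    if subject_cn(f.get("Subject", "")) != expected_cn:
        reasons.append("subject CN mismatch")
    fmt = "%Y-%m-%d %H:%M:%S GMT"
    try:
        not_before = datetime.strptime(f["Valid from"], fmt).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(f["Valid to"], fmt).replace(tzinfo=timezone.utc)
        if not not_before <= now <= not_after:
            reasons.append("certificate not within validity period")
    except (KeyError, ValueError):
        reasons.append("missing or unparsable validity dates")
    return (not reasons, reasons)
```

Only answer y to the "add the above certificate to trusted remote certificates" prompt when the check returns ok; otherwise resolve the mismatch on the EMS side first.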
Using EMS tag for endpoint control
On an EMS server, you can create Zero Trust tagging rules for endpoints based on operating system versions, logged-in domains, running processes, and other criteria. EMS uses these rules to dynamically group endpoints under different tags. FortiPAM can then use these ZTNA tags in firewall policies to control which endpoints are allowed access. See ZTNA tag control example.