mforbes
Staff
February 21, 2018

Technical Tip: FortiClient EMS - FortiGate FortiTelemetry and FortiClient EMS


Description

 

This article describes a legacy method of registering FortiClient endpoints to FortiGate using a deprecated FortiTelemetry protocol.


Scope

 

FortiOS 6.0 and earlier, FortiClient 6.0 and earlier, FortiClient Enterprise Management System (EMS).

Solution


Important note: This article describes a method of registering FortiClient that is no longer in use in current FortiClient and FortiOS versions. It is retained here for historical reference.
 
FortiTelemetry changes since this article was originally published:
  • In FortiClient v6.2.0 and later, the licensing scheme for FortiClient has changed and endpoints can no longer be registered to FortiGate directly; see the reference FortiClient Endpoint Telemetry license.
  • In FortiOS v6.2.3 and later, as well as v6.4.0 and later, the FortiTelemetry and CAPWAP settings have been combined into one option labelled 'Security Fabric Connection'; see Technical Tip: Security fabric connection setting.
  • In FortiOS v7.4.2 and later, TCP port 8013 is used to enable EMS-registered FortiClient endpoints to self-update their Security Posture tag on a connected FortiGate directly; see the article Technical Tip: PCI compliance of port 8013.
  • In FortiOS v7.6.3 and later, a new protocol re-using the 'FortiTelemetry' name is introduced. This protocol collects performance metrics from FortiTelemetry probes to SaaS applications; see FortiTelemetry Introduction. This protocol is independent from FortiClient and FortiClient EMS.

FortiTelemetry is used by FortiGate as part of the Cooperative Security Fabric. When enabled, it allows the FortiGate to securely communicate over port 8013 with FortiClient Endpoints and with any other Fortinet products located in its environment (FortiAnalyzer, FortiManager, FortiSandbox, FortiMail, FortiAuthenticator).
 
FortiTelemetry is enabled by default on FortiGate, and is not a requirement for operation. It can safely be disabled if the FortiGate will not be part of the Cooperative Security Fabric. 
 
[Image: mforbes_security Fabric.png]
 
FortiClient Endpoints always attempt registration to one of two management devices: either a FortiGate or an Enterprise Management Server (EMS).

The difference explained:

  • Endpoint Compliance: When enforced by a FortiGate, FortiClient Endpoints are barred from accessing the network if their settings do not match the Compliance rules specified in a FortiClient Compliance Profile.
  • Endpoint Control: Implemented on FortiClient EMS. When FortiClient EMS is used, the FortiGate should be running FortiOS 5.4.1 or above.

To disable FortiTelemetry:

  1. Go to System -> Feature Visibility -> Security Features -> Set 'Endpoint Control' to the ON position, and select 'Apply'.

     
[Image: mforbes_feature visibility.png]

  2. Go to Network -> Interfaces and edit any Interface that shows 'FortiTelemetry' under the 'Access' column, un-check 'FortiTelemetry', then save the settings.

VPN Tunnels:
 
IPsec VPN tunnels use a sub-interface on which FortiTelemetry is enabled by default. Make sure to expand the sub-interface, then edit it and disable FortiTelemetry there as well.
  • SSL VPN does not create a sub-interface; it listens on any interface that has been assigned to it.
  • Go to VPN -> SSL VPN Settings. Locate 'Allow Endpoint Registration' and verify it is disabled.
 
 
[Image: mforbes_interfaces.png]
 
[Image: mforbes_vpn.png]
 
  3. Go to Security Profiles -> FortiClient Compliance Profiles and disable 'System Compliance'.

 

[Image: mforbes_compliance profiles 1.png]
 
[Image: mforbes_compliance profiles 2.png]
 
  4. To discard all FortiClient Endpoints that may already have been registered, open a CLI session to the FortiGate and run the following command:

diag endpoint registration deregister all <Enter>
 
The FortiGate will reply with the following prompt (enter 'y' to proceed):

This operation will deregister all FortiClients!
Do you want to continue? (y/n)
 
Close the CLI window.
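As an added example that is not part of the original article, the following Python check scans a FortiOS configuration backup and lists every interface, including IPsec tunnel sub-interfaces, that still has FortiTelemetry in its access list, so an administrator can confirm step 2 was completed everywhere. It assumes the FortiOS 5.4/6.0 'config system interface' syntax with 'fortitelemetry' as an allowaccess keyword; the sample configuration is constructed.

```python
import re

# Constructed sample of a FortiOS 6.0-style "config system interface" block
# (assumed syntax). "branch-vpn" stands in for an IPsec tunnel sub-interface.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fortitelemetry
    next
    edit "port2"
        set allowaccess ping https
    next
    edit "branch-vpn"
        set allowaccess ping fortitelemetry
        set type tunnel
        set interface "port1"
    next
end
"""


def parse_interfaces(config_text):
    """Map each interface name in the 'config system interface' block to
    the set of allowaccess protocols configured on it (empty if none)."""
    parts = config_text.split("config system interface", 1)
    if len(parts) < 2:
        return {}
    interfaces, current = {}, None
    for raw in parts[1].splitlines():
        line = raw.strip()
        if line == "end":          # end of the interface block
            break
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        elif current and line.startswith("set allowaccess "):
            interfaces[current] = set(line.split()[2:])
        elif line == "next":       # leaving the current interface entry
            current = None
    return interfaces


def fortitelemetry_enabled(config_text):
    """Sorted names of interfaces that still allow FortiTelemetry."""
    return sorted(name for name, access in parse_interfaces(config_text).items()
                  if "fortitelemetry" in access)
```

Run it against a real `show system interface` export and an empty result means no interface still exposes FortiTelemetry.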
 
Related documents: