Technical Tip: FortiClient EMS On-Fabric detection rule based on ping probe
Description
This article describes how to configure an On-Fabric detection rule based on ping probes in FortiClient EMS and a possible loop detection issue.
Scope
FortiClient EMS.
Solution
Configuration.
In the FortiClient EMS GUI, select Endpoint Policy & Components, then On-Fabric Detection Rules, then + Add.

Enter a name, enable it, and select '+Add Rule'. In Detection Type, select Ping Server, set the IP Address, and then select 'Add Rule'.
 

 
Finally, in Endpoint Policy & Components -> Manage Policies, create or select the policy, enable the Off-Fabric toggle, and then select the On-Fabric Detection Rule previously created.

 
Important note: avoid the detection loop.
Based on the previous configuration example, the following sequence can occur:
- The endpoint is outside the corporate network, and the user connects to the VPN.
- FortiGate's firewall policies allow ping communication from the VPN user to the server used in the On-Fabric detection rule, and then the ping starts to respond.
- The On-Fabric Detection Rule result is True, and FortiClient enables the On-Fabric Profile.
- The Remote Access module is removed from FortiClient (yellow square).
- The VPN may go down.
- The ping probe stops responding.
- The On-Fabric Detection Rule result is False, and the Off-Fabric Profile is enabled in FortiClient.
- The user reconnects to the VPN, and so on.

 
If the On-Fabric detection rule is based on a ping to an internal server, and the ping begins to respond once a VPN is connected, the test result will be On-Fabric.
It is important to define whether the FortiClient VPN connection will be valid On-Fabric or if it will remain Off-Fabric.
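
The loop above can be checked on paper before a policy is deployed. The following is an added example, not Fortinet code: a small model of a remote endpoint in which the names Design, simulate and flaps are hypothetical. It assumes that the VPN always drops when the Remote Access module is removed and that the user always reconnects when the module is available.

```python
# Added illustration: a model of the On-Fabric detection loop for a remote
# endpoint. Not FortiClient or EMS code; all names here are hypothetical.
from dataclasses import dataclass


@dataclass
class Design:
    # FortiGate policy lets VPN users ping the server used by the rule
    ping_allowed_over_vpn: bool
    # The profile applied when On-Fabric still contains Remote Access
    on_fabric_has_remote_access: bool


def simulate(design, cycles=12):
    """Return the profile applied after each rule evaluation."""
    profile = "off-fabric"          # endpoint starts outside the network
    history = []
    for _ in range(cycles):
        # Assumption: the Off-Fabric profile always offers Remote Access.
        has_remote_access = (profile == "off-fabric"
                             or design.on_fabric_has_remote_access)
        # Assumption: user connects whenever possible; the tunnel is lost
        # as soon as the Remote Access module is removed.
        vpn_up = has_remote_access
        # Remote endpoint: the probe server is reachable only via the VPN.
        ping_ok = vpn_up and design.ping_allowed_over_vpn
        profile = "on-fabric" if ping_ok else "off-fabric"
        history.append(profile)
    return history


def flaps(history):
    """Count profile changes between consecutive evaluations."""
    return sum(1 for a, b in zip(history, history[1:]) if a != b)


if __name__ == "__main__":
    cases = {
        "loop (as configured in the article)": Design(True, False),
        "VPN stays Off-Fabric (ping not allowed over VPN)": Design(False, False),
        "VPN valid On-Fabric (profile keeps Remote Access)": Design(True, True),
    }
    for label, design in cases.items():
        result = simulate(design)
        print(f"{label}: final={result[-1]}, flaps={flaps(result)}")
```

Only the first case flaps. The other two correspond to the two choices in the last sentence of the article: the VPN remains Off-Fabric, or the VPN is valid On-Fabric.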