Skip to main content
Rathan_FTNT
Staff
Rathan_FTNT
Staff
October 12, 2020

Technical Tip: Synchronizing FortiClient EMS tags and configurations

  • October 12, 2020
  • 0 replies
  • 9143 views

Description

 

This article describes how to synchronize FortiClient EMS tags and configurations.

Scope

 

A new option under the FortiClient EMS settings consolidates the setup of EMS connectors to support EMS tags.
EMS tags are pulled and automatically synced with the EMS server.

It is converted into read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.

Solution

 

Tags have been created on Compliance Verification -> Compliance Verification Rules page.
 

Stephen_G_0-1754570955866.png
 
There are registered users who match the defined tags that are visible on Compliance Verification -> Host Tag Monitor page.
 
 
To configure FortiClient EMS with tag synchronization from the GUI.
 
  1. Configure the EMS Fabric Connector:
  • On the root FortiGate, go to Security Fabric -> Fabric Connectors.
  • Select 'Create New' and select 'FortiClient EMS'.
  • Enable Synchronize firewall addresses.
 
 
  • Configure the other settings as needed and validate the certificate.
  • Select 'OK'.
 
  1. Go to Policy & Objects -> Addresses and hover over the EMS tag to view which IPs it resolves to.

  1. Configure a firewall policy:
  • Go to Policy & Objects -> Firewall Policy and create a new policy.
  • For the Source Address, add the EMS tag dynamic address.
 
 
  • Configure the other settings as needed.
  • Select 'OK'.

To configure FortiClient EMS with tag synchronization from the CLI:

Configure the EMS Fabric Connector:

 

config endpoint-control fctems
    edit "ems137"
        set fortinetone-cloud-authentication disable
        set server "172.16.200.137"
        set https-port 443
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set call-timeout 5000
        set certificate "REMOTE_Cert_1"
    next
end
 
Verify which IPs the dynamic firewall address resolves to:

diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0580-----9_ems137_vuln_critical_tag: ID(118)
ADDR(10.1.100.120)
ADDR(10.1.100.198)
FCTEMS0580-----9_ems137_winscp_tag: ID(155)
ADDR(100.100.100.141)

FCTEMS0580-----9_ems137_win10_tag: ID(182)
        ADDR(10.1.100.120)
# diagnose firewall dynamic address FCTEMS0580226579_ems137_vuln_critical_tag
FCTEMS0580-----9_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

Total dynamic list entries: 1.
Total dynamic addresses: 2
Total dynamic ranges: 0
 
Configure a firewall policy that uses the EMS tag dynamic firewall address as a source.
 
If TAGS are not syncing, refer to the following document to perform CLI debugging: ZTNA troubleshooting and debugging - FortiGate 7.0.0 new features.
Terms & ConditionsAccessibility statement