Retrieving forticlient user's public IP address via EMS?

Hello rjcou1,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Hello rjcou1,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Hello rjcou1,

I have found this document which can help you:

https://docs.fortinet.com/document/forticlient/7.2.3/administration-guide/708506/retrieving-user-details-from-cloud-applications

Tell us if it is not and we will continue to investigate.

Regards,

Hello

The answer to the OP's original question would be useful to me too, but the link provided by Anthony is irrelevant in my opinion.
The nicest thing would be to collect the Public IP list of FortiClients to the integrated Fortigate via the Fabric Connector in a dynamic address group ( same Device IP and MAC addresses lists)
This could obviously be used in various source IP/MAC Based Access Control based rules

link provided is irrelevant as @GaboBast1 mentioned. This would be very helpful as we can use this in many control/firewall rules.

Fort iClient public IP, which is the end user's public IP, is not visible in Forti Analyzer traffic logs. Only the private IP is displayed. Is there a reason for this?

Hi all,

I had a similar idea and have explored the options regarding this topic—specifically, implementing whitelists for SSL VPN connections based on a dynamically populated IP list. This approach leverages the FortiGate Threat Feed to pull a list of IPs hosted via HTTP/HTTPS.

As you mentioned, Fortinet EMS indeed displays the public IP of connected devices in the GUI. By utilizing browser developer tools, we can see that it is possible to pull back the JSON data for each device, which contains the field:

"public_ip_addr"

API Endpoint Example:

https://fctems.fortidemo.com/api/v1/client_users/311/details

CSV Export for Device Details

Upon further exploration of the GUI, I discovered that we can download a CSV file containing the details of connected devices

Using browser tools to inspect the web request for this download, we can identify the following endpoint:

EXPORT_URL = "https://fctems.fortidemo.com/api/v1/endpoints/export"

The file downloaded is a ZIP archive containing a CSV file, which includes the public IP addresses of the EMS-connected devices. :smiling_face_with_smiling_eyes:

Automating the Process

To automate this process, I implemented the following approach:

• Authenticate via API:
  A session cookie is obtained by authenticating with a username and password using a POST request, just as the EMS GUI does during a login.

• Request the Export File:
  With the session cookie, a GET request is made to the identified export URL. This allows us to download the ZIP file.

• Parse Public IPs:
  After unzipping the file, we parse the CSV to extract the public_ip_addr field and write the values to a text file.

Next Steps: Using the IP List

Once the public IPs are saved to a text file, you can serve this file dynamically via HTTP/HTTPS. If necessary, the service can be protected using basic authentication. This allows you to pull down the IP list dynamically and update the FortiGate address list using APIs or other means.

You can reference additional details on external threat feeds in this Fortinet Community thread.  - https://community.fortinet.com/t5/FortiGate/Technical-Tip-External-threat-list-threat-feed-blocked-via-the/ta-p/192354

Proof of Concept Script

If you're interested, I’ve created a simple proof of concept script using the Fortinet EMS public demo as a target. The credentials in the script are placeholders for your own environment, so please do not misuse this demo system.

https://github.com/luterpt/Forti-EMS-Pull-Public-Ips.git

Example Output

When you run the script, it will take the following steps to populate the public_ips.txt file:

[*] Logging in to EMS...
[*] Login success. Session cookies obtained.
[*] Downloading endpoints export...
[*] Export ZIP saved as: endpoints_export.zip
[*] Files extracted to 'exported_files'
[*] Parsing CSV: exported_files\endpoints.csv
[*] Found 20 public IP(s). Saved to public_ips.txt.

I hope this helps! Let me know if you’d like further assistance or enhancements to the script. :smiling_face_with_smiling_eyes:

I hope this helps :)

This is probably a messy way of doing things and its probably better to use the API programmatically but I don’t see any other solutions being posted so there ya go,

Cheers

Ben

---

@rjcou1 wrote:

Hello,

 

In the EMS portal you can see the public IP of each registered forticlient user (on or off VPN), it's obviously collected data. Unfortunately the API only retrieves their local network IP address. Is there anyway to fetch the public IP address of a user that is not connected to VPN? Some useful scripting that could be done. I also noticed in FortiGate the endpoints API endpoint seems to have similar data, short of a public IP address.

Just curious if anyone knew if this was doable with the tools available via FortiClient EMS.

 

EDIT:  Others have added replies and context expanding on my initial request. The idea of ingesting the active public IPs of download anime slayer all FortiClient agents (NOT connected to VPN) into a dynamic object list/group to be used for policies is spot on in what I'd ultimately like to do. There would be real value in having public policies locked down to the active public IP of all employees, provided that dynamic list is updated at a frequent interval. It would also be nice to use as a whitelist to access SSLVPN to cut down on the endless brute force attempts.

---