FortiClient
DaleR
Staff
Article Id 281222
Description

This article describes the process of copying Endpoint Profiles from one FortiClient EMS server to another.

Scope

FortiClient.
Solution
  1. Log in with administrative privileges to the source EMS server (i.e. the server that has the profiles to copy).
  2. From the GUI, navigate to Endpoint Policy & Components and select ‘Manage Policies’.

 

Picture1.png

 

  3. Select the desired policy and select ‘Edit’.

 

Picture2.png

 

 

  4. Navigate to the ‘Download Profile XML’ section and select either ‘Profile XML’ or ‘Off-Fabric Profile XML’ depending on the requirements.

 

Note:

The ‘Off-Fabric Profile XML’ option will not appear if no ‘Off-Fabric’ profiles have been defined. A sample is shown below that has both options available.

 

Picture3.png

 

  5. Save the XML in an appropriate location on the local PC. By default, the name will be profile.conf. If desired, the file can be renamed so that it is easy to find later. Renaming matters when multiple profiles are exported from the source server, because they will all be named ‘profile.conf’ by default.

 

Picture4.png

 

 

  6. Log in to the destination server.
  7. Navigate to Endpoint Profiles, select one of the options (e.g. ‘Remote Access’), and select ‘Import From File’.
  8. Complete the form as follows:
    • Provide a Name. This name will apply to all profiles imported. To give profiles separate names, import them one at a time.
    • Select the XML file that was exported in steps 5 and 6 above.
    • Optionally, select ‘Import all components’ to import all saved profiles at one time.
    • Select the profile type to be imported. It is possible to select multiple profile types to be imported.
    • Select ‘Upload’.
    • All selected profiles will be imported.

Refer to the screen capture below for details:

 

Picture5.png

 

 

The result should show profiles in each category similar to the following (‘Import all components’ was selected in this case; ‘Remote Access Profiles’ is shown):

 

Picture6.png

 

 

  9. Verify the imported profiles have all the correct settings. These can be compared against either the source device’s settings or the XML file that was created previously.
  10. Assign the profiles and verify they are pushed properly to managed devices.
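
One way to carry out the comparison in the verification step, as an added example that is not part of the original article or of Fortinet's tooling: export the profile XML from both servers and diff the two files setting by setting. The XML layout in the samples is constructed for illustration; only the feature names (antivirus, antiransomware, cloudscan, display_antivirus) come from this article.

```python
import xml.etree.ElementTree as ET
from collections import Counter


def flatten(xml_text):
    """Map every leaf element and attribute to {path: value}.

    Repeated siblings get an index so lists compare position by position.
    """
    out = {}

    def walk(elem, path):
        for name, value in elem.attrib.items():
            out[f"{path}/@{name}"] = value
        children = list(elem)
        if not children:
            out[path] = (elem.text or "").strip()
            return
        totals = Counter(child.tag for child in children)
        seen = Counter()
        for child in children:
            seen[child.tag] += 1
            index = f"[{seen[child.tag]}]" if totals[child.tag] > 1 else ""
            walk(child, f"{path}/{child.tag}{index}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return out


def diff_profiles(source_xml, dest_xml):
    """Return sorted (path, source, destination) tuples for each mismatch.

    None means the setting is absent from that side.
    """
    src, dst = flatten(source_xml), flatten(dest_xml)
    return [(p, src.get(p), dst.get(p))
            for p in sorted(src.keys() | dst.keys())
            if src.get(p) != dst.get(p)]


# Constructed samples, not real EMS exports; the layout is an assumption.
SOURCE = ("<profile><antivirus><enabled>0</enabled></antivirus>"
          "<antiransomware><enabled>1</enabled></antiransomware>"
          "<cloudscan><enabled>1</enabled></cloudscan>"
          "<display_antivirus>0</display_antivirus></profile>")
DEST = SOURCE.replace("<antiransomware><enabled>1", "<antiransomware><enabled>0")
DEST = DEST.replace("<cloudscan><enabled>1</enabled></cloudscan>", "")

if __name__ == "__main__":
    for path, src_val, dst_val in diff_profiles(SOURCE, DEST):
        print(f"{path}: source={src_val!r} destination={dst_val!r}")
```

To compare real exports, read the renamed source and destination files and pass their contents to `diff_profiles`; an empty result means every setting matches.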

 

Observations:

The issue is with how the imported profiles seem to behave in the EMS GUI. When all profiles are imported at once, the GUI no longer shows ‘SYSTEM’ profiles as hidden or as enabled.

 

When importing individually, the ‘SYSTEM’ profile will retain the behavior from the Source EMS server (i.e. enabled and hidden).

 Picture7.png

 

 

All other profiles except Malware seem to behave properly. The ‘Malware’ profile can be hidden, but once it has been hidden, it is not possible to un-hide it in the GUI. There are two workarounds to this behavior:

  1. Edit the XML in EMS to restore the visibility settings.
  2. Enable and then disable any feature in the Malware profile, and then save the profile.

 

This issue does not seem to be apparent in EMS 7.2.2 based on initial testing.

Feedback from QA/Dev on the observed behavior offered the following explanations (not an exact copy of the comments posted):

 

Clarification of some behaviors:

  • The ‘enabled button’/‘display_enable’ icon is always hidden for the system profile since the system profile should always be ‘enabled’/‘display_enable’.
  • The ‘enabled button’ is always hidden for the malware profile.
    • Currently, the enabled value shown in the endpoint policy page for malware actually refers to Antivirus (which is disabled). This is more of a user interface problem.
    • This does not affect FortiClient since it will read the individual feature's enabled value in the applied XML (antiransomware, antivirus, removableMediaAccess, cloudscan) configuration.
  • The ‘display_enable’ icon in the malware profile also refers to <display_antivirus>. It cannot be changed because the AV feature is disabled in the XML.

 

The following changes were proposed to address the issues identified:

 

  • When importing the system profile, the enable/display enabled value should always be set to True.
  • When importing the malware profile, the enable value will be set to True if any of the sub-features is enabled (anti-ransomware, antivirus, removableMediaAccess, cloud scan).
  • When importing the malware profile, the display enabled value will still be the same as the <display_antivirus> value in the XML. In the GUI, however, hovering over the display-enabled icon in the malware profile will show a tooltip informing the user that the icon cannot be toggled because the Antivirus feature is disabled.

 

Note: 

At this time, there is no indication of which version of FortiClient EMS Server will include the proposed enhancements.
