Author: btan (Staff)
Article Id 332030
Description

This article explains why certain FortiGates in the same Security Fabric show 'EMS certificate not authorized' even though the Fabric has already been authorized in EMS -> Administration -> Fabric Devices.

(Image: 10aug-intro1.png)

Scope

FortiClient EMS versions are 7.0.x and 7.2.x.
FortiGate FortiOS versions are 7.0.x, 7.2.x and 7.4.x.

Solution

When FortiGates are members of a Security Fabric, all of them must join the Fabric first, before the EMS Connector is created on the root FortiGate.

In practice:
  • When a new FortiGate needs to join an existing Fabric and also requires EMS tag functionality, the existing FortiGates must first be deleted from EMS.
  • Only once all FortiGates (including the new one) are present in the Security Fabric should the EMS Connector be created on the root FortiGate.

If the root FortiGate is authorized with EMS but the downstream FortiGates fail to verify the EMS certificate, follow the verification steps below:

  • Check whether the remote CA certificate on the downstream FortiGates has the same name as on the root FortiGate.
  • In the example below, the downstream FortiGate's remote EMS CA certificate differs from the root FortiGate's remote EMS CA certificate.
  • On the root FortiGate, the EMS CA certificate is named 'csf_CA_Cert_1'.

(Image: 10aug-root-fgt1.PNG)


  • On the downstream FortiGate, the EMS CA certificate is named 'CA_Cert_1'.

(Image: 10aug-down-fgt2.PNG)


Because the certificate names differ, the downstream FortiGate cannot verify the EMS certificate.
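The naming check above can be scripted when many downstream units are involved. The following is an added example, not code from the Fortinet article: it parses the text of a 'show vpn certificate ca' listing captured from the root and from a downstream FortiGate, and reports Fabric-distributed CA entries that are missing on the downstream unit, or present there under a name without the Fabric prefix (the 'CA_Cert_1' versus 'csf_CA_Cert_1' symptom). The sample listings are constructed, with shortened certificate bodies, and the assumption that Fabric-synchronised entries carry the 'csf_' prefix is taken from the article's own example rather than stated by it.

```python
"""Compare EMS CA certificate entries between a root and a downstream FortiGate.

Added example; not part of the Fortinet article. Assumption (from the article's
example names): CA entries the root pushes through the Security Fabric carry the
'csf_' prefix, so a downstream entry with the same name minus that prefix is a
stale, locally created copy that will not validate the EMS certificate.
"""
import re

# Constructed sample listings in the shape of FortiOS 'show vpn certificate ca'
# output. Certificate bodies are shortened placeholders; only the block
# structure (config / edit "name" / next / end) matters to the parser.
ROOT_LISTING = """\
config vpn certificate ca
    edit "csf_CA_Cert_1"
        set ca "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
    next
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
    next
end
"""

DOWNSTREAM_LISTING = """\
config vpn certificate ca
    edit "CA_Cert_1"
        set ca "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
    next
    edit "Fortinet_CA"
        set ca "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
    next
end
"""

# Matches an 'edit' line, with or without quotes around the entry name.
_EDIT_RE = re.compile(r'^edit\s+"?(.+?)"?\s*$')


def ca_entry_names(listing: str) -> set[str]:
    """Return the entry names inside the 'config vpn certificate ca' block."""
    names: set[str] = set()
    in_block = False
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("config vpn certificate ca"):
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "end":
            break
        match = _EDIT_RE.match(stripped)
        if match:
            names.add(match.group(1))
    return names


def check_downstream_ems_ca(root_listing: str, downstream_listing: str,
                            fabric_prefix: str = "csf_") -> dict:
    """Report Fabric CA entries missing on the downstream unit, and downstream
    entries that look like un-prefixed stale copies of a Fabric CA."""
    root_names = ca_entry_names(root_listing)
    down_names = ca_entry_names(downstream_listing)
    fabric_cas = {n for n in root_names if n.startswith(fabric_prefix)}

    missing = sorted(fabric_cas - down_names)
    # 'CA_Cert_1' on the downstream while the root holds 'csf_CA_Cert_1'
    stale = sorted(n for n in down_names
                   if n not in fabric_cas and fabric_prefix + n in fabric_cas)
    return {
        "missing_on_downstream": missing,
        "stale_on_downstream": stale,
        "ok": not missing and not stale,
    }


if __name__ == "__main__":
    result = check_downstream_ems_ca(ROOT_LISTING, DOWNSTREAM_LISTING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Any name reported under 'stale_on_downstream' is the entry to delete on the downstream unit before rejoining the Fabric, as the steps below describe; an empty report means the downstream already holds the same Fabric CA names as the root and the problem lies elsewhere.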


The fix is to delete the existing 'CA_Cert_1' from the downstream FortiGate so that it can import the correct 'csf_CA_Cert_1' from the root FortiGate again. Follow these steps:


  1. Delete 'CA_Cert_1' on the affected downstream FortiGates: System -> Certificates -> select 'CA_Cert_1' -> Delete -> OK.

  2. Remove the affected downstream FortiGates from the Security Fabric and disable their EMS connector.

  3. In EMS, go to Administration -> Fabric Devices -> select the root FortiGate -> Delete.

  4. On the root FortiGate, temporarily disable the EMS connector: Security Fabric -> Fabric Connectors -> FortiClient EMS -> Disable -> OK.

  5. Rejoin the affected downstream FortiGates to the root FortiGate's Security Fabric.

  6. On the root FortiGate, re-enable the EMS connector: Security Fabric -> Fabric Connectors -> FortiClient EMS -> Enable -> OK.

  7. In EMS, go to Administration -> Fabric Devices -> select the root FortiGate -> Authorize.

  8. Wait for 2 minutes.

  9. On the downstream FortiGates, confirm that the certificate has been imported as 'csf_CA_Cert_1': System -> Certificates.

  10. Go to Security Fabric -> Fabric Connectors -> FortiClient EMS. It should now show 'Connected' in green.

  11. On v7.4.4 and newer, if the downstream FortiGate is still unable to validate the EMS certificate, refer to Technical Tip: EMS certificate verification fails on downstream FortiGate in Security Fabric.