Description
This article aims to clarify when FortiTelemetry should be used when coupled with a FortiClient EMS installation.
Scope
All FortiGates
FortiClient Endpoints
FortiClient Enterprise Management System (EMS)
Solution
[Screenshots from the original article: Security Fabric, Feature Visibility, Interfaces, VPN, Compliance Profiles (1 and 2)]
FortiTelemetry is used by FortiGate as part of the Cooperative Security Fabric. When enabled, it allows the FortiGate to communicate securely with FortiClient endpoints over port 8013 and with any other Fortinet products in its environment (FortiAnalyzer, FortiManager, FortiSandbox, FortiMail, FortiAuthenticator).
FortiTelemetry is enabled by default on FortiGate. It is not required for operation and can be safely disabled if the FortiGate will not be part of the Cooperative Security Fabric.
FortiClient endpoints always attempt registration with one of two management devices: either a FortiGate or an Enterprise Management Server (EMS).
What's the difference?
Endpoint Compliance - when enforced by a FortiGate, FortiClient endpoints are barred from accessing the network if their settings do not match the compliance rules specified in a FortiClient Compliance Profile.
Endpoint Control - implemented on FortiClient EMS. When FortiClient EMS is used, the FortiGate should be running FortiOS 5.4.1 or higher.
To disable FortiTelemetry
1. Go to System/Feature Visibility/Security Features -> set 'Endpoint Control' to the ON position and select 'Apply'.
2. Go to Network/Interfaces -> edit any interface that shows 'FortiTelemetry' under the 'Access' column -> un-check 'FortiTelemetry', then save the settings.
VPN tunnels
IPsec VPN tunnels use a sub-interface on which FortiTelemetry is enabled by default. Make sure to expand the sub-interface, edit it and disable FortiTelemetry there as well.
- SSL VPN does not create a sub-interface; it listens on any interface that has been assigned to it.
- Go to VPN/SSL VPN Settings, locate 'Allow Endpoint Registration' and verify that it is disabled.
3. Go to Security Profiles/FortiClient Compliance Profiles -> disable 'System Compliance'.
4. To discard all FortiClient endpoints that may have registered, open a CLI session to the FortiGate and run the following command, then press Enter:
diag endpoint registration deregister all
The FortiGate will reply with the following (enter 'y' to proceed):
This operation will deregister all FortiClients!
Do you want to continue? (y/n)
Close the CLI window.
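Step 2 and the VPN note above are easy to miss on a box with many interfaces and IPsec sub-interfaces, so an offline audit of a configuration backup is a useful check. The following Python script is an added example, not code from the article or from Fortinet: it parses the 'config system interface' table of a backup, lists every interface whose allowaccess still contains fortitelemetry (tunnel type included), and emits the hardened 'set allowaccess' lines that correspond to un-checking FortiTelemetry in the GUI. The sample configuration is constructed.

```python
import shlex
# Constructed FortiOS config backup excerpt (not from a real device): a LAN port and an
# IPsec tunnel sub-interface still carry fortitelemetry in their allowaccess list.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set allowaccess ping https ssh http fgfm fortitelemetry
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "to_branch"
        set type tunnel
        set allowaccess ping fortitelemetry
    next
end
"""

def parse_interfaces(config_text):
    """Map interface name -> {setting: [values]} from the `config system interface` table."""
    interfaces, current, depth = {}, None, 0   # depth: 0 outside, 1 in table, 2 in `edit`, 3+ nested
    for line in (l.strip() for l in config_text.splitlines()):
        words = shlex.split(line)
        if depth == 0:
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):           # nested table such as `config ipv6`
            depth += 1
        elif line == "end":
            depth -= 1
        elif line == "next" and depth == 2:        # end of this interface entry
            current, depth = None, 1
        elif depth == 1 and words[:1] == ["edit"]:
            current, depth = interfaces.setdefault(words[1], {}), 2
        elif depth == 2 and words[:1] == ["set"]:  # settings inside nested tables are ignored
            current[words[1]] = words[2:]
    return interfaces

def fortitelemetry_exposed(config_text):
    """Interfaces (IPsec tunnel sub-interfaces included) that still accept FortiTelemetry on 8013."""
    return sorted((name, cfg.get("type", ["physical"])[0]) for name, cfg in parse_interfaces(config_text).items()
                  if "fortitelemetry" in cfg.get("allowaccess", []))   # "physical" is the FortiOS default type

def strip_fortitelemetry(config_text):
    """CLI equivalent of un-checking FortiTelemetry: drop it from every `set allowaccess` line."""
    def fix(raw):
        words = raw.split()
        if words[:2] != ["set", "allowaccess"] or "fortitelemetry" not in words:
            return raw
        kept = " ".join(w for w in words[2:] if w != "fortitelemetry")
        return raw[:raw.index("set")] + (f"set allowaccess {kept}" if kept else "unset allowaccess")
    return "\n".join(fix(raw) for raw in config_text.splitlines())
```

Run fortitelemetry_exposed() against a backup before and after applying the hardened lines; an empty result means no interface, tunnel sub-interfaces included, still exposes FortiTelemetry.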