FortiEDR
rduggal_FTNT
Staff
Article Id 329091
Description

This article describes how to configure user access integration between FortiEDR and FortiClient EMS in order to identify and restrict access from remote users over VPN and ZTNA when malicious activity is detected on an endpoint.
Scope

FortiEDR 6.0+, FortiClient EMS 7.2+ and FortiGate 7.2+

Solution

This article covers two scenarios in which business-critical applications are reachable by remote users over VPN and ZTNA. When FortiEDR detects malicious activity on an endpoint that has both the FortiEDR Collector and FortiClient installed, a classification tag is assigned to that endpoint and, based on the tag, access to the business-critical applications is blocked.

This article assumes the following prerequisites are met:

  • FortiEDR deployment includes a Jumpbox that has connectivity to the identity management server.
  • The FortiEDR Central Manager has connectivity to the Fortinet Cloud Services (FCS).
  • VPN and ZTNA server configuration is in place on the FortiGate.

For demonstration, the following versions are used: FortiEDR Central Manager 6.2.0.0451, Core/Jump Box 6.0.1.0646, FortiClient EMS 7.4, FortiGate 7.4.4 and FortiClient 7.2.4.

Step 1: Add the Identity Management Connection to FortiEDR as shown below:

[Screenshot: Capture.PNG]

 

Note: A custom Zero Trust device tag can be added; however, FortiClient EMS 7.2 or later ships with predefined tags for FortiEDR: FortiEDR_Malicious, FortiEDR_Suspicious, FortiEDR_PUP, FortiEDR_Likely_Safe and FortiEDR_Probably_Good.

 

Step 2: Assign the Identity Management Connector to a Playbook, following the steps below, so that a classification tag is assigned when malicious or suspicious activity is detected.

Security Settings -> Playbooks -> Select playbook -> Zero Trust device tagging -> From the drop-down, select the Identity Management Connector -> Select the Malicious classification -> Assign the required Collector Group to it.

[Screenshot: Capture.PNG]

 

Scenario 1:

An SSL VPN tunnel on the FortiGate allows access to the Prod servers, as shown below, and blocks access if the FortiEDR_Malicious classification tag is assigned to an endpoint.

[Screenshot: Capture1.PNG]

[Screenshot: Capture2.PNG]

  • A user is connected to the VPN and can access the Prod servers successfully.

[Screenshot: Capture3.PNG]

 

  • Now, malicious activity is detected on the same endpoint.

[Screenshot: Capture4.PNG]

  • On EMS, as per the playbook configuration in the steps above, the FortiEDR_Malicious classification tag is assigned to the endpoint:

[Screenshot: Capture5.PNG]

 

  • After the Malicious classification tag is assigned, the user can no longer access the Prod servers.

[Screenshot: Capture6.PNG]
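As an added illustration of how the blocking in this scenario is usually expressed on the FortiGate (this is example configuration, not a capture from the article's lab), the FortiOS CLI fragment below shows a deny policy that matches the EMS tag as a dynamic firewall address and sits above the SSL VPN allow policy. The object names EMS1_ZTNA_FortiEDR_Malicious, ssl.root, port2, Prod_Servers and SSLVPN_Users and the policy IDs are assumptions. The EMS tag address object is created automatically by the EMS fabric connector in FortiOS 7.2 and later and its exact name depends on the connector ID and firmware version, so confirm the real name with `diagnose firewall dynamic list` before referencing it.

```text
# FortiOS CLI example (not from the original article); object names are assumptions.
# The FortiEDR_Malicious tag synced from FortiClient EMS appears as a dynamic address
# object whose members are the IPs of the endpoints currently carrying that tag. It is
# created by the EMS connector, not by hand; it is shown here only so the reference in
# the policy below is clear.
config firewall address
    edit "EMS1_ZTNA_FortiEDR_Malicious"
        set type dynamic
        set sub-type ems-tag
    next
end

config firewall policy
    # Deny policy for tagged endpoints. It must sit above the allow policy, because
    # FortiOS evaluates policies top-down and stops at the first match.
    edit 10
        set name "VPN-Deny-FortiEDR-Malicious"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "EMS1_ZTNA_FortiEDR_Malicious"
        set dstaddr "Prod_Servers"
        set groups "SSLVPN_Users"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Ordinary allow policy for VPN users whose endpoint carries no malicious tag.
    edit 11
        set name "VPN-Allow-Prod"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Prod_Servers"
        set groups "SSLVPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

If the deny policy is created after the allow policy, reorder it with `move 10 before 11` inside `config firewall policy`. After a tag is assigned in EMS, `diagnose firewall dynamic list` on the FortiGate should list the affected endpoint's IP under the tag address; if the IP is missing there, the connector sync, not the policy, is what needs attention. Logging is enabled on the deny policy so that blocked sessions from tagged endpoints appear in the traffic log.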

 

Scenario 2:

  • A ZTNA server is configured on the FortiGate which allows corporate users to access the File Server in the Prod network.

[Screenshot: Capture7.PNG]

  • On FortiClient, a ZTNA destination rule is configured as below:

[Screenshot: Capture9.PNG]

 

  • The logs below show that the user is able to successfully access the File Share over ZTNA.

[Screenshot: Capture10.PNG]

  • Malicious activity is detected on the same endpoint by FortiEDR.
  • The FortiEDR_Malicious classification tag is assigned to the endpoint.

[Screenshot: Capture11.PNG]

  • The user on the affected endpoint can no longer access the File Share.

[Screenshot: Capture12.PNG]

 

If there are still any issues with the integration, open a new technical support ticket for further assistance:

Fortinet Support