FortiGate
jvaishnav
Staff
Description
This article describes the EMS connector setup.

Solution
The following examples presume the EMS certificate has already been configured.

To configure an on-premise FortiClient EMS server to the Security Fabric from the GUI:

- Go to Security Fabric -> Fabric Connectors.

- Select 'Create New' and select FortiClient EMS.

- For type, select 'FortiClient EMS'.

- Enter a name and IP address.

- Select 'OK'.


A window appears to verify the EMS server certificate:




Select 'Accept'.

The FortiClient EMS status section displays a successful connection and an authorized certificate.




To configure a FortiClient EMS Cloud server to the Security Fabric in the GUI:

- Go to Security Fabric -> Fabric Connectors.

- Select 'Create New' and select 'FortiClient EMS'.

- For Type, select 'FortiClient EMS Cloud'.

- Enter a name.

- Select 'OK'.





 
A window appears to verify the EMS server certificate.

Select 'Accept'.

The FortiClient EMS Status section displays a successful connection and an authorized certificate.

To configure an on-premise FortiClient EMS server to the Security Fabric from the CLI:

# config endpoint-control fctems
    edit "ems138"
        set server "172.16.200.138"
        set certificate "REMOTE_Cert_1"
    next
end

To configure a FortiClient EMS Cloud server to the Security Fabric from the CLI:

# config endpoint-control fctems
    edit "Cloud_EMS"
        set fortinetone-cloud-authentication enable
        set certificate "REMOTE_Cert_1"
    next
end

To verify an EMS certificate in the CLI:

# execute fctems verify ems137

        Subject:     C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = xxxx@xxxxxxxx.xxx
        Issuer:      CN = 155-sub1.fortinet.com
        Valid from:  2017-12-05 00:37:57  GMT
        Valid to:    2027-12-02 18:08:13  GMT
        Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
        Root CA:     No
        Version:     3
        Serial Num:
                01:86:a2
        Extensions:
                Name:     X509v3 Basic Constraints
                Critical: yes
                Content:
                CA:FALSE

                Name:     X509v3 Subject Key Identifier
                Critical: no
                Content:
                35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4

                Name:     X509v3 Authority Key Identifier
                Critical: no
                Content:
                keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1
                DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/emailAddress=xyguo@fortinet.com
                serial:01:86:A4


                Name:     X509v3 Subject Alternative Name
                Critical: no
                Content:
                DNS:sys169.qa.fortinet.cm

                Name:     X509v3 Key Usage
                Critical: no
                Content:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only

                Name:     X509v3 Extended Key Usage
                Critical: no
                Content:
                TLS Web Server Authentication, TLS Web Client Authentication
EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
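
Before answering 'y' at the prompt above, the displayed certificate can be compared against values obtained independently (for example, the fingerprint read directly on the EMS server). The Python sketch below is an added example, not part of the original article or of any Fortinet tool; the function names and the expected hostname and fingerprint arguments are assumptions, and the sample text is a trimmed copy of the output shown above.

```python
import re
from datetime import datetime, timezone

# Trimmed copy of the 'execute fctems verify' output shown in this article.
SAMPLE = """\
        Subject:     C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm
        Valid from:  2017-12-05 00:37:57  GMT
        Valid to:    2027-12-02 18:08:13  GMT
        Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
                Name:     X509v3 Subject Alternative Name
                Content:
                DNS:sys169.qa.fortinet.cm
                Name:     X509v3 Extended Key Usage
                Content:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

def parse_verify_output(text):
    """Extract the fields worth comparing before answering 'y'."""
    def field(label):
        m = re.search(rf"^\s*{label}:[ \t]*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""
    def when(label):
        stamp = field(label).replace("GMT", "").strip()
        return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    cn = re.search(r"CN = ([^,]+)", field("Subject"))
    return {
        "names": re.findall(r"DNS:([^\s,]+)", text) + ([cn.group(1).strip()] if cn else []),
        "not_before": when("Valid from"),
        "not_after": when("Valid to"),
        "fingerprint": field("Fingerprint").upper(),
        "server_auth": "TLS Web Server Authentication" in text,
    }

def review(text, expected_host, expected_fingerprint, now=None):
    """Return reasons to answer 'n'; an empty list means every check passed."""
    cert = parse_verify_output(text)
    now = now or datetime.now(timezone.utc)
    problems = []
    if cert["fingerprint"] != expected_fingerprint.upper():
        problems.append("fingerprint differs from the one read on the EMS server")
    if expected_host.lower() not in [n.lower() for n in cert["names"]]:
        problems.append("certificate does not name " + expected_host)
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is outside its validity period")
    if not cert["server_auth"]:
        problems.append("no TLS Web Server Authentication extended key usage")
    return problems
```

Paste the text printed by the verify command into `review()` together with the hostname and fingerprint recorded on the EMS side; any returned reason means the prompt should be answered 'n' until the difference is explained.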

In case of a certificate error:

Use the '# execute fctems verify <Name>' command to download the correct remote CA certificate from the EMS cloud. Before running the command, unset the incorrect certificate as shown below; otherwise a mismatch error will appear and the incorrect certificate will not be replaced with the correct one.

# config endpoint-control fctems
    edit "Cloud_EMS"
        unset certificate
    next
end
