FortiGate
AnthonyH
Staff
Article Id 383272
Description This article describes how to deploy the FortiClient EMS KVM image on EVE-ng and connect it to the FortiGate.
Scope FortiGate, FortiClient EMS.
Solution

Pre-Requisites:

 

  1. Download FortiClient EMS KVM images from https://support.fortinet.com -> Support -> Firmware Download -> select 'FortiClientEMS' as the product -> Download -> v7.00 -> v7.4 -> v7.4.1 -> forticlientems_vm.7.4.1.1872.qcow2.zip.
  2. Utilize WinSCP to create a new folder under /opt/unetlab/addons/qemu/ and upload the zip file. The folder's naming format should follow 'fortinet-'. In the example, fortinet-FCEMS-v7_4_1 is used and 'forticlientems_vm.7.4.1.1872.qcow2' was uploaded to the folder.

 

forticlient-ems-directory.png

 

  3. Using the VMware console, cd into the folder, rename the file to virtioa.qcow2, and fix the permissions using the following commands:

root@eve-ng: cd /opt/unetlab/addons/qemu/fortinet-FCEMS-v7_4_1
root@eve-ng:/opt/unetlab/addons/qemu/fortinet-FCEMS-v7_4_1# mv forticlientems_vm.7.4.1.1872.qcow2 virtioa.qcow2
root@eve-ng:/opt/unetlab/addons/qemu/fortinet-FCEMS-v7_4_1# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
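
The upload, rename and fixpermissions steps above as one script that first checks the downloaded archive against a published checksum and confirms the extracted file really is a qcow2 image. This is an added example, not part of the original article or of Fortinet's tooling. It assumes `unzip` and `sha256sum`/`sha512sum` exist on the EVE-ng host and that the expected digest is supplied by the operator; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example: verify and stage the EMS image before EVE-ng uses it.
set -eu

NODE_DIR=/opt/unetlab/addons/qemu/fortinet-FCEMS-v7_4_1   # folder from the article

# digest_ok FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 unsupported digest length.
# The tool is chosen from the digest length: 64 hex = SHA-256, 128 hex = SHA-512.
digest_ok() {
  d_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case ${#d_want} in
    64)  d_tool=sha256sum ;;
    128) d_tool=sha512sum ;;
    *)   return 2 ;;
  esac
  d_got=$("$d_tool" < "$1" | cut -d' ' -f1)
  [ "$d_got" = "$d_want" ]
}

# is_qcow2 FILE -> 0 if the file starts with the qcow2 magic bytes 'Q' 'F' 'I' 0xfb.
is_qcow2() {
  [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "514649fb" ]
}

# stage_image ZIP EXPECTED_HEX DIR: check, extract, validate, rename to virtioa.qcow2.
stage_image() {
  digest_ok "$1" "$2" || { echo "checksum check failed for $1" >&2; return 1; }
  mkdir -p "$3"
  unzip -o -q "$1" -d "$3"
  for s_img in "$3"/forticlientems_vm.*.qcow2; do break; done
  [ -f "$s_img" ] || { echo "no EMS qcow2 found in $1" >&2; return 1; }
  is_qcow2 "$s_img" || { echo "$s_img is not a qcow2 image" >&2; return 1; }
  mv "$s_img" "$3/virtioa.qcow2"
}

# Usage: sh stage_ems.sh <zip> <expected_digest>   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
  stage_image "$1" "$2" "$NODE_DIR"
  /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
fi
```

A failed digest or magic-byte check stops the script before anything is renamed, so a truncated or substituted download never becomes the node's virtioa.qcow2.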

 

  4. Deploy FortiClient EMS to the EVE-NG lab as follows:

 

EVE-NG-FCEMS.png

 

 

  5. Once the node has been added, 'start' the node and wait for the device to load. The credentials to log into EMS will be 'ems' for the username and 'ems' for the password.
  6. Once connected to the EMS server, configure the FortiClient EMS Interface using the following commands:

 

sudo nano /etc/netplan/01-netcfg.yaml

 

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses:
        # CIDR notation, for example 10.0.1.150/24
        - <interface_ip>/<subnetmask>
      gateway4: <gateway>
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

 

In the example below, the YAML file has been configured so that interface 'enp0s3' (10.0.1.150) connects to the FortiGate (10.0.1.254) and 'enp0s4' (192.168.1.100) connects to the FortiClient EMS Web UI for management:

 

YAML-File-01.png

 


Save the configuration and apply the changes using:

 

sudo netplan apply

 

Verify the changes. The interfaces ens3 and ens4 have been configured with the appropriate addressing to manage EMS and connect it to the FortiGate:

 

ip addr show

 

ems@fcems-server:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 50:00:00:05:00:00 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.1.150/24 brd 10.0.1.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::5200:ff:fe05:0/64 scope link
       valid_lft forever preferred_lft forever
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 50:00:00:05:00:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    inet 192.168.19.100/24 brd 192.168.19.255 scope global ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::5200:ff:fe05:1/64 scope link
       valid_lft forever preferred_lft forever
ems@fcems-server:~$

 

With these changes, verify that FortiClient EMS can reach the FortiGate:

ems@fcems-server:~$ ping 10.0.1.254
PING 10.0.1.254 (10.0.1.254) 56(84) bytes of data.
64 bytes from 10.0.1.254: icmp_seq=1 ttl=255 time=1.37 ms
64 bytes from 10.0.1.254: icmp_seq=2 ttl=255 time=1.90 ms

 

  7. On the FortiGate, navigate to Security Fabric -> Fabric Connectors -> FortiClient EMS, fill in the required information, and authorize the FortiClient EMS certificate by selecting 'Authorize':

 

FortiGate-FortiClientEMS-Fabric-Connectors.png

 

  8. Connect to the FortiClient EMS Server and authorize the FortiGate. In this example, the EMS server can be accessed at https://192.168.19.100

 

In FortiClient EMS, navigate to Fabric & Connectors -> Fabric Devices -> Standalone devices -> Authorize:

 

Authorize-FortiGate-FCEMS.png

 

Verify the Status on FortiGate:

 

FortiGate-FortiClientEMS-Connected.png