FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article serves as a troubleshooting guideline when trying to connect FortiGate to SEPM for Dynamic Addresses.
On FortiGate versions prior to 7.0.0, the SEPM can use a self-signed certificate to connect with FortiGate.
On FortiGate version 7.0.5, FortiGate performs certificate validation and requires the SEPM certificate to be signed by a CA.
To configure the Symantec endpoint connector on FortiGate in the CLI:
1) Create the fabric connector:
# config system sdn-connector
    edit "sepm-217"
        set type sepm
        set server "SEPM_IP_x.x.x.x"
        set username "admin"
        set password *********
        set status enable
    next
end
2) Create the dynamic IP address:
# config firewall address
    edit "sepm-ip"
        set type dynamic
        set sdn "sepm-217"
        set filter "ComputerName=win10-1"
        config list
            edit "10.1.100.187"
            next
            edit "10.6.30.187"
            next
            edit "172.16.200.187"
            next
        end
    next
end
3) Add the dynamic IP address to the firewall policy:
# config firewall policy
    edit 1
        set name "pol1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "sepm-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
To gather data and troubleshoot SEPM connectivity, capture the traffic to the SEPM port and collect the connector configuration and sepmd debug output:
# diag sniffer packet any "port 8446" 4
# config system sdn-connector
    sh full
end
# diagnose test application sepmd 1
# diagnose test application sepmd 2
# diag debug console timestamp enable
# diagnose debug application sepmd -1
# diag debug enable
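As an added illustration, not part of the original article or of any Fortinet tool, the Python script below triages the output of the sniffer command above. It assumes the verbose-4 header format shown in its comment (an approximation of what the sniffer prints), and the sample capture embedded in it is constructed, with made-up addresses, to show two outcomes at once: a SEPM server that never answers the SYN, and one that completes the TCP handshake but closes the session after a couple of data packets, the pattern seen when the TLS handshake fails (for example because FortiGate cannot validate the SEPM certificate).

```python
import re
from collections import defaultdict

# Assumed header format of 'diagnose sniffer packet any "port 8446" 4' output
# (approximation; the interfaces=/filters= banner and hex dump lines are skipped):
#   <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags, seq/ack numbers>
HEADER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
TCP_FLAGS = ("syn", "ack", "fin", "rst", "psh")
SEPM_PORT = 8446

# Diagnostic hint per verdict, written for the person reading the capture.
NEXT_STEP = {
    "no-response": "SYN retransmitted with no SYN/ACK: check routing, the server IP in the "
                   "connector, and any filtering between FortiGate and the SEPM.",
    "refused": "SEPM answered with RST: the host is reachable but nothing listens on the port; "
               "confirm the SEPM service and port.",
    "established-then-closed": "TCP completed but the session closed after little data: typical "
                               "of a TLS failure such as a SEPM certificate FortiGate cannot "
                               "validate; confirm with 'diagnose debug application sepmd -1'.",
    "established": "TCP session carried data and stayed open; look at the sepmd debug output "
                   "for API-level errors.",
}

# Constructed sample capture (addresses are made up for this example).
SAMPLE = """interfaces=[any]
filters=[port 8446]
1.000001 port1 out 10.1.100.1.50000 -> 10.1.100.217.8446: syn 100
2.000002 port1 out 10.1.100.1.50000 -> 10.1.100.217.8446: syn 100
4.000003 port1 out 10.1.100.1.50000 -> 10.1.100.217.8446: syn 100
5.000001 port2 out 10.6.30.1.50001 -> 10.6.30.217.8446: syn 200
5.000500 port2 in 10.6.30.217.8446 -> 10.6.30.1.50001: syn 300 ack 201
5.000600 port2 out 10.6.30.1.50001 -> 10.6.30.217.8446: ack 301
5.001000 port2 out 10.6.30.1.50001 -> 10.6.30.217.8446: psh 201 ack 301
5.002000 port2 in 10.6.30.217.8446 -> 10.6.30.1.50001: psh 301 ack 400
5.002100 port2 in 10.6.30.217.8446 -> 10.6.30.1.50001: fin 450 ack 400
5.002200 port2 out 10.6.30.1.50001 -> 10.6.30.217.8446: fin 400 ack 451
"""


def parse_sniffer(text):
    """Return one dict per packet header line; flags are the TCP flag words printed."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        words = set(pkt["rest"].lower().split())
        pkt["flags"] = {f for f in TCP_FLAGS if f in words}
        packets.append(pkt)
    return packets


def classify(packets, sepm_port=SEPM_PORT):
    """Group packets by SEPM server address and return a verdict per server."""
    by_server = defaultdict(list)
    for p in packets:
        if int(p["dport"]) == sepm_port:
            by_server[p["dst"]].append(p)
        elif int(p["sport"]) == sepm_port:
            by_server[p["src"]].append(p)

    results = {}
    for server, pkts in by_server.items():
        to_srv = [p for p in pkts if p["dst"] == server]
        from_srv = [p for p in pkts if p["src"] == server]
        syn_retries = sum(1 for p in to_srv if p["flags"] == {"syn"})
        synack = any({"syn", "ack"} <= p["flags"] for p in from_srv)
        rst_from_srv = any("rst" in p["flags"] for p in from_srv)
        closed = any(p["flags"] & {"fin", "rst"} for p in pkts)
        data_pkts = sum(1 for p in pkts if "psh" in p["flags"])

        if not synack and rst_from_srv:
            verdict = "refused"
        elif not synack:
            verdict = "no-response"
        elif closed and data_pkts <= 3:
            verdict = "established-then-closed"
        else:
            verdict = "established"
        results[server] = {"verdict": verdict, "syn_retries": syn_retries,
                           "data_pkts": data_pkts, "next_step": NEXT_STEP[verdict]}
    return results


if __name__ == "__main__":
    for server, r in classify(parse_sniffer(SAMPLE)).items():
        print(f"{server}: {r['verdict']} (SYNs sent={r['syn_retries']}, data packets={r['data_pkts']})")
        print("  next step:", r["next_step"])
```

Paste a real capture into SAMPLE (or read it from a file) and run the script; the verdict only narrows the search, so pair an "established-then-closed" result with the sepmd debug output above before concluding it is a certificate problem.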
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.