This article explains the circumstances under which an endpoint appears under matched endpoints or resolved IP addresses, using several scenarios as examples.
Scope: FortiGate.
Prerequisites:
On FortiGate, the CLI command equivalent to the 'View Matched Endpoints' option in the GUI is 'diagnose endpoint record list'.
Similarly, the command equivalent to the 'View Resolved IP Addresses' option in the GUI is 'diagnose firewall dynamic list'.
From v7.4.2, 'diagnose endpoint record list' has been replaced by 'diagnose endpoint ec-shm list'.
Considering that FortiClient Endpoint Sharing in EMS is set to 'Only share FortiClients connected to this fabric device' by default, the following are a few example topologies in which an endpoint is displayed under both 'View Matched Endpoints' and 'View Resolved Addresses' on a particular FortiGate. See 'Fabric devices' in the FortiClient EMS administration guide.
Example 1:
An endpoint is connected behind an L2 switch and the default gateway for that endpoint is the FortiGate's interface IP.
For this example, the endpoint is displayed under both View Matched Endpoints (diagnose endpoint record list) and View Resolved Addresses (diagnose firewall dynamic list).
Example 2:
An endpoint is connected to the FortiGate via SSL VPN.
For this example, the endpoint is displayed under both View Matched Endpoints (diagnose endpoint record list) and View Resolved Addresses (diagnose firewall dynamic list).
To summarize, an endpoint is listed in View Matched Endpoints (diagnose endpoint record list) on a particular FortiGate only when the endpoint's gateway IP belongs to that FortiGate or when the endpoint is connected to that FortiGate via SSL VPN.
Below is another example where an endpoint would be displayed only under 'View Resolved Addresses' on the FortiGate:
Example 3:
An endpoint is connected behind an L3 switch or router, so the endpoint's default gateway is not the FortiGate on which the endpoint information is being checked.
When FortiClient EMS is configured with FortiClient Endpoint Sharing set to 'Share all FortiClients,' the FortiGate in this example will receive endpoint information even if the endpoint does not have this FortiGate as its default gateway.
This endpoint information is ONLY available under 'View Resolved Addresses' (using the command diagnose firewall dynamic list).
Example 4:
An endpoint is connected to a downstream FortiGate in the Security Fabric that is different from the FortiGate on which the endpoint information is being checked.
In this case, the downstream FortiGate will have the endpoint information in 'View Matched Endpoints' and 'View Resolved Addresses'. However, the root FortiGate will only have the endpoint information under 'View Resolved Addresses'.
On the root FortiGate:
Additionally, suppose the EMS is not configured with FortiClient Endpoint Sharing set to 'Share all FortiClients' or 'Share FortiClients connected to selected fabric devices'. In that case, the root FortiGate may not have the endpoint information in either 'View Matched Endpoints' or 'View Resolved Addresses'.
To summarize, when the endpoint’s gateway is not the FortiGate where the endpoint information is being checked, the appearance of endpoint information in the 'View Resolved Addresses' on that FortiGate depends on the 'FortiClient Endpoint Sharing' configuration in the EMS.
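As an added example (this is not Fortinet's code and does not appear in the original article), the rules from Examples 1 to 4 and the two summaries can be collected into a small Python triage helper that, for a given topology and EMS sharing mode, predicts which of the two views should list the endpoint and which CLI command to run for the firmware version in hand. The handling of 'Share FortiClients connected to selected fabric devices' (the FortiGate being checked must itself be one of the selected devices) is an assumption, since the article only says the endpoint 'may not' appear in either view otherwise.

```python
"""Added troubleshooting helper: predict where an endpoint should be visible on a FortiGate.

Encodes the visibility rules described in the scenarios above so that an observed
result can be compared against the expected one.
"""
from dataclasses import dataclass

# EMS 'FortiClient Endpoint Sharing' modes named in the article.
SHARE_THIS_DEVICE = "Only share FortiClients connected to this fabric device"  # default
SHARE_SELECTED = "Share FortiClients connected to selected fabric devices"
SHARE_ALL = "Share all FortiClients"


@dataclass
class Scenario:
    # The endpoint's default gateway is an interface IP of the FortiGate being checked
    gateway_is_this_fortigate: bool
    # The endpoint is connected via SSL VPN to the FortiGate being checked
    ssl_vpn_to_this_fortigate: bool
    sharing_mode: str = SHARE_THIS_DEVICE
    # Assumption: only meaningful for SHARE_SELECTED; True if the FortiGate being
    # checked is one of the selected fabric devices in EMS
    this_fortigate_selected: bool = False


def expected_views(s: Scenario) -> set:
    """Return the set of views ('matched', 'resolved') that should list the endpoint."""
    # Examples 1 and 2: the FortiGate is the gateway or the SSL VPN terminator,
    # so the endpoint appears in both views.
    if s.gateway_is_this_fortigate or s.ssl_vpn_to_this_fortigate:
        return {"matched", "resolved"}
    # Examples 3 and 4: not the gateway, so View Matched Endpoints never lists it;
    # View Resolved Addresses depends on the EMS sharing configuration.
    if s.sharing_mode == SHARE_ALL:
        return {"resolved"}
    if s.sharing_mode == SHARE_SELECTED and s.this_fortigate_selected:
        return {"resolved"}  # assumption, see the dataclass comment above
    return set()


def matched_endpoints_command(version: str) -> str:
    """CLI equivalent of 'View Matched Endpoints' for a given FortiOS version string."""
    parsed = tuple(int(p) for p in version.lstrip("v").split("."))
    if parsed >= (7, 4, 2):
        return "diagnose endpoint ec-shm list"
    return "diagnose endpoint record list"


def commands_to_run(s: Scenario, version: str) -> dict:
    """Map each expected view to the diagnose command that should show the endpoint."""
    cli = {
        "matched": matched_endpoints_command(version),
        "resolved": "diagnose firewall dynamic list",
    }
    return {view: cli[view] for view in sorted(expected_views(s))}


if __name__ == "__main__":
    # Constructed scenario: Example 4 seen from the root FortiGate with default sharing.
    root_default = Scenario(gateway_is_this_fortigate=False,
                            ssl_vpn_to_this_fortigate=False)
    print("root, default sharing:", commands_to_run(root_default, "7.4.3"))
    root_share_all = Scenario(False, False, SHARE_ALL)
    print("root, share all:", commands_to_run(root_share_all, "7.4.3"))
```

If the helper predicts both views but only 'View Resolved Addresses' shows the endpoint, the gateway or SSL VPN assumption about this FortiGate is wrong; if it predicts neither and the endpoint is missing, the EMS sharing mode is the setting to revisit.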
Copyright 2025 Fortinet, Inc. All Rights Reserved.