FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 290350
Description

This article describes the configuration steps and some troubleshooting commands used when integrating FortiClient EMS with FortiNAC as a Service Connector.

Scope

FortiNAC and FortiClient EMS.

Solution

Create the key store (.keystore) in the user path (/home/admin) and import the root CA certificate that issued the EMS certificate.

Copy the CA certificate to FortiNAC, then import it into the keystore:

fortinac:~$ pwd
/home/admin

fortinac:~$ scp admin@www.eb.eu:/ca.eb.eu.crt .
admin@www.eb.eu's password:
ca.eb.eu.crt    100%    1667    137.6KB/s    00:00

fortinac:~$ keytool -import -trustcacerts -alias ca.eb.eu -file ca.eb.eu.crt -keystore .keystore
Enter keystore password:^8Bradford%23
Re-enter new password:
Owner: EMAILADDRESS=xxx@fortinet.com, CN=ca.eb.eu, OU=FNAC, O=Fortinet, L=Frankfurt, ST=Hesse, C=DE
Issuer: EMAILADDRESS=xxx@fortinet.com, CN=ca.eb.eu, OU=FNAC, O=Fortinet, L=Frankfurt, ST=Hesse, C=DE
Serial number: 462c802a7529521a
Valid from: Wed Jun 08 18:00:47 CEST 2022 until: Sat Jun 05 18:00:47 CEST 2032

....

Trust this certificate? [no]: yes
Certificate was added to keystore

To view the certificate, navigate to the /home/admin directory and type the following:

fortinac:~$ keytool -list -v -keystore .keystore
Enter keystore password:^8Bradford%23
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ca.eb.eu
Creation date: Dec 21, 2023
Entry type: trustedCertEntry

Add the EMS from the GUI under Service Connectors:

[Screenshot: adding EMS under Service Connectors]

Test the connection:

[Screenshot: test connection result in the FortiNAC 7.2 GUI]

After testing the connection, the logs show that the EMS certificate has been imported into FortiNAC:

yams INFO :: 2023-12-21 10:36:27:643 :: #533 ::
Adding certificate

yams INFO :: 2023-12-21 10:36:27:643 :: #533 ::
Alias 9f6dc3e0-ed40-41c3-9834-d4f495862b57

yams INFO :: 2023-12-21 10:36:27:643 :: #533 ::
Printing certificate

yams INFO :: 2023-12-21 10:36:27:644 :: #533 :: Valid From Mon Aug 28 16:31:48 CEST 2023
yams INFO :: 2023-12-21 10:36:27:644 :: #533 :: Valid To Fri Feb 13 15:31:48 CET 2026
yams INFO :: 2023-12-21 10:36:27:644 :: #533 :: Subject CN=ems.eb.eu, OU=FNAC, O=Fortinet, L=Frankfurt, ST=HESSE, C=DE
yams INFO :: 2023-12-21 10:36:27:644 :: #533 :: Issuer EMAILADDRESS=xxx@fortinet.com, CN=ca.eb.eu, OU=FNAC, O=Fortinet, L=Frankfurt, ST=Hesse, C=DE

The test is successful.

To follow the test connection in the logs, enable the following debugs and tail the log:

diagnose debug plugin enable FortinetEMSServer
diagnose debug plugin enable MdmManager

diagnose tail output.master -F

Test connection:

yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:563 :: #487 :: message = Login successful.
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:563 :: #487 :: FortinetEMSServer:lightWeightTesst - url = https://ems.eb.eu:4000/api/v1/system/version
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:602 :: #487 :: cookie-name = sessionid
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:602 :: #487 :: cookie-value = .......
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:602 :: #487 :: cookie-name = csrftoken
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:12:602 :: #487 :: cookie-value = bJJPm4Q70tPaXyHhfJMBS9WNlphUdPGO
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:13:035 :: #487 :: output = {"result": {"retval": 1, "message": "System serial number retrieved successfully."}, "data": "7.2.1.0793"}
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:13:035 :: #487 :: message = System serial number retrieved successfully.
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:13:035 :: #487 :: version = 7.2
yams.FortinetEMSServer FINER :: 2023-12-21 10:51:13:036 :: #487 :: testConnection() retval = SUCCESS

The polling output in the logs:

yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:320 :: #482 :: output = {"result": {"retval": 1, "message": null}, "data": {"uid_offset": "FAF4CC424EA3489199C78D46891ECB45", "updated_after": "2023-12-23 02:07:29.8832064", "is_final": true, "data":.........=", "is_zipped": true, "unzipped_size": 1108}}
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:320 :: #482 :: FortinetEMSServer:getEndpointArray - start
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:321 :: #482 :: message = null
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:321 :: #482 :: endpointsJson = {"FAF4CC424EA3489199C78D46891ECB45":{"client_cert_sn":"E885F10BB4498239DF9001EBE8F89823AF88511F","fct_ver":[7,0,9],"is_registered":true,"public_ip":"x.x.x.x","memory":"4095","fct_build_no":493,"user_name":"gimi","host_manufacturer":"QEMU","av_sig_ver":[0,0],"quarantined":false,"indirectly_connected":false,"mac":"00-aa-bb-6c-23-01","onnet":true,"hostname":"win10-ffm","user_info":{"user_email":"gimi@eb.eu","service":"OS","user_ext_name":"gimi"},"vuln_stats":{"high":16,"critical":8,"low":3,"scan_time":"2023-12-14 15:26:44.000","medium":14,"info":0},"vuln_scan_running":false,"vul_eng_ver":[2,32],"forticlient_id":1,"host_model":"Standard PC (i440FX + PIIX, 1996)","feature_vs":"installed","os_ver":"Microsoft Windows 10 Professional Edition, 64-bit (build 19045)","group_name":"ExtDomain","feature_vpn":"installed","ip":"10.1.3.11","av_running":false,"av_eng_ver":[0,0],"cpu":"Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz","sysinfo_update_time":"2023-12-23 02:07:29.8832064","app_sig_ver":[26,702],"fct_sn":"FCT8002521111111","domain":"eb.eu","os_type":"WIN64","online":true,"feature_fw":"installed"}}
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:322 :: #482 :: found endpoint : EMSEndpoint:
device_id = 1
host = win10-ffm
ip_addr = 10.1.3.11
mac_addr = 00-aa-bb-6c-23-01
os_version = Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
last_seen = 0
is_quarantined = false
registered = true
is_excluded = false
username = gimi
email = null
mac_list = null
vuln_stats = {"high":16,"critical":8,"low":3,"scan_time":"2023-12-14 15:26:44.000","medium":14,"info":0}
vuln_scan_status = null

The logs continue with host registration in FortiNAC:

yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:564 :: #482 :: getHostFromManagedDevice - start for MDM Device : FortiClient EMS and Managed Device : 00-aa-bb-6c-23-01
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:565 :: #482 :: isValidMAC(00:AA:BB:6C:23:01) retval = true
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:567 :: #482 :: isCompliant checking vuln_stats for high or critical vulnerabilities {"high":16,"critical":8,"low":3,"scan_time":"2023-12-14 15:26:44.000","medium":14,"info":0}
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:567 :: #482 :: isCompliant found high value of 16, returning false

yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:859 :: #482 :: getHostFromManagedDevice - returning host : gimi 00:AA:BB:6C:23:01

Now verify in FortiNAC that, after a successful poll of the MDM server, the host is registered and marked as managed by MDM:

[Screenshot: host view in FortiNAC]

The host can also be checked in FortiEMS under Endpoints:

[Screenshot: host in the EMS Endpoints view]

The logs in FortiEMS can be checked under Administration -> Log Viewer after increasing the log level to Debug in System Settings -> Log Settings.

[Screenshot: EMS endpoint log entries]

Note:

  • This FortiClient EMS integration guidance covers configuring FortiNAC to manage devices registered with an on-premise FortiClient Endpoint Management Server (EMS). At this time, EMS Cloud is not supported.
  • FortiNAC checks the host's vulnerability status from FortiEMS. If the host has a high or critical vulnerability, the host is marked as MDM non-compliant; if it has no high or critical vulnerability, the host is marked as MDM compliant.
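
The compliance decision shown in the isCompliant log lines of the polling output and stated in the note above, together with the MAC normalization seen in the isValidMAC line, as an added Python example (this is not FortiNAC code): it pulls the endpointsJson out of the FortinetEMSServer debug log and reproduces the per-host decision, so a captured poll can be checked offline when a host unexpectedly shows as non-compliant. The log lines are constructed for the example, the regular expression for the endpointsJson line is an assumption based on the format shown in this article, and treating a missing vuln_stats as non-compliant is the example's own fail-closed choice, not documented FortiNAC behaviour.

```python
import json
import re

# Constructed sample of the "yams.FortinetEMSServer" debug output shown in the
# article (EMS polling). Not real log data; the endpoint JSON keeps only the
# fields that matter for the decisions below. Three endpoints: one with high and
# critical findings, one clean, one with an unusable MAC and no scan data.
SAMPLE_LOG = """\
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:320 :: #482 :: FortinetEMSServer:getEndpointArray - start
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:321 :: #482 :: endpointsJson = {"FAF4CC424EA3489199C78D46891ECB45":{"is_registered":true,"mac":"00-aa-bb-6c-23-01","hostname":"win10-ffm","ip":"10.1.3.11","user_name":"gimi","vuln_stats":{"high":16,"critical":8,"low":3,"scan_time":"2023-12-14 15:26:44.000","medium":14,"info":0}},"0123456789ABCDEF0123456789ABCDEF":{"is_registered":true,"mac":"00-aa-bb-6c-23-02","hostname":"win10-clean","ip":"10.1.3.12","user_name":"alice","vuln_stats":{"high":0,"critical":0,"low":5,"scan_time":"2023-12-14 15:30:00.000","medium":2,"info":1}},"FEDCBA9876543210FEDCBA9876543210":{"is_registered":false,"mac":"zz-00-00-00-00-00","hostname":"bad-mac","ip":"10.1.3.13","user_name":"bob","vuln_stats":null}}
yams.FortinetEMSServer FINER :: 2023-12-23 12:31:57:322 :: #482 :: found endpoint : EMSEndpoint:
"""

# Assumption: the endpoint map is the JSON object after "endpointsJson = " on a
# single log line, as in the article's output.
ENDPOINTS_RE = re.compile(r":: endpointsJson = (\{.*\})\s*$")
# Canonical MAC form as FortiNAC prints it in isValidMAC(): 00:AA:BB:6C:23:01
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def extract_endpoints(log_text):
    """Return the dict of EMS endpoints keyed by EMS UID from the debug log."""
    for line in log_text.splitlines():
        m = ENDPOINTS_RE.search(line)
        if m:
            return json.loads(m.group(1))
    return {}


def normalize_mac(mac):
    """EMS sends 00-aa-bb-6c-23-01; FortiNAC logs 00:AA:BB:6C:23:01.
    Returns the canonical form, or None when the value is not a valid MAC."""
    if not isinstance(mac, str):
        return None
    candidate = mac.strip().upper().replace("-", ":")
    return candidate if MAC_RE.match(candidate) else None


def is_compliant(vuln_stats):
    """Rule from the note: any high or critical vulnerability -> MDM non-compliant.
    Missing or malformed stats are treated as non-compliant (example's own
    fail-closed assumption, not documented FortiNAC behaviour)."""
    if not isinstance(vuln_stats, dict):
        return False
    return vuln_stats.get("high", 0) == 0 and vuln_stats.get("critical", 0) == 0


def summarize(log_text):
    """Per-endpoint view an administrator would want while troubleshooting a poll."""
    results = {}
    for uid, ep in extract_endpoints(log_text).items():
        mac = normalize_mac(ep.get("mac"))
        results[uid] = {
            "host": ep.get("hostname"),
            "mac": mac,
            "valid_mac": mac is not None,
            "registered": bool(ep.get("is_registered")),
            "mdm_compliant": is_compliant(ep.get("vuln_stats")),
        }
    return results


def non_compliant_hosts(log_text):
    """Hostnames this poll would leave marked MDM non-compliant, sorted."""
    return sorted(r["host"] for r in summarize(log_text).values() if not r["mdm_compliant"])


if __name__ == "__main__":
    for uid, r in summarize(SAMPLE_LOG).items():
        print(uid, r)
    print("non-compliant:", non_compliant_hosts(SAMPLE_LOG))
```

To use it against a real capture, save the output of diagnose tail output.master -F to a file and pass its contents to summarize(); the high/critical counts and scan_time in vuln_stats are the values to compare with what the EMS Endpoints view reports for the same host.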
Related documents: