Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
muhammadsaad
Contributor

Assistance Required with EMS Tag and Firewall policy

Hi Team,
We have integrated the FortiGate firewall with FortiClient EMS and are currently in the process of applying posture checks, specifically focusing on enforcing Antivirus (AV) software compliance on vendor laptops.

The tags created within FortiClient EMS are being correctly pushed to both the FortiGate firewall and the FortiClient. These tags have been referenced in a firewall policy associated with remote VPN access. However, we are encountering an issue: when the VPN connection is established and the EMS tag is active, the destination resources become unreachable, despite the antivirus being installed and running properly on the vendor's workgroup laptop.

We are testing with an Azure IdP user and have created a separate user for the vendor.

Conversely, when the EMS tag is not applied, the destinations are reachable without any issues.

Could you please advise what might be causing this behavior and suggest possible steps to resolve it?

Thank you for your support.

FortiDor

Hi,

Here is the documentation to set up the registry tag in FortiClient EMS:

[screenshot]

You can find the installation source of your FortiClient directly in your EMS and not only in the support portal.

Once the tag is evaluated by the EMS, the IP range used by your FortiClient is shared with the FortiGate and the traffic policy allows the traffic through to the destination.

You need to check that everything is connected between your FortiClient EMS and your FortiGate through the Security Fabric for this to work.

muhammadsaad
Contributor

Hi @FortiDor
The connectivity between FortiGate, FortiClient and EMS is working fine, as we have created remote access VPN policies on the EMS that are getting pushed, and the VPN is getting connected.

As for the regedit tag, it is related to a specific browser, whereas my ultimate goal is to apply the AV software feature to all types of Windows-based laptop devices.

Below is the EMS tag created:

[screenshot: EMS-AV]

muhammadsaad

Anyone can guide?

FortiDor

Seems good to me @muhammadsaad

What's the issue with the AV tag for the Windows devices?

I don't understand your request.

muhammadsaad

I called this tag in the firewall policy and the destination becomes unreachable; similarly, without this tag the destinations are reachable. We have a 3rd-party Symantec Antivirus (AV) that is installed and running.

So I fail to understand why the destinations are not reachable when we call this tag in the firewall policy.

FortiDor

Understood, so you need to check if you see the AV tag on your endpoint, meaning the FCT installed on your Windows device.

And please share the firewall policy used, to better understand.

If the tag is not evaluated correctly, that explains why the destination is unreachable, meaning the traffic is not allowed by the firewall policy.

muhammadsaad

FortiClient is installed on the Windows device and the tag is also visible on it.

Without this tag, the destinations mentioned in the firewall policies are reachable, and with this tag they are unreachable. Please note we are applying the tag on the remote VPN firewall policy.

Below is the sample policy.

[screenshot: Sample Policy]

muhammadsaad
Contributor

The issue has been resolved. Essentially, in a remote access setup, the same tag must be applied to both the remote access profile on the EMS and the corresponding firewall policy.
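To verify on the FortiGate side that the tag referenced in the policy is actually being populated for the VPN client (the mechanism FortiDor describes, and the mismatch the solution fixes), here is an added FortiOS CLI example; it is not from this thread or from Fortinet, and the EMS connector name, tag name, interface, address object and policy ID are assumptions for illustration.

```fortios
# Added example, not taken from the thread. Assumed names:
# EMS connector "EMS1", ZTNA tag "AV-Installed", SSL VPN interface "ssl.root",
# destination address object "Vendor-Servers", firewall policy ID 10.

# 1. Confirm the EMS connector is reachable and authorized.
diagnose endpoint fctems test-connectivity EMS1

# 2. List the endpoint records pushed by EMS; the vendor laptop should appear
#    with its tunnel IP and the AV tag in its tag list.
diagnose endpoint record list

# 3. An EMS tag is exposed on the FortiGate as a dynamic address named
#    EMS1_ZTNA_<tagname>; its member list must contain the client's VPN IP.
#    If the member list is empty, the policy never matches and the traffic
#    falls through to the implicit deny, which is what "unreachable" looks like.
diagnose firewall dynamic list

# 4. The remote-access policy referencing the tag. It matches only when the
#    source IP is a member of the tag's dynamic address, so the same tag must
#    also be selected in the EMS remote access profile that this client uses.
config firewall policy
    edit 10
        set name "VPN-Vendor-AV-Required"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "Vendor-Servers"
        set ztna-ems-tag "EMS1_ZTNA_AV-Installed"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Run steps 1 to 3 while the vendor laptop is connected; if the tag's dynamic address shows no members even though FortiClient displays the tag, the EMS side (remote access profile and tag assignment) is what needs correcting, not the policy.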
