Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiTester
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Basic FortiClient EMS questions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basic FortiClient EMS questions
Hello team!!
I read the first 8 chapters of the "FortiClient EMS 7.4 Administrator Study Guide". After this I started to open the FortiClient Cloud, and created some different objects there. But playing with my FortiClient Cloud, before set this in production, I get some questions. Please, answer my questions or guide me to reach the answers. Sorry if there are obvious questions.
1) I configured an authentication server (Windows AD), and this is connected, but when I create a Group Assignment Rule, I cannot select a Domain Group, just workgroup group. Why? (All computers objects are in All Endpoint as "Not installed", and I am able to use Domain Groups in "Manage Deployment")
2) If I want that a group has a ZTNA application (The app is hosted in a server which is in the same site that Fortigate), I need to create 2 applications? (One for on-fabric endpoints and the another for off-fabric endpoints). If not, where do I need to point this?
3) For on-fabric endpoints, I can create on Fortigate, a rule to allow certain application, which are the diffences, between allow this traffic on Fortigate, and create a ZTNA application on FortiClient EMS?
4) Is there a way to chose sub-categories on web filter profiles in FortiClient EMS? (When I create a new profile, I just can select categories, not sub-categories)
5) What is "Deployment & Installers -> Manage Deployments" for? In the study guide, I learned that FortiClient could be deployed through GPOs, SCCM, and third party applications as in tune
Thanks in advance.
Regards
Damián
Damián Lozano
Solved! Go to Solution.
Damián Lozano
Labels:
- Labels:
-
FortiClient EMS
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Damian
- EMS does not apply group assignment rules to a domain-joined endpoint if it belongs to an imported Active Directory (AD) domain in EMS...
https://docs.fortinet.com/document/forticlient/7.4.3/ems-administration-guide/353734 - Why do you create ZTNA apps for on-fabric endpoints. You just need it for off-fabric endpoints. On-fabric endpoints should access the app via a regular firewall rule where you can use ZTNA tags if you want.
- I think after reading response 2 above you understand better the difference.
- Yes you can. Just click the plus (+) sign in front of the category and you will see its sub-categories.
- From 7.4.0 you need GPO because it is not possible to do initial deployment from EMS anymore. From 7.4.0, manage deployments is for updates/upgrades only.
AEK
AEK
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Damian
- EMS does not apply group assignment rules to a domain-joined endpoint if it belongs to an imported Active Directory (AD) domain in EMS...
https://docs.fortinet.com/document/forticlient/7.4.3/ems-administration-guide/353734 - Why do you create ZTNA apps for on-fabric endpoints. You just need it for off-fabric endpoints. On-fabric endpoints should access the app via a regular firewall rule where you can use ZTNA tags if you want.
- I think after reading response 2 above you understand better the difference.
- Yes you can. Just click the plus (+) sign in front of the category and you will see its sub-categories.
- From 7.4.0 you need GPO because it is not possible to do initial deployment from EMS anymore. From 7.4.0, manage deployments is for updates/upgrades only.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AEK, thanks a lot!!!
1) Ok, I didn't know.
2 & 3) I though I read this in the study guide, that you can use ZTNA apps for on-fabric too
4) Sorry, dumb question. I dont even try with the plus sign, hehehehe
5) It doesnt make sense to me, that FortiClient EMS could do the initial deploy of Forticlient to endpoints in any way. I though maybe this is for updates but didnt know.
You answered to me all my questions and many questions about Fortigate in the past, I think you know a lot about fortinet products.
Thanks again!
Regards,
Damián
Damián Lozano
Damián Lozano
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Damian
2&3) Yes technically you can us ZTNA app for on-fabric, but I think it doens'nt make sense because ZTNA app is intended for secure remote access and intended to replace SSL VPN.
Happy to help. Actually I work a lot on integrating security solutions, especially Fortinet. That could be the reason.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great!!
That's most probably the reason, hehehehehe.
Thank you a lot!
Regards,
Damián
Damián Lozano
Damián Lozano
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Sorry, I just add 2 new questions.
1) Is this possible to authenticate AD users with 2FA without any other appliance than Fortigate and FortiClient EMS?
I found this article, but I dont have "Security Fabric > Settings", I think this is because we dont have security fabric (we does not have FortiManager or FortiAnalyzer)
2) In this case, when will the credentials be authenticated? When FortiClient connects to EMS?
Thanks in advance.
Regards,
Damián
Damián Lozano
Damián Lozano
Labels
-
FortiGate
10,241 -
FortiClient
2,082 -
FortiManager
868 -
5.2
687 -
FortiAnalyzer
663 -
5.4
638 -
FortiSwitch
562 -
FortiAP
543 -
FortiClient EMS
531 -
6.0
416 -
IPsec
372 -
FortiMail
363 -
5.6
362 -
SSL-VPN
356 -
FortiNAC
260 -
6.2
251 -
Fortiweb
247 -
FortiAuthenticator v5.5
234 -
SD-WAN
181 -
FortiAuthenticator
160 -
FortiGuard
159 -
5.0
152 -
Firewall policy
131 -
6.4
128 -
FortiGate-VM
114 -
FortiCloud Products
114 -
FortiGateCloud
112 -
FortiSIEM
110 -
FortiToken
107 -
Wireless Controller
94 -
Customer Service
87 -
High Availability
80 -
FortiProxy
75 -
ZTNA
71 -
Routing
70 -
Fortivoice
69 -
VLAN
69 -
FortiEDR
68 -
DNS
67 -
SAML
65 -
FortiADC
64 -
Authentication
62 -
BGP
62 -
Certificate
58 -
RADIUS
57 -
FortiSandbox
53 -
SSO
53 -
FortiLink
52 -
LDAP
52 -
FortiExtender
51 -
NAT
50 -
4.0MR3
49 -
FortiDNS
43 -
VDOM
41 -
Application control
41 -
Interface
40 -
Logging
40 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
Virtual IP
37 -
FortiConnect
34 -
Web profile
34 -
FortiWAN
33 -
FortiPAM
33 -
SSL SSH inspection
32 -
FortiConverter
28 -
FortiGate v5.2
27 -
Automation
27 -
Static route
25 -
Traffic shaping
24 -
SSID
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
22 -
SNMP
22 -
API
22 -
System settings
22 -
WAN optimization
20 -
FortiMonitor
19 -
OSPF
19 -
Security profile
17 -
Web application firewall profile
17 -
Web rating
17 -
FortiDDoS
16 -
FortiSOAR
16 -
FortiAP profile
16 -
IP address management - IPAM
16 -
Admin
15 -
Proxy policy
15 -
FortiGate v5.0
14 -
FortiCASB
14 -
IPS signature
14 -
Explicit proxy
13 -
Traffic shaping policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
RMA Information and Announcements
12 -
NAC policy
12 -
Port policy
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Fabric connector
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
DNS filter
10 -
Trunk
10 -
Users
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Authentication rule and scheme
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
FortiScan
6 -
DLP sensor
6 -
DoS policy
6 -
VoIP profile
6 -
Vulnerability Management
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
File filter
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
Lacework
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2431 | |
| 1304 | |
| 778 | |
| 561 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.