I installed an EMS server (6.4.3) for the customer. More or less everything works, but:
1) How can I force the FG (6.4.3) to see FortiClients connected to the VPN? I have the EMS Fabric connector set up and working. In the SSL VPN Monitor I see a client connected, but the FortiClient Monitor is empty. In the EMS Administration Guide I see:
"FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway."
So should I understand that if the FortiClient is not connected directly to any FG interface (and ssl.root is not a valid interface?), there is no chance that the FG will know about it? Shouldn't the EMS server send client information? I tried:
    config system interface
    set allowaccess fabric
    Must set ip as fabric is enabled. object set operator error, -118 discard the setting
    Command fail. Return code 1
Do I understand correctly that it is necessary to set the IP address on the ssl.root interface?
2) I am not able to synchronize dynamic groups between EMS and FG. On the EMS, the client is correctly tagged, the tag is transferred to the FG, but without an IP or MAC record. "Unresolved dynamic address: FCTEMSxxxxxxxx"