I am confused about the enforcement benefits of integrating FortiGate with EMS.
As per NSE training, the fabric agent sends telemetry to FortiAnalyzer, then FAZ reports an indication of compromise to FortiGate, then FortiGate requests EMS to quarantine the endpoint.
Why doesn't EMS just take the action itself to quarantine an infected endpoint?
Secondly: when configuring an Endpoint compliance profile in a FG policy to enforce a certain web profile, does this mean that the endpoint will do the web filtering itself? In other words, if this security policy already has a web filter profile, will web filtering inspection happen twice (once on the endpoint and once on the FortiGate)?
The indicator of compromise is a function that is licensed specifically on the analyzer, and it takes data from the logs and checks it against their curated lists. The analyzer will then alert the FortiGate that an endpoint IP is likely compromised. The reason for the indirect notification path is likely that there is already two-way communication between the firewalls and the EMS systems, so they just use the existing paths rather than create new methods. A more direct approach is probably better, and maybe they should eventually work on it, but it probably doesn't exist on its own now.
The on-client web filter can be turned off if it detects that it is on a network with a FortiGate. There is an option in the web filter tab of a profile on EMS to use "client web filtering when on-net" or something like that. If you set the on-net detection rules properly, the client web filter will turn off and use whatever web filter you have at your network perimeter. When it detects it's no longer on-net, it will turn on the local web filter and use whatever policy is set in the EMS.
The on-net detection isn't 100% bulletproof and in theory can be tricked if someone knows the parameters you have set, but it's an option.
CISSP, NSE4
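To make the on-net decision and its caveat concrete, here is a small added model of how a client-side "turn the local web filter off when on-net" option behaves under different detection rules. This is illustrative code written for this thread, not FortiClient or EMS code; the rule attributes (gateway MAC, DHCP server, public IP, EMS reachability) and the sample network views are assumptions chosen to resemble typical on-fabric detection criteria, not Fortinet's actual rule schema.

```python
"""Toy model of on-net ("on-fabric") detection deciding whether the
client-side web filter should be active.

Added illustration only; not FortiClient/EMS code. Rule attribute names
are assumptions loosely modelled on common on-fabric detection criteria.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NetworkView:
    """What the endpoint currently observes (constructed sample values)."""
    default_gateway_mac: str
    dhcp_server: str
    public_ip: str
    ems_reachable: bool  # live management connection to EMS


@dataclass
class OnFabricRule:
    """A rule matches only when every configured condition holds.

    Unset conditions (None / False) are not checked, which is exactly what
    makes a rule weak: the fewer conditions, the easier to reproduce."""
    name: str
    gateway_mac: Optional[str] = None
    dhcp_server: Optional[str] = None
    public_ip: Optional[str] = None
    require_ems: bool = False

    def matches(self, view: NetworkView) -> bool:
        checks = [
            self.gateway_mac is None
            or view.default_gateway_mac.lower() == self.gateway_mac.lower(),
            self.dhcp_server is None or view.dhcp_server == self.dhcp_server,
            self.public_ip is None or view.public_ip == self.public_ip,
            (not self.require_ems) or view.ems_reachable,
        ]
        return all(checks)


def is_on_fabric(view: NetworkView, rules: List[OnFabricRule]) -> bool:
    """On-fabric if any configured rule matches the observed network."""
    return any(rule.matches(view) for rule in rules)


def client_web_filter_active(view: NetworkView, rules: List[OnFabricRule],
                             filter_off_when_on_net: bool = True) -> bool:
    """Mirror the profile option: the local filter is disabled only when the
    endpoint is judged on-net, so filtering is done once, at the perimeter.
    With the option off, the client always filters locally (double filtering)."""
    if not filter_off_when_on_net:
        return True
    return not is_on_fabric(view, rules)


# --- constructed sample networks -------------------------------------------
OFFICE = NetworkView("00:09:0f:aa:bb:cc", "10.10.0.2", "203.0.113.10", True)
HOME = NetworkView("aa:bb:cc:dd:ee:ff", "192.168.1.1", "198.51.100.7", False)
# A network that happens to share the office gateway MAC and DHCP address
# but has no path to EMS and a different public IP.
LOOKALIKE = NetworkView("00:09:0f:aa:bb:cc", "10.10.0.2", "198.51.100.7", False)

# A rule keyed only on easily observed layer-2/DHCP values ...
WEAK_RULES = [OnFabricRule("hq-weak", gateway_mac="00:09:0f:aa:bb:cc",
                           dhcp_server="10.10.0.2")]
# ... versus one that also demands the egress public IP and EMS reachability.
STRICT_RULES = [OnFabricRule("hq-strict", gateway_mac="00:09:0f:aa:bb:cc",
                             dhcp_server="10.10.0.2",
                             public_ip="203.0.113.10", require_ems=True)]


if __name__ == "__main__":
    for label, view in (("office", OFFICE), ("home", HOME), ("lookalike", LOOKALIKE)):
        print(f"{label:10} weak-rule local filter on: "
              f"{client_web_filter_active(view, WEAK_RULES)}  "
              f"strict-rule local filter on: "
              f"{client_web_filter_active(view, STRICT_RULES)}")
```

The interesting row is the look-alike network: with the weak rule the client believes it is behind the FortiGate and switches its own filter off, leaving it unfiltered; with the stricter rule the mismatch keeps the local filter on. The defensive takeaway is that the local filter should only be switched off by conditions an outsider cannot easily reproduce, and the safe failure mode is "filter locally" whenever the rules do not match.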
KimoAnalyzer wrote: You would use On-Fabric Detection Rules to turn off the FortiClient Web Filter when the client is behind the FortiGate, and turn it on when they are offsite. Thus no double filtering.