Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KimoAnalyzer
New Contributor

Fortigate integration with EMS

I am confused about the enforcement benefits by integrating Fortigate with EMS.

 

As per NSE training, the fabric agent sent telementry to FortiAnalyzer, then FAZ report indication of compromise to Fortigate, then fortigate request the EMS to quantine the end point.

 

Why not just the EMS takes the action from itself to quarantine an infected endpoint? 

 

Secondly: when configuring Endpoint compliance profile in a FG policy to enforce a certain web profile: does this mean that the endpoint will make the web filtering itself? in other words if this security policy has already a web filter profile : then webfiltering inspection will happen twice (once on the Endpoint and once on the Fortigate)

2 REPLIES 2
Kenundrum
Contributor III

The indicator of compromise is a function that is licensed specifically on the analyzer, and it takes data from the logs and checks against their curated lists. The analyzer will then alert the fortigate that an endpoint IP is likely compromised. The reason for the indirect notification path is likely because there are existing 2-way communication between the firewalls and the EMS systems so just use the existing paths rather than create new methods. A more direct approach is probably better, and maybe they should eventually work on it, but it probably doesn't exist on its own now.

The on-client web filter can be turned off if it detects that it is on a network with a fortigate. There is an option in the web filter tab of a profile on EMS to use "client web filtering when on-net" or something like that. If you set the on-net detection rules properly, the client web filter will turn off and use whatever web filter you have at your network perimeter. When it detects it's no longer on-net, it will turn on the local web filter and use whatever policy is set in the EMS.

The on-net detection isn't 100% bulletproof and in theory can be tricked if someone knows the parameters you have set, but it's an option.

CISSP, NSE4

 

CISSP, NSE4
jpm1111
New Contributor II

KimoAnalyzer wrote:
 

Secondly: when configuring Endpoint compliance profile in a FG policy to enforce a certain web profile: does this mean that the endpoint will make the web filtering itself? in other words if this security policy has already a web filter profile : then webfiltering inspection will happen twice (once on the Endpoint and once on the Fortigate)

You would use On Fabric Detection Rules to turn off Forticlient Web Filter when the client is behind the Fortigate, and turn it on when they are offsite. Thus no double filtering.

Labels
Top Kudoed Authors