Support Forum
FortiMax_it
Contributor

Many questions for the Forticlient EMS 7.0.7

Hi everybody,
I tried a trial of #ForticlientEMS on premises to evaluate the product and then bought a license, but now that I really have to use it I have encountered several problems. I will try to set out my questions; anyone who can help me even with just one of these, I would be very grateful! :)

1) Is there a way to understand from the telemetry if the Forticlient (7.0.7) is connected in VPN (IPSec or SSL) to the Fortigate? I currently use the server in standalone mode, so it doesn't interact with the Fortigate.

2) I have set up a telemetry connection key on the server. I would like to create Forticlient installations that do not contain the key, so that it always has to be entered manually after the first installation on the PC. When I create the installations I see the "Auto Registration" field enabled, but during the creation I am not asked whether I want to enable this option or not.


3) I have the server which is under NAT, so the ethernet interface has a private IP. This setting creates problems for me in creating invitations because I cannot select the public IP as the server:

In EMS Settings I added the public IP of the internet line as IP listening for telemetry, so why can't I put it in the invitations too?

4) I want to block IPsec VPN attempts from clients that do not meet certain requirements, and I have created, with the Zero Trust Tagging Rules, a very simple rule that for now verifies whether the client has Windows 10. In the VPN settings I attached the rule by putting it in the Permit state. The PC, which is Windows 10, is properly tagged and goes into the VPN.
The problem comes now: if in the advanced setting of the VPN I put the Tag in the forbidden state:


and I try to connect to the VPN, I correctly cannot connect and the notification appears on the PC. However, if, as in my case, I have enabled Login Before Logon with automatic connection, when the PC is turned on, the computer connects to the VPN! If I then log into the Windows user and disconnect the VPN (which was activated), the Forticlient returns to working regularly, because if I try to connect it informs me that I cannot connect. Therefore it appears that the Zero Trust Tagging Rules are not checked at PC startup. I also created the diagnostic file from Forticlient and there is actually no log of the connection which, when the PC was turned on, should have been prohibited. This is a big problem for me. I also tried setting the <use_legacy_vpn_before_logon> parameter to 1, and I also tried Forticlient 7.0.6, but nothing changes. Now I use these settings:


One thing I noticed (I don't know if it can be connected in some way) is that until I log in with the Windows user the antivirus status is not detected in the client status:



I have many other questions but for now I will stop at the most urgent ones. I haven't opened a ticket in Fortinet yet because they would surely tell me, as already happened, "For each ticket only one question", so I start by writing here on the Forum. And if some Fortinet technician would like to write me for the details I would be happy, otherwise I will subsequently open a ticket for each question as requested.

1 Solution
Jean-Philippe_P
Moderator

Hello FortiMax_it,


After investigating, it would be better to raise a single TAC support ticket so we can answer you accordingly.


In this case, there is a need for a remote session and it does not fit all environments. By opening a TAC support ticket we will help you regarding your specific environment.


Kindest regards,


Jean-Philippe - Fortinet Community Team


2 Replies
Jean-Philippe_P
Moderator

Hello


Thank you for using the Community Forum.


I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,


Jean-Philippe - Fortinet Community Team