Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortyFred
New Contributor

EMS Basic Questions

We have inherited a project with limited experience with Fortigate VPN and EMS, so please bear with me. Our network team quit, so the servers guys (us) have to take it over.

 

The customer of ours is under the impression that having EMS will enable automated Forticlient software updates - they believe that once EMS is in place their end users (around 500) will be able to automagically have their endpoints update the Forticlient software. Since we do not know for sure, I'm asking if anyone can identify this statement as pie in the sky thinking, or as "yeah, that's what its for, you're on the right track, deploy EMS, its awesome!". I'm reading over previous EMS posts here, and I'm seeing various struggles with managing the client. I'm not seeing anyone saying the client automatic maintenance and management and deployment is seamless and easy - one of this customers engineers says the Cisco AnyConnect Client seamlessly has auto updating, so they think they're going to get that with Fortinet Client and EMS.

 

Our Fortigates host many customers, not just this one that wants EMS. Our Firmware is only at FortiOS v6.2.4 build1112 (GA) and we've been told that the EMS software fabric objects cannot be deployed on this version. So, we have to upgrade our firmware to appease this one client - yes, I realize we should update our firmware asap, regardless. But my point is, without Fortinet expertise, upgrading firmware right now is not HOT on our to do list until we backfiill Fortinet expertise (anyone want a side job?)

 

Does EMS supply this magical transparent, software client update that the customer is expecting, and we should jump though many hoops and tinkering POC to provide EMS to them, knowing that they don't want ANY other feature - Web Filtering, A/V etc. They only want the auto client updating, nothing else. It is even worth it to deploy EMS for just client updates? Thanks for your time and suggestions.

4 REPLIES 4
Fullmoon
Contributor III

Hi,

 

let me share my little know how on this product and understanding how update works. If somebody find my statement incorrect then I stand corrected.

FortiEMS is kind a straight forward interms of installation and deployment. In regards to update, similar to other endpoint security, the used of Centralize Console is to centrally management policies, settings, including update and etc... endpoints having forticlient installed should pull "automatically" updates from the EMS server.

Screenshot below shows the EMS settings where client should get update and its interval.

 

Fortigate Newbie

Fortigate Newbie
FortyFred

Do people manage the client completely outside of Intune or SCCM? That is my customer's goal. Is this goal 100% covered?

 

Has anything changed in 3 years <?> - https://forum.fortinet.com/FindPost/161132

andre_dasilva
New Contributor

Yeah, If the users are inside the network it will able to update. 

fcb

Aside from a nasty bug here and there, EMS is a wonderful product that will save you and your customer about two months of work every year. Here's how it's been explained to me and I see no reason to believe that this excerpt from another post is wrong:

 

A lot of this will depend on how you will install to an endpoint that has never had FTC installed on it before or in other words how you will "deploy" it. Once the initial FortiClient installation has been completed (installed for the the first time) it will from that point forward use TCP.8013 for EVERYTHING that it needs to do when interacting from server to client (which it really doesn't do) and from Client to Server (client checks in on an interval) which is how it's done exclusively once the initial deployment is complete. If I've missed something here, or am wrong, or if Fortinet's advice to setup the split DNS was wrong or not as secure as it should be, someone please enlighten me. I've been concerned with this topology for some time but this thing has yet to let me down

So as seen previously once you have FTC installed it's a piece of cake to do all of this, and much more:

 

1. Complete AV/AM/RansomWare protection with Sandbox capability and removable device (USB drive) control.

2. Robust Web Filtering capabilities (with SSL inspection) that follows the machine instead of the user

3. Application Firewall that will rival any you will ever find.

4. Preconfigured VPN tunnel with IPSEC or SSL VPN capabilities - It's so easy for me to change a tunnel now and then have each client reach out to the server to get the new settings.

5. Vulnerability Scanning with automatic Windows and Third Party Patching capabilities (this alone is worth a ton)

6. Control dozens of system Settings on the Endpoint including robust logging (syslog or FortiManager).

7. Robust SSO and User Identity configurations.

8. Certificate management and installations onto the Endpoint

9. An unbelievable Software Inventory of every endpoint with FTC installed.

10. Quarantine Management

11. On-Net and Off-Net Profiles with extremely simple requirements for upgrading endpoints to the latest version.

12. With code base 6.4, Endpoint Compliance and Quarantine based on machine rules (i.e.: if no or not updated AV don't allow access to network or my favorite "If a member of Admins Active Directory Group, allow access to Gmail and allow endpoint to SSH through the Edge and allow access to the file server but do not allow access to the DMZ and all done via an AD group.)

 

The list goes on and on and on but don't let anyone ever tell you that this is not one of the baddest products to ever hit the market. A single pane of glass to manage essentially every aspect of an endpoint including what rules sets it is to follow when traversing the FortiGate driven network or what version of Notepad++ is allowed. It's unbelievable what this thing can actually do IF you are already drinking the Fortinet Kool-Aid. Anyone out there to disagree?

 

 

Labels
Top Kudoed Authors