FortiClient EMS Course Notes

FortiClient EMS Course Notes
Forticlient (EMS)
ForiClient (FC)
FortiClient
EMS Course FortiGate(FG)
Notes
FortiAnalyzer(FAZ)
Installation Packages
Forticlient (EMS)
Forticlient (EMS)
Features
Benefits
Components
Vulenrability Management
EDR
Forticlient (EMS)
Features
FortiClient EMS shares device status information through
ZTNA telemetry
FortiClient EMS is the management server that centrally

configures and monitors FortiClient endpoints.
Provisions & Manages FCs
Groups FCs based on ZTNA tagging rules

Forticlient (EMS)
Benefits
Remote deployment of FC S/W to Windows PCs
Updating endpoint user profiles regardless of location
Administer FC connections (status, accept, block and

disconnect)
Manages and monitors outdated FC version

Forticlient (EMS)
Components
FC EMS
EMS Database
FortiClient
Webfilter Extension
ZTNA
Forticlient (EMS)
FC EMS
Manages FC on endpoints
Manages FC Webfilter in connected Google Chromebook

Forticlient (EMS)
Manages FC Webfilter in c...

Console: manages security profiles, FC and chromebook
Server: secure communication b/w:

Forticlient (EMS)
Server: secure communica...

endpoint and console
chromebook and Google Admin Console

Forticlient (EMS)
EMS Database
Stores security profiles & events
Stores user info. from Google Admin Console for

Chromebook
As part of EMS, SQL server Database is installed
You can backup/Restore with same DB version ONLY

Forticlient (EMS)
You can backup/Restore w...

You must backup / restore DB with password protection
You must wait for restored DB to reload before using it

Forticlient (EMS)
FortiClient
Ensforces security & protection on endpoints
Runs on server, PCs and Laptops

Forticlient (EMS)
Webfilter Extension
Communicates with EMS to enforce web filtering on
Chromebooks
You must enable Fortiproxy to use web filter
Can be enabled for on/off-fabric endpoints
You can select site categories from Fortiguard

Forticlient (EMS)
Rate IP address:
Filters URL & resolve IP address at same time and select required action
FC can rate site by URL & IPS separately
Provides additional security by Fortiguard
Configure actions when Fortiguard is unavailable

Forticlient (EMS)
Exclusion List:
Has higher priority than site categories
Can be configured for URL / URL types
Actions available: allow, block and monitor
Violations:
Forticlient (EMS)
Violations:
List of all violated Fortiguard categories when actions are
block/warn
List all exclusion list when action is block only.

Forticlient (EMS)
ZTNA
ZT Telemetry / FC Telemetry
Telemetry Data
ZTNA Server: Defines access proxy VIP and real servers

that client will connect to
ZTNA Rule:
Forticlient (EMS)
ZT Telemetry / FC Telemetry
Shows connectivity b/w FC & EMS
Used to manually connect/disconnect FC to EMS
FC can use gateway to connect FC to EMS using:
ZTNA Telemetry Compliance

Forticlient (EMS)
FC can use gateway to con...

IP Address
FQDN
Invitation Codes
Forticlient (EMS)
ZTNA Telemetry Compliance

Depends on EMS and FortiOS
To be compliant, you must have all 3:

Forticlient (EMS)
To be compliant, you must...

FC must be 7.0.2+ or 7.2.0
EMS must be 7.2.0
FortiOS must be 7.2.0
No mix is allowed
Forticlient (EMS)
Telemetry Data
This data is sent to EMS
All info are used to understand endpoint workload to better

protect it
It consists of :
Forticlient (EMS)
It consists of :
H/W info (macOS)
S/W info (OS version)
Users Credentials (User name, Avatar, Hostname)
Vulnerability scanning info
Workload
Forticlient (EMS)
ZTNA Rule:
It is proxy policy which enforces access control
Applies security profiles to protect traffic
Redirects the client requests to the access proxy

Forticlient (EMS)
ZTNA IP/MAC-based Acces...

Only for on-fabric connection
Does not use access proxy
Uses ZTNA tags for access control

Forticlient (EMS)
Vulenrability Management
An administrator is required to maintain a software vulnerability on the
endpoints, without showing the feature on the FortiClient dashboard. Click the
hide icon on the vulnerability scan tab
Managed by EMS
FC performs VUS on endpoints
One-click to install patches and resolve Vulnerability

Forticlient (EMS)
EDR
Prevents Post-Execution Suspicious activities
Detect, Respond and Remediate
Next-Generation AV (Pre-Execution Protection PEP) and

Vulenrability Patch
Application Control to block outdated/unwanted

applications
Forticlient (EMS)
Users Administration
Admin User
Forticlient (EMS)
Admin User
Manages permissions, approvals, discovery and
deployment of FC
Configure user privileges/permissions on all

Windows/LDAP servers/users
Initially, No password for admin
Two types of Admin accounts

Forticlient (EMS)
Two types of Admin accounts

Local admin (EMS)
Windows Users (Local host server)
LDAP Users (AD)

Forticlient (EMS)
Roles of Administrators
Super admin
Standard admin
Endpoint admin
Restricted admin
All roles are derived from 3 categories

Forticlient (EMS)
All roles are derived from ...

Endpoint permissions
Policy permissions
Settings permissions
Forticlient (EMS)
Users Settings
Inactivity timeout (default 30 min)
Inactive/disabled users for days can be activated by super

admin
Max. password age: Time to change password(only built in

users & EMS)
Forticlient (EMS)
Fabric Devices
Shows authorized FGs in FSF
You can either authorize/deny
Only if EMS is part of FSF
Devices Roles:
Forticlient (EMS)
Devices Roles:
Device identity & trust are integrated to ZTNA
Identity is established via client certificate
Trust is established b/w the following:

Forticlient (EMS)
Trust is established b/w th...

FC: provides endpoint info: ( device info, login users,
security posture
EMS: Issue & sign FC certificate and sync it to FG using

tagging rules for FC
FG: sync FC info with EMS

Forticlient (EMS)
FG: sync FC info with EMS

When FC device info changes, EMS updates FG
WAD daemon uses device info to process ZTNA traffic

Forticlient (EMS)
EMS Operation Modes:

Stand-alone Mode:
EMS Integrated Mode with Security Fabric

Forticlient (EMS)
Stand-alone Mode:
EMS provisions endpoints
Endpoints connect ZT telemetry to EMS to receive

configuration info from EMS as policies
EMS sends ZTNA tagging rules to FCs
EMS uses results to dynamically group endpoints in EMS

Forticlient (EMS)
EMS Integrated Mode with ...

FC ZTNA telemetry connects to EMS to receive
configuration info as part of endpoints polciies
EMS connects to FG to participate in FSF & send

endpoints info to FG
FCs receive device certificate from EMS to encrypt and

tunnel TCP/HTTPS traffic via HTTPS to FG (FG version
7.2.0+
Forticlient (EMS)
FG uses EMS dynamic end...

Build dynamic FG policies (ver. 7.0.2+)
Adjust policies based on these dynamic groups

Forticlient (EMS)
EMS Settings:
Shared EMS Settings:
EMS Settings:
Endpoints Settings:
EMS Server Certificate:
EMS Custom Messages:

Forticlient (EMS)
Shared EMS Settings:

Hostname, IP, FQDN, Remote Hostname/ports, Management IP, pre-
defined hostname, endpoint control, web server,ZTNA certificate
Shared among all endpoints
Default port for EMS remote access is TCP 443

Forticlient (EMS)
EMS Settings:
Howendpoints connect to EMS
Listen port, FC download URL, enforce user verification, login banner
Default listening port for telemetry is 8013
Default listening port for Chromebook is 8443

Forticlient (EMS)
Endpoints Settings:
Timeout values:
Telemetry connection key is must
Signature DB updatate
Cloud services: linkedin, google, salesforce, user avatar
If you choose info log type, you will get all types from
Forticlient (EMS)
Timeout values:
Keepalive =60s, offline=5 days, EMS
license=45 days, Delete=30 days,
Deauthrozed user inactivity=30 days
Forticlient (EMS)
EMS Server Certificate:

Default: cannot be deleted or used with other types
Uploaded: comes in .pem, .der, .pkcs12 formats
ACME: Free sSL certificate for ACME protocols
FortiCare: Cannot be deleted, used when renewal of

existing certificate. Preferred than defalut
Forticlient (EMS)
Services use Certificates:

Web server: port 443, 10443, 8015
Endpoint control: port 8013
Chromebook: port 8443

Forticlient (EMS)
Web server certiificate vali...

If certificate is valid, connection is allowed.
If not valid:
Forticlient (EMS)
If not valid:
If action is warn, and user allows connection, FC will
connect to EMS and remember action.
IF action is warn, and the user denies, each time FC will

display warnning message
Forticlient (EMS)
EMS Custom Messages:

Web filter messages:
Add company logo
Only superadmin can enable/disable Features on EMS

Forticlient (EMS)
Web filter messages:

Blacklisted page, blocked page, warning
page, warning FG inaccessible page,
Blocked FG inaccessible page
Forticlient (EMS)
EMS in Multi-Tenancy:
Benefits:
Features:
Site Admin:
Site-Level License:
Forticlient (EMS)
Benefits:
Granular access to multiple sites for mutiple admins with
separate endpoints data & config info for each site
Site data is not shared
Up to 500 sites
Fabric connection must use FQDN to connect to EMS

including default site.
Forticlient (EMS)
Features:
You must enable "Manage Multiple Customer Site" option
All previuosly created admins become admins for default site

except default admin
Dashboard display:
New site are created from global settings

Forticlient (EMS)
Dashboard display:
Global settings for all sites
Default settings for original instance

Forticlient (EMS)
Site Admin:
Site Admin is a new role for site-level
Can access assigned sites only
No global site access
He is superadmin for his site
Can access site-level license & settings

Forticlient (EMS)
Site-Level License:
ZT license
Next Generation endpoint security

Forticlient (EMS)
EMS High Availability:

Active-Passive mode:
Fail-over Options:
Forticlient (EMS)
Active-Passive mode:
Both primary & secondary servers same remote DB in
separate server
Endpoints connected to primary EMS, when failed,

endpoints go to secondary after promoting sec to prim
Forticlient (EMS)
Fail-over Options:
DNS Round-Robin:
HA Load-Balancer:
Forticlient (EMS)
DNS Round-Robin:
Same Hostname to multiple EMS servers with different IPs
EMS must configure FQDN
Endpoints must point to DNS server with Round-robin
FCEMS service runs on primary EMS server only.

Forticlient (EMS)
HA Load-Balancer:
Uses FG to route traffic to EMS
using VIP, real IPs/Ports, LB,
health check
Forticlient (EMS)
Endpoints Management in EMS:

EMS synchs AD domain workgroups but not back to AD
FC registration happens when FC telemetry connects to EMS IP

address
Endpoints can be viewed from EMS "Endpoints> All endpoints menu
Endpoints Actions on EMS:

Forticlient (EMS)
Endpoints can be viewed f...

Not installed: # of endpoints do not have FC s/w installed
Not registered: # of endpoints not connected to EMS
Out-of-synch: # out of sync policies
Security risk: # with security risk / compromized
Quarantined: # quarantined endpoints

Forticlient (EMS)
Endpoints Actions on EMS:

AV Vulenrability scan on next telemetry comm.
Patch VUL on FC
Upload log files to EMS
Run diagnose tool on FC and share result with EMS
Quarantine, connect, disconnect, exceclude from

Forticlient (EMS)
For Android, use

invitation codes and...
Invitation code/QR-Code include hostname/ip
(must), port#, connection key for EMS
Forticlient (EMS)
EMS automatically groups ...

Installer ID
IP address
OS platform: Win/macOS...
ForiClient (FC)
ForiClient (FC)
FC Features:
FC General Info:
Components
Quarantined Files in FC:
Quarantine Automation
ForiClient (FC)
FC Features:
FortiClient provides features such as antivirus, web filtering,
firewall, vulnerability scan, and VPN.
Cannot participate in FSF
Connects to EMS to pull policies (in FSF)
Enforce EP compliance & awareness

ForiClient (FC)
Connects to EMS to pull p...

Priority
Necessity
ForiClient (FC)
FC General Info:
Types of AV scanning
FC automatically luanches & connects to EMS after

installation
Manually enter EMS IP address/Invitation code to connect to

EMS
FC can remember connection keys

ForiClient (FC)
Types of AV scanning
Quick Scan
Full Scan
Custom Scan
ForiClient (FC)
Quick Scan
Runs the rootkit detection engine to detect & remove
rootkits
Only scans .exe, .dll and drivers currently running

ForiClient (FC)
Full Scan
rootkits
Performs full system scan of all files, .exe,.dll and drivers.

ForiClient (FC)
Performs full system scan ...

Scan removable media if present
Scan network drives
Default is monthly
ForiClient (FC)
Custom Scan
rootkits
User <directory> name to enter full path of folder on your

local HDD to scan
ForiClient (FC)
Manually enter EMS IP add...

When instructed to forget IP address, FC does not use it to
automatically rejoin the EMS network
To join another EMS network, you must disconnect from old

EMS to join new EMS or disable FC and un-install
ForiClient (FC)
Malware Protection in FC
Includes AV protection, anti-malware, cloud-based malware protection,
anti-exploit and removable media access
In AV, when botnet protection feature is enabled, FC monitors & compares

network traffic on compromized system with known C&C servers and block
them
Real-time Protection (RTP) is tightly integrated with Windows to monitor

local/remote files (downloaded, saved, run, copied, renamed, opened, written
to. By default, real-time protection is disabled
ForiClient (FC)
FC automatically disables ...

OS server detected
Exchange server detected
SQL server detected

ForiClient (FC)
Anti-exploit Detection: Sig...

Protects vulnerable endpoints from unknown exploit attacks
and zero-day attacks
Protects from memory-based attacks and drive-by

download attacks
ForiClient (FC)
Network Support
FC supports IPSec & SSL VPN
FC supports MFA with FortiToken
FC allows multiple VPN profiles
FC can connect to EMS before login to Windows AD

account
ForiClient (FC)
FC supports IPSec & SSL VPN

Can be configured on FC console
Use EMS to proivision VPN config.

ForiClient (FC)
FC allows multiple VPN profiles

Can be basic
Or Advanced
ForiClient (FC)
Or Advanced
Redundant IPSec VPN
Priority based VPN
Supported in both Windows/Mac

ForiClient (FC)
To Connect to VPN, you ne...

VPN Name from FC console
User name/Password
Either Corporate/Personel VPNs

ForiClient (FC)
Components
Application Firewall
ForiClient (FC)
Application Firewall
Uses IPS protocol decoder to detect & analyze apps traffic
even on non-standard ports
Traffic rules, which control apps traffic on FG or EMS based on

categories or application, can be pushed to managed FC
Application F/W settings are read-only on FC console

ForiClient (FC)
Quarantined Files in FC:

Quarantined files on FC are sent to EMS
Allowlisted & restored quarantined files on EMS can be

done on next telemetry
FC console can not restore / delete quarantined files
FortiClient vulnerability scan is a feature that detects and

fixes security issues on the endpoints.
ForiClient (FC)
Quarantine Automation
AS Fabric agent, FC can integrate w/ security fabric
automated responses to contain incidents
Based on IoC verdicts, EMS & FG can automate process of

qurantineing suspicious endpoints
Quarantineing Benefits:
For automation, you need : FG, FAZ, EMS and FC

ForiClient (FC)
AS Fabric agent, FC can in...

Provides endpoints info
Run VA scan & patching
Identify risky endpoints
Provide application inventory

ForiClient (FC)
Quarantineing Benefits:
Containing threats & icnidents
Controlling outbreaks
ForiClient (FC)
Endpoints Deployment on EMS:

EMS 7.2.0 no longer support initial deployment using AD
Instead, you must use the following:
Deployment Package Setup Types

ForiClient (FC)
Instead, you must use the ...

MS SCCM
MS GPO
MDM
Email with install URL to end users

ForiClient (FC)
MS SCCM Create custom

deployment
pacakage (.MSI
file)
MS GPO
ForiClient (FC)
MDM
Intune: All platforms
Vmware MD: MacOS only

ForiClient (FC)
Email with install URL to end users

Create custome dep. package on EMS
Create invitation code on EMS
Send email/sms to end user inclduing:

ForiClient (FC)
Send email/sms to end use...

Invitation code
Installer package
ForiClient (FC)
Deployment Package Setup Types

Basic Features
Advanced Features
ForiClient (FC)
Basic Features
ZT Telemetry (enabled by default)
Secure Access Arch. components
Vulnerability Scan
APT
ForiClient (FC)
Advanced Features
AV, Anti-exploit, anti-ransomeware,app
f/w, SSOMA, cloud-based malware
outbreak detection
ForiClient (FC)
Endpoints Profiles:
Assigned/default profiles can not be deleted
Eye-icon feature:
Default profile:
Google Chromebook Profile:
Remote Access Profile:

ForiClient (FC)
Eye-icon feature:
Used for inspecting user traffic without their knowledge
Supports: Remote access, ZTNA destination, Web filter,

VUS, malware protection, Sandbox and Firewall
ForiClient (FC)
Default profile:
Created in EMS during installation
Provide effective level of protection
Applied to any group in EMS
Support Win, macOS, Linux and Chromebook
Applied to groups only

ForiClient (FC)
Google Chromebook Profile:

Support Web filter by categories
Blacklist/Allowlist can be added
Supports safe search:
Only Web filter & system settings tabs available

ForiClient (FC)
Supports safe search:

Blocks in-appropriate or explicit images from search results
Adult Sites
Supports Google, Yahoo and Bing search engines

ForiClient (FC)
Remote Access Profile:

Enable/disable VPN
Supports IPsec/SSL VPN
You can add VPN Tunnel
You can enable//disable option to connect/disconnect

ForiClient (FC)
Web Filter Profile:

From FG/FM to EMS
From XML file to EMS

FortiGate(FG)
Features
FortiGate(
FortiPAM(PAM)
FG)
SAML SSO
FortiGate(FG)
Features
Provides network & security
Uses verification rules & endpoints info from EMS to dynamically adjust
security policies
When using FM, FG communicates b/w EMS & FM
Firewall policies
FortiGate(FG)
Firewall policies
Applies security profiles to protect traffic using ZTNA
Configurations on FG for remote users
The firewall policy matches and redirects client requests to the

access proxy VIP
ZTNA Policies:
FortiGate(FG)
ZTNA Policies:
Full ZTNA Policy: Firewall policy matches and redirects
client requests to the access proxy VIP
Simple ZTNA Policy

FortiGate(FG)
FortiPAM(PAM)
Features
FortiGate(FG)
Features
A privileged access management solution
It's role-based access
Provides audit, security options for privileged users

(Admins).
FortiGate(FG)
SAML SSO
Use FG as IdP to login to EMS
Only use SAML SSO feature
EMS does not support FortiAuthenticator or any IdP
Allows admin to login to multiple FGs , FMs with single sign on

FortiGate(FG)
Use FG as IdP to login to EMS

Outline
Central Topic
Questions
FortiAnalyzer(FAZ)
Features
FAZ IOC Flows:

FortiAnaly
FortiManager (FM)
zer(FAZ)
FortiSandbox(FSB)
Logging
FortiAnalyzer(FAZ)
Features
Provides network & security
Receives logs & windows host events directly from EMS-connected

endpoints
Uses logs to run reports.
Receives other FGs data from EMS

FortiAnalyzer(FAZ)
FAZ IOC Flows:

When Melicious site are detected, FC sends logs to FAZ
FAZ discovers IOC and notifies FG
FG identifies connected endpoints and notifies EMS
EMS sends quarantine message to endpoints
Endpoint quarantined itself and notifies EMS & FG

FortiAnalyzer(FAZ)
FortiManager (FM)
Features
FortiAnalyzer(FAZ)
Features
Controls management for managed FGs
Can monitor managed endpoints from multiple FGs

FortiAnalyzer(FAZ)
FortiSandbox(FSB)
Features
FortiAnalyzer(FAZ)
Features
Analyzes new, old unknown, udetected viruses samples
real-time
Receives logs & windows host events directly from EMS-

connected endpoints
Sends files once scanned
If is not detected & .exe, it runs in Windows VM and monitored.

FortiAnalyzer(FAZ)
Logging
AV, App F/W, VPN, Web filter, Updates, VUS scanning logs
Status:
You can export/clear logs (.log)
By default, logging is disabled in FM. You must enable it

manually
FortiAnalyzer(FAZ)
Status:
Emergency: system is unstable
Alert: Immediate action required
Critical: Functionality affected
Warning
Information (default)
FortiAnalyzer(FAZ)
Logs contain logs & softw...

S/W installed
Sent to EMS & FAZ only first time

FortiAnalyzer(FAZ)
You must have :

FC
EMS
FAZ or FM
License with FAZ cloud entitlements

FortiAnalyzer(FAZ)
Log Viewer:
View or download EMS logs (.zip
format)
FortiAnalyzer(FAZ)
Forensic Analysis:
Requires Forensic Analysis license
Generated Statuses:
FortiAnalyzer(FAZ)
Generated Statuses:
Pending: request initiated and waiting to be assigned to
analyst
In-progress: analyst is working on it
Complete: Analysis is completed and results shared in .pdf
Failed: Analyst could not connect to endpoint

FortiAnalyzer(FAZ)
Cancelled:
Analyst needs more info about endpoint
FC EMS admin cancelled request

FC Installations
Installation
EMS Licenses
Packages
SASE Licenses
FC Installations
Stand-alone
Using AD GPO
VPN ONLY Installation
FortiPAM/FC Stand-alone
Stand-alone
Windows
MacOS
Linux
Windows
/quite: install in quite mode + log
/passive: Un-attended install, slow progress
/norestart : No restart after install
/promptrestart: prompts for restart if needed
/forcerestart: always restart

MacOS
Online tool to download s/w and install
Using AD GPO
GPO is used to install/uninstall
Create OU, GPO to push installation
Create shared folder with permissions to host .MSI & MST

packages
copy .MSI/MST to installation folder

Upgrade Push from

EMS
Schedule upgrade dialog to allow users to upgrade for max of
24 hours with 15 mins window
VPN ONLY Installation

Freed download for VPN connectivity only
You cannot use with SSOMA
If SSOMA+VPN is needed, you must license for EMS

FortiPAM/FC Stand-alone
Requires ZTNA tunnel access to PAM server or FortiPAM without EMS
Does not any features of the standard FCPAM
Internet Access is required for EMS server Installation
Minimum of 200 FC (recommended)

EMS Licenses
Supports Win, macOS, Android, Linux and Chromebook
EMS-License is per-seat: if user logs out for 30 days,

license can be utilized for another user
EPP License
ZTNA License
EPP License
Full license with all features in FC:
ZTNA, AV, Anti-ransome, CBM,
Application F/W, SI, APT, Sandbox
ZTNA License
Support fabric agent, telemetry, security
posture via ZTNA tags, remote access,
VUS, Webfilter, threat protection and USB
device control
Chromebook License
For one user
EMSE Installation Package...

FC EMS
MS SSQL server 2017 express edition
Apache http server
ClientdownloadPort is 10443
RemoteManagmentPort is 443
Reasons for Uninstalling EMS

Migrating EMS on-prem to another
There is a conflict with other apps
Performing fresh installation

Access EMS
https://localhost (locally)
https://FQDN-server-name (remotely)
Registering to EMS via Invi...

Used to connect FC to EMS
For Linux, IOS, Android, no deplyment package needed
When endpoints do not automatically register to EMS after installation
If SMTP is enabled, you can email invitation codes in bulk or individual

(prefered indvidiual)
SASE Licenses
Protects on/off campus users when
connected to internet using the same FG
access policies. (Subscription Only)
FortiSASE ISA
FortiSASE ISA
Features
FortiSASE ISA
Features
Security-as-a-Service-Internet Security Access
Deploye via Forticlient SASE
Scaleable cloud based platform
Allows customer to extend FWaaS, IPS, DLP,DNS, SWG,

Sandboxing off-fabric remote access
Forticlient Security Fabric(FSF)
Features
Has 4 Editions
Features
Endpoints visibility through telemetry
Ensurce all fabric components have unified view of endpoints for

tracking & awareness, compliance and reporting
Secure remote remote connectivity via

Secure remote remote con...

ZTNA Tagging
Secure VPN Tunnels

Has 4 Editions
ZTNA
EPP/ATP
Managed Service
Chromebook
ZTNA
An access control method that uses client device identification and
authorization and ZTNA tags to provide role-based access to apps of
on/off fabric users
Granular Access to endpoints
You can configure ZT tags, conditions and policies on EMS
EMS shares ZT tags info with FG using security fabric integration

Device Verification
Verification Rules Criteria
EMS groups endpoints based on ZTNA tags
FG uses groups to create dynamic F/W policies

Verification Rules Criteria

Certificate
Login Domain
Files present
Registry Keys
ZTNA Destination
ZTNA destination create non-VPN secure encrypted
connection to applications
FC uses FG as HTTPS gateway using digital certificate

from EMS using FC UID
FG is used as local proxy gateway
FG is uses UID to identify endpoints

FG checks and
allow/deny access
If allowed by admin, ZTNA destination
can be configured on FC itself:
If allowed by admin, ZTNA ...

Rule Name
Destination (IP/Port, FQDN)
Proxy gateway (IP/Port)
Mode: default Transparent
Encryption b/w FC/FG

EPP/ATP
All ZTNA licenses - AV,Anti-malware,Anti-exploit
Cloud malwaredetection,application firewall, software inventory
APT through FC cloud Sandbox
FortiClient comprehensive endpoint protection helps to safeguard

systems from advanced security threats, such as malware.
Managed Service
Initial FC cloud provisioning with customer to setup cloud enviornment
Endpoint onboarding
Security Fabric setup & Integration
Vulnerability monitoring
Chromebook
Manages one Google Chromebook user
If more users license is needed, EMS borrows from fabic

agent license
Unified Orgnization Security Policy
Unified Orgnization Security Policy
An organization security policy provides full understanding
view of security policies defined in the organization
Used to manage endpoints seurity for Windows,

macOSplatforms
Thank you

FortiClient EMS Course Notes

Uploaded by

Copyright:

Available Formats

FortiClient EMS Course Notes

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiClient EMS Course Notes

Uploaded by

Copyright:

Available Formats

FortiClient EMS Course Notes

FortiClient EMS is the management server that centrally

Provisions & Manages FCs

Groups FCs based on ZTNA tagging rules

Updating endpoint user profiles regardless of location

Administer FC connections (status, accept, block and

Manages and monitors outdated FC version

Manages FC Webfilter in connected Google Chromebook

Manages FC Webfilter in c...

Server: secure communication b/w:

Server: secure communica...

chromebook and Google Admin Console

Stores user info. from Google Admin Console for

As part of EMS, SQL server Database is installed

You can backup/Restore with same DB version ONLY

You can backup/Restore w...

You must wait for restored DB to reload before using it

Runs on server, PCs and Laptops

You must enable Fortiproxy to use web filter

Can be enabled for on/off-fabric endpoints

You can select site categories from Fortiguard

FC can rate site by URL & IPS separately

Provides additional security by Fortiguard

Configure actions when Fortiguard is unavailable

Can be configured for URL / URL types

Actions available: allow, block and monitor

List all exclusion list when action is block only.

ZTNA Server: Defines access proxy VIP and real servers

Used to manually connect/disconnect FC to EMS

FC can use gateway to connect FC to EMS using:

ZTNA Telemetry Compliance

FC can use gateway to con...

ZTNA Telemetry Compliance

To be compliant, you must have all 3:

To be compliant, you must...

EMS must be 7.2.0

FortiOS must be 7.2.0

All info are used to understand endpoint workload to better

S/W info (OS version)

Users Credentials (User name, Avatar, Hostname)

Vulnerability scanning info

Applies security profiles to protect traffic

Redirects the client requests to the access proxy

ZTNA IP/MAC-based Acces...

Does not use access proxy

Uses ZTNA tags for access control

FC performs VUS on endpoints

One-click to install patches and resolve Vulnerability

Detect, Respond and Remediate

Next-Generation AV (Pre-Execution Protection PEP) and

Application Control to block outdated/unwanted

Configure user privileges/permissions on all

Initially, No password for admin

Two types of Admin accounts

Two types of Admin accounts

Windows Users (Local host server)

LDAP Users (AD)

All roles are derived from 3 categories

All roles are derived from ...