Endpoint Protection with FortiClient EMS
Solutions for controlling and protecting end devices are gaining popularity quickly. In this article we look at one of them, FortiClient Enterprise Management Server (EMS): the system requirements, the installation process and the basic configuration.
FortiClient Enterprise Management Server is a centralized server for managing the FortiClient agents installed on managed workstations. It distributes the required FortiClient settings (antivirus, web filtering, telemetry, removable-device control) to every workstation connected to it.
To install it you need:
Microsoft Windows Server 2008 R2 or newer;
64-bit dual-core 2 GHz processor (or 2 vCPU);
4 GB RAM (8 GB or more recommended);
40 GB of free disk space;
Gigabit (10/100/1000BASE-T) Ethernet adapter;
Internet access;
no other services installed on the server (a dedicated machine).
Internet access is required during installation; afterwards it is optional. At run time it is used to fetch updates and signatures for the security engines.
You can find the installation file at Fortinet technical support website (account required). Or you can refer to us…
We have already deployed Windows Server 2019 and downloaded the file required for installation. Let’s launch it.
The installer shows the license agreement. Enter the user and organization name, tick the acceptance box and start the installation. Installation runs with administrative privileges, so you will be prompted for administrator credentials if you are not logged on to the server with an administrative account. The installation then begins.
It usually takes about 15 minutes. After the installation completes successfully, you will see the following window:
Start the installed EMS. You are immediately asked for a username and password. By default the login is admin with an empty password.
After logging in you are prompted to set a new password that meets certain complexity requirements. After setting the password and logging in, you will see the following message:
We are interested in trial licenses, so we click the Try free button. A valid FortiCloud account is needed to obtain licenses. If you do not have one, follow the Sign up now link and create it.
After entering and verifying the credentials, we see information about the trial license obtained:
The trial includes 10 FortiClient licenses, a cloud sandbox subscription and the endpoint protection mechanisms (antivirus, IPS, web filtering, etc.).
After activating the trial licenses, go to the main page. Add all machines from the existing domain to the FortiClient EMS inventory: go to Endpoints -> Domains -> Add a domain and enter the required data:
The added domain appears in the left-hand menu together with all the computers registered in it:
Now go to Endpoint Profiles -> Manage Profiles -> Add. Here you will find many settings: antivirus, web filter, vulnerability scanner, VPN and so on. Let's configure a profile for the domain computers:
In Malware settings we enabled antivirus and removable media control. In System Settings we enabled sending an inventory of the programs installed on the computer. You can tailor profiles as you see fit; the functionality here is quite broad.
After the profile is created, you need to decide which computers it binds to. This is done with an endpoint policy. But first we create a Telemetry Gateway List, in which we specify the FortiGate address; this is needed so that FortiClient on the endpoints sends information about the endpoint's state to FortiGate. Go to Telemetry Gateway Lists -> Manage Telemetry Gateway Lists -> Add. The creation menu looks like this:
It requires the list name, the address of the current EMS, and the FortiGate address in the Notify FortiGate field.
Now we can set up the policy. Go to Endpoint Policy -> Manage Policies -> Add:
Here we selected the domain computer group. In the Endpoint Profile field specify the profile created earlier, and in the Telemetry Gateway List field the telemetry gateway list created above.
Now we build our own installer with the functionality we need. In this example it is distributed manually, but it can also be deployed through AD Group Policy.
Go to Manage Installers -> Deployment Packages -> Add. The installer is configured in a five-step wizard.
In the first step select the installer type and version. The official installer and the latest version of the 6.2 branch suit us (6.2.6 at the time of writing). Also tick Keep updated to the latest patch.
Click Next to go to the second step, where the installer is named. We call it Domain Installer and move on to the third step:
Here you select the features the installer will include. We leave Security Fabric Agent ticked and additionally enable the antivirus. Click Next:
Here we enable automatic registration and go to the last step:
The last step covers the telemetry settings. This completes the creation of the installer, which then appears in the menu with a link for downloading it. If necessary, the location from which installers are served can be changed under System Settings -> Server -> EMS Settings:
Go to the workstation and open the link shown in the Manage Installers -> Deployment Packages menu:
Download the MSI file that matches your system (x64 or x86) and run it with administrator rights to install FortiClient. Start FortiClient, open the Fabric Telemetry menu and enter the address of the EMS server.
Once the computer connects to EMS it is shown on the server dashboard as connected and consumes one of the 10 trial licenses. Go to Endpoints -> All Endpoints and select the connected client:
This window shows information about the connected machine and the profiles applied to it. The Scan button lets you run an antivirus scan or a vulnerability scan. When the scan finishes you can view its results:
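When the package is rolled out to more than a handful of machines (by Group Policy, a software distribution tool or a remote shell) the manual download-and-click step above is replaced by a silent MSI install followed by a check that the agent actually came up. The following PowerShell script is an added example and not part of the original article or of Fortinet's tooling. It assumes the two MSI files downloaded from Deployment Packages were saved next to the script under the names FortiClient_x64.msi and FortiClient_x86.msi, and that the FortiClient Service Scheduler runs as the Windows service named FA_Scheduler; the msiexec switches used are the standard ones.

```powershell
# Added example: silent install of the EMS deployment package plus a post-install check.
# Assumptions (not from the article): MSI file names below, service name FA_Scheduler.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Pick the MSI matching the OS architecture (assumed file names, saved next to the script).
$msiName = if ([Environment]::Is64BitOperatingSystem) { 'FortiClient_x64.msi' } else { 'FortiClient_x86.msi' }
$msiPath = Join-Path -Path $PSScriptRoot -ChildPath $msiName
if (-not (Test-Path -LiteralPath $msiPath)) {
    throw "Installer not found: $msiPath (download it from Manage Installers -> Deployment Packages first)"
}

# Standard msiexec switches: quiet, no UI, no automatic reboot, verbose log file.
$logPath = Join-Path -Path $env:TEMP -ChildPath 'FortiClient_install.log'
$msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', "/l*v `"$logPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Exit code 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $logPath"
}

# Check 1: the product is registered in the Windows uninstall keys (32- and 64-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'FortiClient*' } |
           Select-Object -First 1 DisplayName, DisplayVersion
if (-not $product) { throw 'FortiClient does not appear in the installed programs list' }

# Check 2: the FortiClient Service Scheduler is running (assumed service name FA_Scheduler).
$svc = Get-Service -Name 'FA_Scheduler' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'FortiClient Service Scheduler (FA_Scheduler) is not running'
}

# Summary object, convenient to collect from many hosts with Invoke-Command.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Product        = $product.DisplayName
    Version        = $product.DisplayVersion
    Service        = $svc.Status
    RebootRequired = ($proc.ExitCode -eq 3010)
}
```

The script throws on any failure, so when run through Invoke-Command against a list of computers the hosts where the agent did not install, or installed but did not start, stand out immediately instead of appearing later as machines missing from the EMS inventory. Keep the verbose msiexec log: it is the first thing to look at when a package fails on a subset of machines.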
The basic setup is complete. By adjusting profiles and other settings you can now manage endpoint security as required. In addition, we will show how Compliance is configured. It lets EMS pass endpoint state to FortiGate, which can then restrict each endpoint's access to different networks based on that state. Go to Compliance Verification Rules -> Add to reach the Compliance settings menu. First create the rule itself by clicking Add Rule:
Rules can be configured for Windows, iOS, Mac, Linux and Android; most rule types exist for Windows. Here you can check the installed antivirus software, OS version, running processes and much more:
As an example, we create a rule that checks whether the connected machine has logged on to the test.local domain. If the machine is in the domain, FortiGate can give it extended network access; if not, minimal access. An example of the setting is shown in the figure below:
Click Save and return to the parent rule. Give the rule a name and create a tag by entering its name in the Tag Endpoint As field:
Save the rule. As an exercise, try creating a tag that marks endpoints running a specific OS version. Now look at the settings of the connected machine:
As you can see, two tags are now attached to the machine: indomain and windowstenonhost. The second tag indicates that the connected machine runs Windows 10.
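When an endpoint does not receive the tag you expect, it helps to see, from the endpoint itself, the facts the two rules evaluate. The function below is an added example, not code from the article or from Fortinet; it reads the machine's domain membership and OS caption through CIM and reports which of the two tags from the example (indomain for the domain test.local, windowstenonhost for Windows 10) should apply. It assumes the domain rule is satisfied by machine membership in test.local; if your rule is evaluated against the logged-on user's domain instead, compare against the user's domain rather than the computer's.

```powershell
# Added example: report the conditions behind the article's two compliance tags.
# Assumptions: domain name test.local and the tag names are taken from the article's rules;
# the domain rule is treated as machine membership (not the logged-on user's domain).
function Get-ExpectedEmsTags {
    param(
        [string] $ExpectedDomain = 'test.local'
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Rule 1: member of the expected domain. A workgroup PC reports PartOfDomain = $false
    # and Domain = 'WORKGROUP', so both checks are needed.
    $inDomain = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

    # Rule 2: OS is Windows 10. Caption carries the product name; Version carries the build,
    # which is what you compare against when the rule is a minimum-version check instead.
    $isWin10 = $os.Caption -like '*Windows 10*'

    $tags = @()
    if ($inDomain) { $tags += 'indomain' }
    if ($isWin10)  { $tags += 'windowstenonhost' }

    [pscustomobject]@{
        Computer     = $cs.Name
        Domain       = $cs.Domain
        PartOfDomain = $cs.PartOfDomain
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        ExpectedTags = $tags
    }
}

Get-ExpectedEmsTags
```

If the script lists a tag that EMS does not show for the same endpoint, the mismatch is on the EMS side (rule scope, the endpoint not being in the policy that carries the rule, or telemetry not yet refreshed); if the script does not list it either, the endpoint genuinely does not meet the condition and the FortiGate policy is doing exactly what it should.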
Now for the FortiGate side. The first step is to configure the connection to FortiClient EMS, and for that the Security Fabric connection must be allowed as administrative access on the FortiGate interface. Go to Network -> Interfaces and select the port through which EMS will be reached; in our case this is port2. Open its settings, tick Security Fabric Connection in the Administrative Access section and click OK:
Next, go to Security Fabric -> Fabric Connectors and find FortiClient EMS in the list of connectors. Enter the IP address of the EMS server and click Apply & Refresh. If everything went well, the number of tags created on FortiClient EMS appears in the User/Groups field.
Almost done. Now we write a policy that allows users logged on to the domain to access the Internet. Go to Policy & Objects -> IPv4 Policy and create a new policy:
All settings are standard; only in the Source field you need to select an address range (you can select all) together with the user group that is allowed Internet access, in our case IN_DOMAIN. Then configure the required security profiles and save the policy.
This is how Compliance works between FortiGate and FortiClient EMS. We have covered only the simplest examples; in practice there are many more scenarios for using this solution.
If you have any questions or need help with testing, write to us…