- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiTelemetry for remote users
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiTelemetry for remote users
What do people do for telemetry for remote users? Do you allow it to directly connect from the outside interface or do you require a VPN session?
For example- if you allow a direct EMS connection (through a port forward) and fortitelemetry to a fortigate on an external interface you could ensure that clients will always receive profile updates because they will always be phoning home when online. The issue is that you are opening potential holes for exploitation in the perimeter.
The other option i see is requiring a VPN connection to receive profile updates and dump cached logs. Then it's only internal traffic hitting the boxes, but you lose the near realtime functionality.
Is there some other method i'm not thinking of?
I'm working on deploying forticlient to remote devices (not internal ones) for VPN access and endpoint control/compliance and wondering what others are doing.
CISSP, NSE4
CISSP, NSE4
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently we restrict access to EMS across the VPN. Which obviously poses some challenges, namely as we migrate our users from the old VPN to FortiClient. In some cases, we end up having the user manually configure one of the VPN profiles to get connected to EMS and receive the rest of the profiles.
My big concern is dealing with upgrades of FCT for users who are entirely remote - if something were to go wrong, I can't fix it remotely.
I asked FTAC about the communication between EMS and clients, and was told its all encrypted via SSL over TCP-8013, but I haven't been able to confirm that myself. If I am able to confirm all traffic is encrypted natively between EMS and client, we will probably open it up to the Internet at large.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as the SSL question, it definitely does. My vulnerability scanner has detected that it's using the built-in Fortinet Factory cert on the firewall and another self signed one issued to support@fortinet.com in EMS.
There doesn't appear to be a way to change which cert is being used on the fortigate side and i haven't imported any valid certs to EMS to try it there yet.
I have the same concert with remote users, which is why i'm trying it with the external access on to start with. Unfortunately it seems flaky no matter what i do. Clients end up in a state that makes them unusable with relative ease. I've been working on making a rock solid setup for the past 2 weeks with versions 5.4.x and 5.6.x and haven't really been able to get anything to work correctly 100% of the time. I almost want to just dump the EMS and create the profiles manually using XML.
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So for anyone who tries this in the future- top tip!
DO NOT use the same IP address for telemetry and the VPN gateway. Actually, pretty much don't use the VPN gateway IP address for anything else external facing that a VPN user might want to use.
I was using the same IP for the EMS telemetry port forward as the VPN gateway. There is a quirk with the way that the ipsec client works where it creates a funky static route to the gateway to tunnel the traffic. This causes any traffic going to that address that is not explicitly ipsec traffic to get sent with the source address of your local network adapter with no NAT. The device on the other end won't know how to route back to the source IP and drop the traffic.
I see why this is designed that way- and I'm surprised I've never been in a situation where I run into this before.
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to understand what you're seeing.
The FortiClient VPN client is creating a static route on the users machine to the *public* IP of the VPN gateway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is an example routing table (obfuscated of course)
In this example, 1.2.3.4 is the external address of the VPN gateway (fortigate).
192.168.1.100 is the VPN client and 192.168.1.1 is its gateway to the internet.
172.16.254.10 is the VPN tunnel address handed out to the client, 172.16.254.11 is the tunnel gateway (from fortigate)
10.10.10.0 and 10.10.11.0 are accessible networks as defined in the VPN config in the split tunneling example
normal destination mask gateway interface metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 10
no split tunneling (all traffic to VPN) destination mask gateway interface metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 11 0.0.0.0 0.0.0.0 172.16.254.11 172.16.254.10 1 1.2.3.4 255.255.255.255 192.168.1.1 192.168.1.100 10
with split tunneling (internet stays local, only remote traffic to VPN) destination mask gateway interface metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 10 1.2.3.4 255.255.255.255 192.168.1.1 192.168.1.100 10 10.10.10.0 255.255.255.0 172.16.254.11 172.16.254.10 1 10.10.11.0 255.255.255.0 172.16.254.11 172.16.254.10 1
As you can see- no matter which split tunneling config you choose, the vpn client throws a specific route to the VPN gateway (with an equal/better metric) to explicitly go out the local interface. There is something happening with the tunneling where if anything is destined for that address that isn't IPsec encapsulation, it will end up going through the tunnel but with an outgoing address of the local address instead of the VPN tunnel address. This makes it so that the return path for those packets doesn't work if the client is behind a NAT.
I may have some of the details wrong, but that is the observed behavior. I got the response that this is by design from TAC.
CISSP, NSE4
CISSP, NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You were able to confirm that TCP-8013 is running inside of an SSL session? We scanned EMS with Nessus and get no info back for that port. I watched TCP-8013 traffic for awhile, and only see keep-alive type traffic, no actual data.
I am working on standing up a test client so I can connect fresh to EMS and watch that traffic, see if the payload is encrypted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can now confirm that the fortitelemetry traffic (default on 8013) is inside an SSL session. I'm currently working on a ticket with TAC where the current theory is that there is some problem with the SSL communication between my clients and fortigate preventing telemetry from connecting.
CISSP, NSE4
CISSP, NSE4
Related Posts
- Root Cause of Red Down Arrow... 101 Views
- FortiClient and T-Mobile 187 Views
- EMS cloud: Registration attempt by Endpoint... 684 Views
- Native l2tp ipsec remote access vpn 196 Views
- Static ipsec remote access ip 162 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.