Hot!EMS 6.4.3 client monitor & tag update

Author
Jirka
Gold Member
  • Total Posts : 184
  • Scores: 7
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
2021/02/27 12:30:34 (permalink) 6.4
0

EMS 6.4.3 client monitor & tag update

Hello,

I installed an EMS server (6.4.3) for the customer. More or less everything works, but:
 
1) how to force FG (6.4.3) to see FortiClients connected to VPN? I have the EMS Fabric connector set up and working. In the SSL VPN Monitor I see a client connected, but FortiClient Monitor is empty. In the EMS Administration Guide I see:
 
FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway.
 
So should I understand that if the FortiClient is not connected directly to any FG interface (and ssl.root is not a valid interface?), there is no chance that the FG will know about it? Shouldn't the EMS server send client information? I tried:
config system interface
edit ssl.root
set allowaccess fabric
but
Must set ip as fabric is enabled. object set operator error, -118 discard the setting
Command fail. Return code 1
Do I understand correctly that it is necessary to set the IP address on the ssl.root interface?
 
 2) I am not able to synchronize dynamic groups between EMS and FG. On the EMS, the client is correctly tagged, the tag is transferred to the FG, but without an IP or MAC record. "Unresolved dynamic address: FCTEMSxxxxxxxx"

 
 
Thank you.

Jirka
 
post edited by Jirka - 2021/02/27 12:35:42

Attached Image(s)

#1
rrmueller
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/12/31 07:09:30
  • Status: offline
Re: EMS 6.4.3 client monitor & tag update 2021/04/05 11:32:41 (permalink)
0
same issue, looks like the telemetry only works when the SSLVPN client is up, even though telemetry shows connected to the EMS without the SSLVPN.
 
I also find that it's a coin toss to whether I get the DHCP IP address given by the SSLVPN or the endpoint network interface handed off from a home router (192.169.x.x).
 
We are running 6.4.3 EMS, 6.4.1 FortiClient(its seems to work, as 6.4.3 was broken) and 6.4.4 FortiOS.
 
Has anyone figured out how to make these tags actually work, or is there a set of versions that work properly.
 
Working properly would be (to me)...
 
On SSLVPN or not, proper telemetry for the interface connected to telemetry (might be hardwired, might be WIFI), both the IP address and MAC address.  When connected to SSLVPN, the IP address should be the IP address handed off by the SSL VPN
 
rm
#2
Magion
Bronze Member
  • Total Posts : 48
  • Scores: 4
  • Reward points: 0
  • Joined: 2019/08/20 01:06:02
  • Status: offline
Re: EMS 6.4.3 client monitor & tag update 2021/04/06 01:32:23 (permalink)
0
sigmasoftcz
In the EMS Administration Guide I see:
FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway.
 
So should I understand that if the FortiClient is not connected directly to any FG interface (and ssl.root is not a valid interface?), there is no chance that the FG will know about it? Shouldn't the EMS server send client information? I



If I remember correctly I read that with the current versions the client no longer communicates directly with FGT, but all communication goes through EMS.
#3
rrmueller
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/12/31 07:09:30
  • Status: offline
Re: EMS 6.4.3 client monitor & tag update 2021/04/06 07:49:30 (permalink)
0
Yes, that is correct, the clients talk to EMS, EMS talks to FGT...after 6.2
 
The part about the FGT having to be the GW is a bit mysterious.
 
I have half of my endpoints showing up on the FGT in a tag (diag firewall dyn list) that have SSLVPN DHCP addresss (ie. they are connected via SSL VPN) and the other half are 'home' internet IP's (these are NOT connected via SSLVPN or by any other means have the FGT as a GW).
 
EMS clearly reports IP, MAC, Public IP...etc...for those endpoints that show up on FGT with 'home' ip address, none of these have anything to do with IP or MAC's from the FGT...yet they show up in the tag on the FGT...
 
 
#4
rrmueller
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/12/31 07:09:30
  • Status: offline
Re: EMS 6.4.3 client monitor & tag update 2021/04/06 13:15:20 (permalink)
0
It gets better...but in the wrong direction!
 
So, given that the tags in the FGT 'supposedly' only attract endpoints (IP/MAC addresses) that have the FGT as their gateway...that results in every single device that is logged into the VPN to have the exact same MAC address, yet different DHCP IP addresses.
 
It's as if the Firewall developers, don't talk to the VPN developers and neither of them talk to the FortiClient developers and the guys from the EMS development team live on Mars...what a disaster for a product that could be so cool...oh well, maybe it's just time to send it back since it clearly doesn't work.
 
All I want is to be able to identify specific endpoints in FGT policies so I can send them down different paths.  To do that I'd have to create a tag for each endpoint, not an impossible job, but it sucks with a lot of endpoints.
#5
Jump to:
© 2021 APG vNext Commercial Version 5.5