EMS 6.4.3 client monitor & tag update | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!EMS 6.4.3 client monitor & tag update

Author Post Essentials Only Full Version
Jirka Gold Member Total Posts : 184 Scores: 7 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline 2021/02/27 12:30:34 (permalink) 6.4 0 EMS 6.4.3 client monitor & tag update Hello, I installed an EMS server (6.4.3) for the customer. More or less everything works, but: 1) how to force FG (6.4.3) to see FortiClients connected to VPN? I have the EMS Fabric connector set up and working. In the SSL VPN Monitor I see a client connected, but FortiClient Monitor is empty. In the EMS Administration Guide I see: FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway. So should I understand that if the FortiClient is not connected directly to any FG interface (and ssl.root is not a valid interface?), there is no chance that the FG will know about it? Shouldn't the EMS server send client information? I tried: config system interface edit ssl.root set allowaccess fabric but Must set ip as fabric is enabled. object set operator error, -118 discard the setting Command fail. Return code 1 Do I understand correctly that it is necessary to set the IP address on the ssl.root interface? 2) I am not able to synchronize dynamic groups between EMS and FG. On the EMS, the client is correctly tagged, the tag is transferred to the FG, but without an IP or MAC record. "Unresolved dynamic address: FCTEMSxxxxxxxx" Thank you. Jirka post edited by Jirka - 2021/02/27 12:35:42 Attached Image(s) #1 FortiClient, FortiGate 4 Replies Related Threads
rrmueller New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2020/12/31 07:09:30 Status: offline Re: EMS 6.4.3 client monitor & tag update 2021/04/05 11:32:41 (permalink) 0 same issue, looks like the telemetry only works when the SSLVPN client is up, even though telemetry shows connected to the EMS without the SSLVPN. I also find that it's a coin toss to whether I get the DHCP IP address given by the SSLVPN or the endpoint network interface handed off from a home router (192.169.x.x). We are running 6.4.3 EMS, 6.4.1 FortiClient(its seems to work, as 6.4.3 was broken) and 6.4.4 FortiOS. Has anyone figured out how to make these tags actually work, or is there a set of versions that work properly. Working properly would be (to me)... On SSLVPN or not, proper telemetry for the interface connected to telemetry (might be hardwired, might be WIFI), both the IP address and MAC address. When connected to SSLVPN, the IP address should be the IP address handed off by the SSL VPN rm #2
Magion Bronze Member Total Posts : 48 Scores: 4 Reward points: 0 Joined: 2019/08/20 01:06:02 Status: offline Re: EMS 6.4.3 client monitor & tag update 2021/04/06 01:32:23 (permalink) 0 sigmasoftcz In the EMS Administration Guide I see: FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway. So should I understand that if the FortiClient is not connected directly to any FG interface (and ssl.root is not a valid interface?), there is no chance that the FG will know about it? Shouldn't the EMS server send client information? I If I remember correctly I read that with the current versions the client no longer communicates directly with FGT, but all communication goes through EMS. #3
rrmueller New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2020/12/31 07:09:30 Status: offline Re: EMS 6.4.3 client monitor & tag update 2021/04/06 07:49:30 (permalink) 0 Yes, that is correct, the clients talk to EMS, EMS talks to FGT...after 6.2 The part about the FGT having to be the GW is a bit mysterious. I have half of my endpoints showing up on the FGT in a tag (diag firewall dyn list) that have SSLVPN DHCP addresss (ie. they are connected via SSL VPN) and the other half are 'home' internet IP's (these are NOT connected via SSLVPN or by any other means have the FGT as a GW). EMS clearly reports IP, MAC, Public IP...etc...for those endpoints that show up on FGT with 'home' ip address, none of these have anything to do with IP or MAC's from the FGT...yet they show up in the tag on the FGT... #4
rrmueller New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2020/12/31 07:09:30 Status: offline Re: EMS 6.4.3 client monitor & tag update 2021/04/06 13:15:20 (permalink) 0 It gets better...but in the wrong direction! So, given that the tags in the FGT 'supposedly' only attract endpoints (IP/MAC addresses) that have the FGT as their gateway...that results in every single device that is logged into the VPN to have the exact same MAC address, yet different DHCP IP addresses. It's as if the Firewall developers, don't talk to the VPN developers and neither of them talk to the FortiClient developers and the guys from the EMS development team live on Mars...what a disaster for a product that could be so cool...oh well, maybe it's just time to send it back since it clearly doesn't work. All I want is to be able to identify specific endpoints in FGT policies so I can send them down different paths. To do that I'd have to create a tag for each endpoint, not an impossible job, but it sucks with a lot of endpoints. #5

Jump to:

© 2021 APG vNext Commercial Version 5.5