Go to System Settings -> EMS Settings and enable the Multi-tenancy toggle at the bottom of the page:
In the top right, open the site drop-down and click Configure Sites:
If Configure Sites is not shown as an option, select Global first; the Configure Sites option then appears.
Edit the site that currently holds the licenses. In my instance, 3 licenses were assigned to the Default site, because I am using the free perpetual trial licenses. Reduce the Default site's license quantity to free up licenses for the other sites.
In my lab, I created 2 new sites called LAB1 and LAB2, as you can see below.
When you create a site, you can allocate licenses to it from the pool of licenses not yet allocated to any site.
Here is what the license allocation looks like once I assigned one license to each site:
At this point I also referred to the FortiGate administration guide on FortiClient multi-tenancy: https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/704318/forticlient-multi-tenancy
My scenario is:
I have one FortiGate (let's call it FortiGate #1) with multiple VDOMs.
I also have another FortiGate firewall (FortiGate #2) which does not have VDOMs enabled.
I want a VDOM on FortiGate #1 to connect to the EMS server and register against an EMS site called LAB1.
Similarly, I want FortiGate #2 to connect to the EMS server and register against site LAB2.
If using VDOMs: go to each VDOM that you want to connect to FortiEMS and add the configuration below, which lets the VDOM override the global EMS settings.
If you skip this, the FortiEMS Fabric Connector configuration is grayed out in the GUI for that VDOM.
config endpoint-control settings
set override enable
end
Add the FortiEMS Fabric Connector and authorize it.
When FortiEMS is in multi-tenancy mode, you must use an FQDN for the "IP/Domain name" when setting up the Fabric Connector on the FortiGate, and the FQDN must carry the tenant ID as its leftmost label, i.e. <tenant-id>.<ems-fqdn>. The tenant ID is the EMS site name: in my example the site is called LAB1, so the tenant ID is LAB1 and my FortiGate needs to connect to lab1.ems01-shaunlab.com.
My "IP/Domain name" is therefore lab1.ems01-shaunlab.com, which resolves to 10.1.100.20, the EMS server. In the lab I had to create a DNS Database entry on the FortiGate for this name to resolve; in production you would instead publish a DNS record for it, assuming the Fabric Connector runs over the internet.
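As an added pre-flight check (not part of the original write-up), the script below builds the tenant FQDN for each EMS site the way this post describes, confirms that each name resolves to the EMS server, and prints the FortiGate DNS Database entry that I used in the lab. The domain, IP and site names are the lab values from this post; the FortiOS syntax in the generated snippet is what I recall for 7.x and should be checked against your firmware. The resolver is injectable so the check can be exercised offline with a constructed lookup table.

```python
import socket

# Lab values from this write-up; adjust for your environment.
EMS_BASE_DOMAIN = "ems01-shaunlab.com"
EMS_IP = "10.1.100.20"
SITES = ["LAB1", "LAB2"]


def tenant_fqdn(site: str, base_domain: str = EMS_BASE_DOMAIN) -> str:
    """Build the name a FortiGate must use in EMS multi-tenancy mode:
    the site name (tenant ID) becomes the leftmost DNS label."""
    site = site.strip()
    if not site or "." in site or " " in site:
        raise ValueError(f"site name is not usable as a DNS label: {site!r}")
    return f"{site.lower()}.{base_domain}"


def _system_resolve(name: str) -> list:
    """Default resolver: all A records for a name, [] if it does not exist."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def check_tenant_dns(sites, ems_ip: str = EMS_IP, resolve=None) -> dict:
    """Return {tenant_fqdn: status}. 'ok' means the name resolves to the EMS
    server; anything else describes what a FortiGate would run into."""
    resolve = resolve or _system_resolve
    results = {}
    for site in sites:
        fqdn = tenant_fqdn(site)
        addrs = resolve(fqdn)
        if not addrs:
            results[fqdn] = "NXDOMAIN: publish a DNS record or add a FortiGate DNS Database entry"
        elif ems_ip not in addrs:
            results[fqdn] = f"resolves to {addrs}, expected {ems_ip}"
        else:
            results[fqdn] = "ok"
    return results


def fortigate_dns_database(sites, base_domain: str = EMS_BASE_DOMAIN,
                           ems_ip: str = EMS_IP) -> str:
    """Render the FortiGate DNS Database zone used in the lab.
    Assumption: FortiOS 7.x 'config system dns-database' syntax."""
    lines = ["config system dns-database",
             f'    edit "{base_domain}"',
             f'        set domain "{base_domain}"',
             "        config dns-entry"]
    for n, site in enumerate(sites, start=1):
        lines += [f"            edit {n}",
                  f'                set hostname "{site.lower()}"',
                  f"                set ip {ems_ip}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for fqdn, status in check_tenant_dns(SITES).items():
        print(f"{fqdn}: {status}")
    print(fortigate_dns_database(SITES))
```

Run it from a host that uses the same DNS as the FortiGate (or point `resolve` at a table of what you expect) before authorizing the connector; a tenant FQDN that resolves to the EMS IP but lacks the tenant label will reach the server yet land in the wrong site.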
Now go to FortiEMS and switch to the LAB1 tenant; a popup is waiting for you to authorize the connection:
Go back to the FortiGate and click Refresh:
It is now connected.
Click the tick box as shown below:
It is best practice to use an FQDN for FortiClient's connection to EMS, so the server address baked into installers does not have to change if the EMS IP address does.
To allow FortiClient to connect to EMS via an FQDN, go to the Global site -> System Settings -> EMS Settings -> "Use FQDN". Here I supplied ems.shaunlab.com.
First I changed the Cloud Region from North America (the default) to Asia:
On the left-hand menu, go to Deployment & Installers -> FortiClient Installer -> Add (top right) and create the installer:
If you don't see the Repackaged Installer Files option shown below, your EMS server does not have internet access.
On the features screen I enabled only the following, because I am only doing VPN and ZTNA, and may want to do SSOMA (Single Sign-On Mobility Agent) at some stage:
Secure Access Architecture Components
Single Sign-On Mobility Agent
Zero Trust Network Access
For the remaining options in the installer wizard I enabled desktop and Start menu shortcuts, then finished the wizard.
Then I went to the Global site to change the Installer Address:
Back in the LAB1 site, I can now click the link here to download the FortiClient installer I just created:
Then install it on the PC:
On first startup this appeared. I still need to work out what to do about it:
To connect FortiClient to FortiEMS we are going to use an invitation code. This keeps enrolment closed: only devices presenting the invitation code can register with your EMS server, and only then are they allowed to initiate SAML authentication for the user. Before we can create the invitation, we need a SAML configuration so users can authenticate themselves.
Add a new SAML configuration as shown below:
Log into Azure and create an Enterprise Application:
Copy the URLs from EMS across to Azure like so:
and then copy the URLs from Azure into EMS:
Download the Base64-encoded certificate and import it into EMS, then save the configuration:
Finally, add users or groups to the Enterprise Application:
Add a new Invitation configuration (now that a SAML configuration exists we can select it):
Copy the (very long) invitation code:
Paste the invitation code into FortiClient:
Complete user authentication. This is where the end user provides their own credentials.
Now the connection has completed:
Let's have a look at the new computer enrolled into EMS:
I created a generic tag that is applied when the computer is enrolled in EMS, has Defender running, is Windows 11, and has Telemetry up and running:
If you want FortiClient to display which Security Posture Tags are applied to it, enable the option shown below.
This is not essential, because you can see the Security Posture Tags applied to each computer's FortiClient directly on the EMS server under Endpoints -> All Endpoints.
Now go to FortiClient and click the profile picture to open the screen that shows the Security Posture Tags. As you can see below, my FortiClient has the Compliant_Device tag applied:
I needed to set this option to "Share all FortiClients" before the endpoint MAC and IP addresses would synchronize down to the FortiGate:
In my lab I am running a FortiGate 40F on version 7.6.4, which is a 2GB model. There is a special condition for 2GB models, described here: https://docs.fortinet.com/document/fortigate/7.6.0/new-features/430326/ztna-tags-on-2-gb-entry-level-platforms-in-ip-mac-based-access-control-7-6-3
So on the firewall policy where I want to match on the "Compliant Device" ZTNA tag, I first need to configure this from the CLI:
config firewall policy
edit <id>
set ztna-status enable
set ztna-ems-tag EMS1_ZTNA_Compliant_Device
next
end
After you do this, the ZTNA tag configuration appears in the GUI on the Firewall Policy:
You have the option to use an IP Tag and/or a MAC Tag:
IP Tag - matches the machine on the IP address EMS reported for it
MAC Tag - matches the machine on the MAC address EMS reported for it
At this point I can access the internet, matching the firewall policy named ZTNA_internet (shown above). As soon as the tag is removed from the endpoint in EMS, the machine will no longer match ZTNA_internet.
Following the same steps as above, we can connect FortiGate #2 to EMS site LAB2.
FortiGate #2, and the FortiClient instances on each computer behind FortiGate #2, connect to the EMS server over the internet.
Below are the firewall policies created on the FortiGate that hosts access to the EMS server:
To change the FortiClient repository URL port, log in to the EMS VM via SSH or the console and run:
ems@fcems-server $> config set console --fileserver.port=60443
To change the GUI management port, log in to the EMS VM via SSH or the console and run:
ems@fcems-server $> config set console --https.port=4343
These commands can be used on the FortiGate to view the information received from EMS:
diagnose firewall dynamic list
    Lists all MAC and IP addresses received from EMS, grouped by their posture tags.
diagnose endpoint ec-shm list
    A more comprehensive view of the MAC and IP addresses received from EMS, with a lot of other information about each PC.
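As an added example (my own, not from the original post), the script below parses the tag-to-address listing that "diagnose firewall dynamic list" prints and reports, for a list of endpoints you expect to hit the ZTNA_internet policy, whether each one currently carries the Compliant_Device tag, is known to the FortiGate but not compliant, or has not been received from EMS at all. The sample output is constructed to the layout I have seen on FortiGates (a "<tag>: ID(n)" header followed by indented "ADDR(...)" lines); treat that layout, the MAC(...) handling and the second tag name as assumptions and adjust the regular expressions if your firmware prints it differently.

```python
import re

# Constructed sample in the layout assumed above; the 10.1.100.x hosts and
# the second tag are invented for illustration.
SAMPLE_OUTPUT = """\
List all dynamic addresses:

EMS1_ZTNA_Compliant_Device: ID(23)
        ADDR(10.1.100.51)
        ADDR(10.1.100.52)
        MAC(00:11:22:33:44:52)
EMS1_ZTNA_Lab_Registered: ID(21)
        ADDR(10.1.100.51)
        ADDR(10.1.100.52)
        ADDR(10.1.100.53)
"""

TAG_RE = re.compile(r"^(\S+):\s+ID\((\d+)\)")
ENTRY_RE = re.compile(r"^\s+(ADDR|MAC)\(([^)]+)\)")


def parse_dynamic_list(text: str) -> dict:
    """Return {tag_name: {"ip": set(), "mac": set()}} from the diagnose output."""
    tags, current = {}, None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = m.group(1)
            tags.setdefault(current, {"ip": set(), "mac": set()})
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            kind = "ip" if m.group(1) == "ADDR" else "mac"
            tags[current][kind].add(m.group(2).lower())
    return tags


def posture_report(tags: dict, expected_ips,
                   compliant_tag: str = "EMS1_ZTNA_Compliant_Device") -> dict:
    """For each expected endpoint IP, classify why it would or would not match
    a policy that requires `compliant_tag` as its IP Tag."""
    compliant = tags.get(compliant_tag, {"ip": set()})["ip"]
    known = set().union(*(t["ip"] for t in tags.values())) if tags else set()
    report = {}
    for ip in expected_ips:
        if ip in compliant:
            report[ip] = "compliant"
        elif ip in known:
            report[ip] = "known to FortiGate but missing " + compliant_tag
        else:
            report[ip] = "not received from EMS (check sharing setting and telemetry)"
    return report


if __name__ == "__main__":
    parsed = parse_dynamic_list(SAMPLE_OUTPUT)
    for ip, verdict in posture_report(parsed, ["10.1.100.51", "10.1.100.53", "10.1.100.99"]).items():
        print(f"{ip}: {verdict}")
```

Feed it the real output by saving the diagnose command's text to a file and passing the contents to parse_dynamic_list; an endpoint that drops out of the Compliant_Device set here is the same endpoint that stops matching ZTNA_internet on the FortiGate.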