FortiClient
mforbes (Staff)
Article Id 196232
Description
This article clarifies when FortiTelemetry should be used, and when it can be disabled, on a FortiGate that is coupled with a FortiClient EMS installation.
Scope
All FortiGates
FortiClient Endpoints
FortiClient Enterprise Management System (EMS)

Solution
FortiTelemetry is used by FortiGate as part of the Cooperative Security Fabric. When enabled, it allows the FortiGate to communicate securely with FortiClient Endpoints over port 8013, and with any other Fortinet products located in its environment (FortiAnalyzer, FortiManager, FortiSandbox, FortiMail, FortiAuthenticator).

FortiTelemetry is enabled by default on FortiGate. It is not a requirement for operation and can be safely disabled if the FortiGate will not be part of the Cooperative Security Fabric.


FortiClient Endpoints always attempt Registration to one of two Management devices: either a FortiGate or an Enterprise Management Server (EMS).

What's the difference?

Endpoint Compliance - enforced by a FortiGate. FortiClient Endpoints are barred from accessing the network if their settings do not match the Compliance rules specified in a FortiClient Compliance Profile.
Endpoint Control - implemented on FortiClient EMS. When FortiClient EMS is used, the FortiGate should be running FortiOS 5.4.1 or HIGHER.


To disable FortiTelemetry

1.  Go to System/Feature Visibility/Security Features  ->  Set 'Endpoint Control' to the ON position, then click 'Apply'.



2.  Go to Network/Interfaces -> Edit any Interface that shows 'FortiTelemetry' under the 'Access' column ->  un-check 'FortiTelemetry', then save the settings.

VPN Tunnels
IPSec VPN tunnels use a sub-interface, and FortiTelemetry is enabled on it by default. Make sure to expand the sub-interface, edit it and disable FortiTelemetry there as well.
  • SSL VPN does not create a sub-interface; it listens on any interface that has been assigned to it.
  • Go to VPN/SSL VPN Settings. Locate "Allow Endpoint Registration" and verify it is disabled.
3.  Go to Security Profiles/FortiClient Compliance Profiles  ->  Disable "System Compliance" 
4. To discard all FortiClient Endpoints that may have Registered, open a Command Line to the FortiGate, then run the following command:

diag endpoint registration deregister all  <ent>

FortiGate will reply with the following (select 'y' to proceed):

This operation will deregister all FortiClients!
Do you want to continue? (y/n)

Close the CLI window.
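After completing the steps above, it is worth confirming that nothing still answers on the FortiTelemetry port. The following check is an added example and not part of the original article or of any Fortinet tool: it probes TCP port 8013 (the port named above) on a list of FortiGate interface addresses and reports any address where a listener still answers. The interface addresses in the example are constructed placeholders.

```python
import socket
from contextlib import closing, contextmanager

# TCP port used by FortiTelemetry, as stated in the article.
FORTITELEMETRY_PORT = 8013


def telemetry_port_open(host, port=FORTITELEMETRY_PORT, timeout=2.0):
    """Return True if a TCP listener completes the handshake on host:port.

    A completed connect means something is still listening; a refused or
    timed-out connect is treated as 'not listening'.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def still_listening(addresses, port=FORTITELEMETRY_PORT, timeout=2.0):
    """Return the subset of addresses on which the telemetry port still answers."""
    return [addr for addr in addresses if telemetry_port_open(addr, port, timeout)]


@contextmanager
def local_listener():
    """Open a throwaway TCP listener on loopback and yield its port (used for self-testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    # Constructed placeholder addresses: replace with the FortiGate's interface
    # and IPSec sub-interface addresses after disabling FortiTelemetry on each.
    interfaces = ["192.0.2.1", "192.0.2.2", "198.51.100.1"]
    leftovers = still_listening(interfaces)
    if leftovers:
        print("FortiTelemetry still listening on:", ", ".join(leftovers))
    else:
        print("No FortiTelemetry listener found on the checked interfaces.")
```

Run it from a host on the same segments as the interfaces being checked; a firewall policy that drops the probe will also report "not listening", so confirm in the GUI as well.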

Supplementary references
__________________________________________________________________________________________________________
Security Fabric

Fortinet Security Fabric

FortiClient Compliance Guide

Security Fabric installation and audit

Cooperative Security Fabric