FortiClient
sthapa
Staff
Article Id 194881

Description


This article describes how to troubleshoot the endpoint record information that FortiGate exchanges with the EMS server for VPN users.

 

Scope

 

FortiGate.


Solution


To support this feature, the FortiClient, FortiGate and FortiEMS server must be version 6.4.0 or above.

With VPN, the VPN daemon collects the FortiClient-UID, and the FortiGate requests a TAG for that FortiClient-UID from the EMS server using a JSON API.

 

  1. First, verify that the FortiGate can connect to the EMS server successfully, using the command below.

 

diagnose endpoint fctems test-connectivity <name>

 

  2. Check whether the FortiGate receives a FortiClient-UID through the VPN daemon by running these commands:

 

diag deb app ssl -1 (for sslvpn)
diag deb app ike -1 (for ipsec)

diag endpoint filter show-large-data yes 
diag deb app fcnac -1

 

[240:root:24]Will add auth policy for policy 148 for user SUMIT_THAPA:SSL-VPN-GROUP
[240:root:24]Add auth logon for user SUMIT_THAPA:SSL-VPN-GROUP, matched group number 1
[ec_ems_queue_vpn_client_act:281] VPN client change: 0, uid:F06E0BF328C6BC354CC4AEE36EAxxxxx,
 intf:wan1, vdom:root, ip:10.0.6.1, sn:FGTXXXXXXXXXX
[fcems_recv_req_epoll:1463] called.
[240:root:0][fcems_recv_req:1431] called.

RCV: LCP Configure_Request id(1) len(10) [Magic_Number 707F9975]
[240:root:0][ec_rec_set_sslvpn_conn:736] called (FTCL UID F06E0BF328C6BC354CC4AEE36EAxxxxx).
SND: LCP Configure_Request id(1) len(10) [Magic_Number 32AC1EA3]
[ec_rec_add:790] called (FTCL UID F06E0BF328C6BC354CC4AEE36EAxxxxx)

 

  3. The FortiGate API call to the EMS server for FTCL UID F06E0BF328C6BC354CC4AEE36EAxxxxx:

 

[ JSON API Call for F06E0BF328C6BC354CC4AEE36EAxxxxx ]

[__debug_process_call:1028] Call report-tags through EMS EMS_SERVER_NAME was successful.
[ec_ems_ez_prep_for_call_ex:1020] referer: https://<EMS_IP>
[ec_ems_ez_prep_for_call_ex:1052] API URL: https://<EMS_IP>/api/v1/report/fct/sysinfo <-------- API HTTP Request URL
[ec_ems_ez_prep_for_call_ex:1056] Added to header: "Content-Type: application/json"
[ec_ems_ez_prep_for_call_ex:1065] request_body:
"""
{"sn_list":Mohit_S_1-1659010699192.png ,"updated_after":"2020-12-07 07:58:14.4236520",
"uid_offset":"F06E0BF328C6BC354CC4AEE36EAxxxxx"} <------ JSON Body FTCL UID
"""
[__debug_submit_call_result:393] SUCCESS! Call to report-sysinfo-set API for EMS EMS_SERVER_NAME was
 successfully submitted.

[188:root:0]total sslvpn policy count: 6
[fcems_rest_api_retrieve_calls:1163] Call retrieve attempt. EMS: EMS_SERVER_NAME, code: 0,0,0.
[fcems_rest_api_process_report_call:1108] reply:
"""

 

  4. The final JSON response packet from the EMS server.

 

[ec_ems_json_reply_general_check:302] called (EMS SN FCTEMS000XXXXX).  <---- Receiving endpoint information.
[fcems_json_unzip:274] unzipped:
"""
{"F06E0BF328C6BC354CC4AEE36EAxxxxx":{"forticlient_id":65,"fct_ver":[6,4,4],"onnet":true,"online":true,"quarantined":false,"is_sslvpn":true,"av_running":false,
"vuln_scan_running":false,"gateway_interface":"wan1","vdom":"root","fgt_sn":"FGTXXXX","ip":"10.1.12.3","mac":"x.x.x.x.x.x"
,"mac_list":Mohit_S_0-1659010575820.png ,"hostname":"SumitThapa","host_manufacturer":"samsung","host_model":"NA","cpu":"ARM","memory":"3704","os_ver":"Android Phone 10"
,"os_type":"AOS00","group_name":"Other Endpoints","user_name":"Sumit Thapa"}
"""

 

  5. Check the endpoint records in FortiGate using the following command.

 

diagnose endpoint record list

 

As of FortiOS 7.4.2, 'diagnose endpoint record list' has been changed to 'diagnose endpoint ec-shm list'.
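
As an added example (not Fortinet code and not part of the original article), the following Python script correlates steps 2 to 4 over a saved debug capture: which FortiClient UIDs the VPN daemon reported, which appeared in an EMS request body, and which came back with an endpoint record. The sample capture is constructed, and the 32-character UID pattern and the function names are assumptions based on the output shown above.

```python
import json
import re

# Constructed sample, modelled on the debug output in this article.
# The UIDs, address and field values are made up for illustration.
SAMPLE = '''\
[240:root:0][ec_rec_set_sslvpn_conn:736] called (FTCL UID 0123456789ABCDEF0123456789ABCDEF).
[240:root:0][ec_rec_set_sslvpn_conn:736] called (FTCL UID FEDCBA9876543210FEDCBA9876543210).
[ec_ems_ez_prep_for_call_ex:1065] request_body:
"""
{"updated_after":"2020-12-07 07:58:14","uid_offset":"0123456789ABCDEF0123456789ABCDEF"}
"""
[fcems_json_unzip:274] unzipped:
"""
{"0123456789ABCDEF0123456789ABCDEF":{"online":true,"quarantined":false,
"is_sslvpn":true,"gateway_interface":"wan1","vdom":"root","ip":"10.1.12.3"}}
"""
'''

# Assumption: a UID is 32 word characters, as in the (redacted) sample above.
UID_RE = re.compile(r"\(FTCL UID (\w{32})\)")               # step 2: VPN daemon
REQ_RE = re.compile(r'"uid_offset":"(\w{32})"')              # step 3: request body
REPLY_RE = re.compile(r'unzipped:\s*"""\s*(.*?)\s*"""', re.S)  # step 4: EMS reply


def trace_uids(debug_text):
    """Map each FortiClient UID to how far it got through steps 2-4."""
    status = {}

    def entry(uid):
        return status.setdefault(
            uid, {"vpn_seen": False, "requested": False, "record": None})

    for uid in UID_RE.findall(debug_text):
        entry(uid)["vpn_seen"] = True
    for uid in REQ_RE.findall(debug_text):
        entry(uid)["requested"] = True
    for body in REPLY_RE.findall(debug_text):
        try:
            reply = json.loads(body)
        except json.JSONDecodeError:
            continue  # truncated or redacted capture: record stays None
        for uid, record in reply.items():
            if isinstance(record, dict):
                entry(uid)["record"] = record
    return status


def missing_records(debug_text):
    """UIDs the VPN daemon reported but for which no EMS record was parsed."""
    return sorted(uid for uid, s in trace_uids(debug_text).items()
                  if s["vpn_seen"] and s["record"] is None)
```

A UID returned by `missing_records` was seen on the VPN side but has no parsed EMS reply in the capture, which points the investigation at steps 3 and 4 rather than at the VPN daemon.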

 

For non-VPN users, note that FortiOS only receives endpoint information and enforces compliance for directly connected endpoints, that is, endpoints that have the FortiGate as their default gateway.

Related document:
FortiOS dynamic policies - FortiClient EMS administration guide.