
Connecting FortiGate with EMS and Syncing tags


This guide explains how to integrate FortiGate with FortiClient EMS to share endpoint information and security posture tags for ZTNA enforcement. It walks through configuring the EMS fabric connector, authorizing the connection, creating and synchronizing security posture tags, and verifying tagged endpoints across FortiGate, EMS, and FortiClient.

Tested using FortiOS v7.6.4 and EMS v7.4.4

1. Connecting FortiGate and EMS

FortiGate keeps endpoint device information and security posture tags up to date through its communication with EMS. For this to work, a fabric connector must be configured.

  1. Go to Security Fabric > Fabric Connectors, click on FortiClient EMS and select Edit:
EMS Fabric Connected disabled on FortiGate
  2. Under the EMS1 section, change the Status to Enabled, then define the EMS properties:
  • Name - any name you want to use to identify the EMS
  • IP/Domain name
  • HTTPS port
FortiClient EMS connector configuration on FortiGate
  3. Select OK to apply the changes.

Accept the certificate that the EMS presents to FortiGate; it will be used to secure the communication with the EMS:

Verify EMS certificate Fabric connector on FortiGate
The certificate presented by the EMS to FortiGate is defined under System Settings > EMS Settings using the Webserver certificate option. A different certificate can be used by first uploading one on EMS under System Settings > EMS Server Certificates.
  4. A new pop-up window appears, select Authorize:
Authorize EMS Fabric connector on FortiGate

A new browser window opens with the IP/domain and port of the EMS specified previously. Log in using the EMS credentials:

Login for authorizing EMS Fabric connector on FortiGate

Set the status to Authorize and then click on Save:

Authorize EMS Fabric connector on FortiGate verification

Alternatively, the FortiGate connection request can be accepted from the EMS GUI console by going to Fabric & Connectors > Fabric Devices:

EMS Fabric Device FortiGate in pending status

The Edit icon for this entry lets you define the capabilities, i.e. shared tags and FortiClient endpoint sharing. These are the default settings:

  • Tag Types Being Shared: Security Posture Tags
  • FortiClient Endpoint Sharing (for IP/Mac NAC use only): Only share FortiClients connected to this fabric device (Recommended)
Configuring EMS tag type sharing to FortiGate

For additional configuration details, see the FortiClient 7.4.4 EMS Administration Guide sections Fabric and Matched endpoints and resolved addresses.

  5. Back in the FortiGate window, the FortiClient EMS connector status should change to Connected:
EMS Fabric Connector authorized on FortiGate
  6. Confirm FortiGate connectivity on EMS by going to Fabric & Connectors > Fabric Devices. The status should show a check icon:
EMS Fabric Device FortiGate in authorized status
For HA clusters, the secondary node is accepted automatically a few seconds after the first node has been approved. Both nodes are listed under a section “HA cluster managed by FG…”.
EMS Fabric Devices - FortiGate in High Availability

From the FortiGate CLI, the following troubleshooting commands verify EMS connectivity once the connector is configured:

  • Verify FortiGate - EMS connectivity:
# diag endpoint fctems test-connectivity 1
Connection test was successful.

In this example the EMS ID is 1.

  • Show EMS connectivity information:
# diag test application fcnacd 2
EMS context status:


FortiClient EMS number 1:
        name(id): EMS(1) confirmed: yes
        is global: true
        interface vdom: root
        fetched-serial-number: FCTEMS8825007278
        fetched-tenant-id: 00000000000000000000000000000000
        user-data:
                verified capabilities: true
                verified identity: true
        interface-selection-method: 0
        verify-peer-method: 3
        ztna-public-key:0x7f317f430d20
Websocket status: connected, oif: 0
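The output above carries the fields a practitioner checks after every connector change: the EMS is confirmed, its capabilities and identity were verified, and the websocket is connected. The following script, an added example and not Fortinet code, parses the text of `diagnose test application fcnacd 2` and reports which of those fields deviate from the healthy state. The sample output is constructed from the one shown in this guide, and the set of required values is an assumption based on that output.

```python
"""Health check for a FortiGate -> EMS fabric connector, based on the text
output of `diagnose test application fcnacd 2`.

Added example, not Fortinet code. Assumes a healthy connector reports
`confirmed: yes`, `verified capabilities: true`, `verified identity: true`
and `Websocket status: connected`, as in the guide's sample output.
"""
import re

# Constructed sample, mirroring the output shown in the guide.
SAMPLE_OUTPUT = """EMS context status:


FortiClient EMS number 1:
        name(id): EMS(1) confirmed: yes
        is global: true
        interface vdom: root
        fetched-serial-number: FCTEMS8825007278
        fetched-tenant-id: 00000000000000000000000000000000
        user-data:
                verified capabilities: true
                verified identity: true
        interface-selection-method: 0
        verify-peer-method: 3
        ztna-public-key:0x7f317f430d20
Websocket status: connected, oif: 0
"""

BLOCK_RE = re.compile(r"^FortiClient EMS number (\d+):\s*$")

# Field -> value expected on a healthy connector (assumption, see docstring).
REQUIRED = {
    "confirmed": True,
    "verified capabilities": "true",
    "verified identity": "true",
    "websocket": "connected",
}


def parse_fcnacd(output: str) -> list:
    """Return one dict per EMS context found in the command output."""
    contexts = []
    current = None
    for line in output.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            current = {"number": int(m.group(1))}
            contexts.append(current)
            continue
        if current is None:
            continue  # header lines before the first context
        stripped = line.strip()
        if stripped.startswith("name(id):"):
            # e.g. "name(id): EMS(1) confirmed: yes"
            nm = re.match(r"name\(id\): (\S+)\((\d+)\) confirmed: (\w+)", stripped)
            if nm:
                current["name"] = nm.group(1)
                current["id"] = int(nm.group(2))
                current["confirmed"] = nm.group(3) == "yes"
            continue
        if stripped.startswith("Websocket status:"):
            # e.g. "Websocket status: connected, oif: 0"
            ws = re.match(r"Websocket status: (\w+), oif: (\d+)", stripped)
            if ws:
                current["websocket"] = ws.group(1)
                current["oif"] = int(ws.group(2))
            continue
        if ":" in stripped:
            # Generic "key: value" lines (indentation is irrelevant here).
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return contexts


def connector_problems(ctx: dict) -> list:
    """List human-readable deviations from the healthy state; empty means OK."""
    problems = []
    for key, expected in REQUIRED.items():
        actual = ctx.get(key)
        if actual != expected:
            problems.append(f"{key}: expected {expected!r}, got {actual!r}")
    if not ctx.get("fetched-serial-number"):
        problems.append("fetched-serial-number: empty (EMS identity not fetched)")
    return problems


def check_output(output: str) -> dict:
    """Map each EMS context name to its list of problems."""
    return {
        ctx.get("name", f"ems{ctx['number']}"): connector_problems(ctx)
        for ctx in parse_fcnacd(output)
    }


if __name__ == "__main__":
    for name, problems in check_output(SAMPLE_OUTPUT).items():
        print(name, "OK" if not problems else problems)
```

To use it against a live device, paste the command output into `SAMPLE_OUTPUT` or read it from a file; a non-empty problem list for a context is the cue to revisit the authorization steps above.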

2. Configuring Security Posture Tags

Security posture tags apply posture checks to endpoints based on the information EMS holds about them. This makes it possible to enforce policies when an endpoint tries to reach a resource through ZTNA. The tags are shared with the connected FortiGate.

Below, some sample tags with different purposes are created. Display of security posture tags in FortiClient is then enabled, and the tagging is verified from both EMS and FortiClient:

Tag for Vulnerability Severity Level

To configure a security posture tag that checks whether the endpoint has a high or critical vulnerability (as detected by the EMS Vulnerability Scan security profile), follow these steps:

  1. On the FortiClient EMS GUI console, navigate to Security Posture Tags > Tags:
Create new security posture tag on FortiClient EMS
  2. Set a name for the tag and a user notification message related to the tag. Then click on Add Rule:
Create new security posture tag on FortiClient EMS
  3. Select the OS (Windows in this example), then set the Rule Type to Vulnerable Devices and the Severity Level to High or higher. The severity level defines the minimum vulnerability level (low/medium/high/critical) at which the tag is applied. Then select Save:
Create new security posture tag rule on FortiClient EMS
  4. Select Save one more time:
Create new security posture tag on FortiClient EMS

The security posture tag should now be listed:

Security posture tag list on FortiClient EMS

Tag for Verifying EMS Management

To configure a security posture tag that checks whether the endpoint has FortiClient installed and Telemetry connected to EMS, follow these steps:

  1. On the FortiClient EMS GUI console, navigate to Security Posture Tags > Tags.
  2. Set a name for the tag and a user notification message related to the tag. Then click on Add Rule.
  3. Select the OS (Windows in this example), then set the Rule Type to EMS Management and Managed to FortiClient installed and Telemetry connected to EMS. Then select Save:
Create new security posture tag rule on FortiClient EMS for verifying EMS management
  4. Select Save one more time:
Security posture tag on FortiClient EMS for verifying EMS management

The security posture tag should now be listed:

Security posture tag list on FortiClient EMS

Configure the Displaying of Security Posture tags in FortiClient

For troubleshooting purposes it is recommended to display the Security Posture tags in the FortiClient interface. This is enabled on a per-profile basis. To enable it, follow this procedure:

  1. Go to Endpoint Profiles > System settings, and Edit the desired profile:
Editing system settings profile on FortiClient EMS
  2. With Advanced visibility, enable the Show Security Posture Tag on FortiClient GUI option, then select Save:
Show Security Posture tag on FortiClient GUI - FortiClient EMS System Settings profile

Verifying Security Posture Tagging

The Security Posture Tagging of endpoints can be reviewed from several places:

  1. From the FortiClient GUI:

Select the user icon; the security posture tags are listed:

Security posture tags visible on FortiClient
  2. From the EMS, go to Endpoints > All Endpoints, click on the desired endpoint and look for the Security Posture Tags property:
Security Posture tag endpoint details on FortiClient EMS
  3. From the EMS, go to Security Posture Tags > Tag Monitor. Here you can check the list of endpoints for each tag:
Tag monitor on FortiClient EMS
  4. From the FortiGate GUI/CLI. On the GUI, go to Policy & Objects > ZTNA > Security Posture Tag. Hover over the desired tag and two options are available:
  • View matched endpoints (equivalent command on CLI: diagnose endpoint ec-shm list)
  • View resolved addresses (equivalent command on CLI: diagnose firewall dynamic list)
FortiGate Security Posture tags received from EMS

The endpoint information shown on FortiGate, including the assigned tags, depends on several factors.

According to the Technical Tip: Understanding When FortiGate Displays Endpoint Information under ZTNA-Matched Endpoints and Resolved IP Address Fields in the GUI and CLI, an endpoint may be listed under both View matched endpoints and View resolved addresses, under one of them, or under neither. This depends on whether the endpoint uses the FortiGate as its gateway, is connected via SSL-VPN, or is connected to a downstream FortiGate in the security fabric.

The conditions under which an endpoint appears in each list are also described in the FortiClient 7.4.4 EMS Administration Guide - Matched endpoints and resolved addresses: “When FortiClient performs ZTNA connection, Resolved addresses is not populated with the endpoint’s IP or MAC address. Matched endpoints is populated with the endpoint’s information when FortiClient performs ZTNA connection.”

  • View matched endpoints output example:
Matched Endpoint details for a security posture tag on FortiGate

Equivalent CLI command output:

# diagnose endpoint ec-shm list
Record #0:
	IP Address = 10.0.1.2
	MAC Address = 02:09:0f:00:01:02
	MAC list = 
	VDOM = root (0)
	TOKEN VDOM =  (-1)
	EMS serial number: FCTEMS8825007278
	EMS tenant id: 00000000000000000000000000000000
	Client cert SN: 1D3D0710258CF569961291DF259F6333B9540EF9
	Public IP address: 148.230.50.82
	Quarantined: no
	Online status: online
	Registration status: registered
	On-net status: off-net
	Gateway Interface: port1
	FortiClient version: 7.4.4
	AVDB version: 1.0
	FortiClient app signature version: 35.125
	FortiClient vulnerability scan engine version: 3.11
	FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA
	Host Name: WIN10-01
	OS Type: WIN64
	OS Version: Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
	Host Description: 
	Domain: fortiad.info
	Last Login User: tsmith
	Owner: 
	Host Model: Standard PC (i440FX + PIIX, 1996)
	Host Manufacturer: QEMU
	CPU Model: Intel Xeon Processor (SapphireRapids)
	Memory Size: 8191
	AV Feature: 1
	FW Feature: 1
	WF Feature: 1
	AS Feature: 0
	VS Feature: 1
	VN Feature: 1
	Last vul message received time: Wed Nov 26 16:43:21 2025
	Last vul scanned time: Wed Nov 26 23:31:44 2025
	Last vul statistic: critical=2, high=63, medium=31, low=2, info=0
	Avatar fingerprint: 
	Avatar source username: 
	Avatar source email: 
	Avatar source: OS
	Phone number: 
	Number of Routes: (1)
			Gateway Route #0:
					- IP:10.0.1.2, MAC: 02:09:0f:00:01:02, VPN: no
					- Interface:port1, VDOM:root (0), SN: FGVM02TM25006449
  • View resolved addresses output example:
Resolved address details on FortiGate

Equivalent CLI command output:

# diagnose firewall dynamic list

...
CMDB name: EMS1_ZTNA_all_registered_clients
TAG name: all_registered_clients
EMS1_ZTNA_all_registered_clients: ID(70)
        ADDR(10.0.1.2)  <-----------------------------------
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1. 

CMDB name: EMS1_ZTNA_Vulnerable-Device
TAG name: Vulnerable-Device
EMS1_ZTNA_Vulnerable-Device: ID(311)
        ADDR(10.0.1.2)  <-----------------------------------
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1. 

CMDB name: EMS1_ZTNA_Telemetry-Connected
TAG name: Telemetry-Connected
EMS1_ZTNA_Telemetry-Connected: ID(495)
        ADDR(10.0.1.2)  <-----------------------------------
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.
...
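The two CLI outputs above are the raw material for checking that tags arrived on FortiGate as expected: `diagnose endpoint ec-shm list` carries each matched endpoint's `Last vul statistic`, and `diagnose firewall dynamic list` shows which resolved addresses sit behind each tag. The script below, an added example that is not Fortinet code, parses both outputs and re-evaluates the "Vulnerable Devices, High or higher" rule configured earlier in this guide for every matched endpoint, then reports whether the endpoint's presence in the `Vulnerable-Device` dynamic address agrees with that evaluation. The sample outputs are constructed from the guide's (record #0 and the `10.0.1.2` entries mirror the page); the second endpoint, WIN10-02 at 10.0.1.3, is invented for contrast, and the assumption that the rule fires on any finding at or above the chosen severity follows the rule description on this page.

```python
"""Cross-check FortiGate's resolved addresses against the vulnerability
counts of its matched endpoints.

Added example, not Fortinet code. Parses the text of two FortiOS commands
shown in this guide, `diagnose endpoint ec-shm list` and
`diagnose firewall dynamic list`, and re-evaluates the guide's
"Vulnerable Devices, High or higher" rule per endpoint (assumption: the
rule fires when any finding exists at or above the minimum severity).
"""
import re

# Severity levels as listed in the EMS rule editor, lowest to highest.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample: record #0 mirrors the guide (trimmed), record #1 is invented.
EC_SHM_SAMPLE = """Record #0:
\tIP Address = 10.0.1.2
\tMAC Address = 02:09:0f:00:01:02
\tVDOM = root (0)
\tEMS serial number: FCTEMS8825007278
\tOnline status: online
\tRegistration status: registered
\tHost Name: WIN10-01
\tLast vul statistic: critical=2, high=63, medium=31, low=2, info=0
Record #1:
\tIP Address = 10.0.1.3
\tMAC Address = 02:09:0f:00:01:03
\tVDOM = root (0)
\tEMS serial number: FCTEMS8825007278
\tOnline status: online
\tRegistration status: registered
\tHost Name: WIN10-02
\tLast vul statistic: critical=0, high=0, medium=4, low=1, info=0
"""

# Constructed sample in the layout of `diagnose firewall dynamic list`.
DYNAMIC_SAMPLE = """CMDB name: EMS1_ZTNA_all_registered_clients
TAG name: all_registered_clients
EMS1_ZTNA_all_registered_clients: ID(70)
        ADDR(10.0.1.2)  <-----------------------------------
        ADDR(10.0.1.3)  <-----------------------------------
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 2.

CMDB name: EMS1_ZTNA_Vulnerable-Device
TAG name: Vulnerable-Device
EMS1_ZTNA_Vulnerable-Device: ID(311)
        ADDR(10.0.1.2)  <-----------------------------------
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.
"""


def parse_ec_shm(output: str) -> list:
    """Return one dict per `Record #N:` block with the fields used here."""
    records, current = [], None
    for line in output.splitlines():
        m = re.match(r"^Record #(\d+):", line)
        if m:
            current = {"record": int(m.group(1))}
            records.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        for key, pattern in (("ip", r"IP Address = (\S+)"),
                             ("host", r"Host Name: (.+)"),
                             ("online", r"Online status: (\S+)"),
                             ("registration", r"Registration status: (\S+)")):
            m = re.match(pattern, s)
            if m:
                current[key] = m.group(1).strip()
        m = re.match(r"Last vul statistic: (.+)", s)
        if m:  # "critical=2, high=63, ..." -> {"critical": 2, "high": 63, ...}
            current["vul"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(1))}
    return records


def parse_dynamic_list(output: str) -> dict:
    """Map each `TAG name` to the set of ADDR(...) entries listed under it."""
    tags, current_tag = {}, None
    for line in output.splitlines():
        m = re.match(r"^TAG name: (\S+)", line)
        if m:
            current_tag = m.group(1)
            tags.setdefault(current_tag, set())
            continue
        m = re.search(r"ADDR\(([^)]+)\)", line)
        if m and current_tag:
            tags[current_tag].add(m.group(1))
    return tags


def matches_vulnerable_rule(vul: dict, minimum: str = "high") -> bool:
    """Emulate the Vulnerable Devices rule: any finding at or above `minimum`."""
    start = SEVERITY_ORDER.index(minimum)
    return any(vul.get(level, 0) > 0 for level in SEVERITY_ORDER[start:])


def cross_check(ec_shm_output: str, dynamic_output: str,
                tag: str = "Vulnerable-Device", minimum: str = "high") -> list:
    """For each matched endpoint, compare the rule result with the resolved address list."""
    tagged = parse_dynamic_list(dynamic_output).get(tag, set())
    findings = []
    for rec in parse_ec_shm(ec_shm_output):
        expected = matches_vulnerable_rule(rec.get("vul", {}), minimum)
        resolved = rec.get("ip") in tagged
        findings.append({"ip": rec.get("ip"), "host": rec.get("host"),
                         "expected": expected, "resolved": resolved,
                         "consistent": expected == resolved})
    return findings


if __name__ == "__main__":
    for f in cross_check(EC_SHM_SAMPLE, DYNAMIC_SAMPLE):
        print(f)
```

A `consistent: False` entry is worth a look, but as the guide notes, an endpoint that performed a ZTNA connection is not populated in the resolved addresses at all; for such endpoints, rely on the matched endpoints list and the EMS Tag Monitor instead of this comparison.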