Fortinet FortiClient EMS Lab Guide For FortiClient EMS 7.0

The FortiClient EMS Lab Guide provides a comprehensive overview of the installation and configuration of FortiClient EMS 7.0. It includes detailed exercises for installing FortiClient EMS, configuring system settings, deploying FortiClient, and implementing Zero Trust Network Access. The guide serves as a resource for users to effectively manage endpoint security through FortiClient EMS.


DO NOT REPRINT

© FORTINET

FortiClient EMS
Lab Guide
for FortiClient EMS 7.0
Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: [email protected]

9/21/2021

TABLE OF CONTENTS

Network Topology 5
Lab 1: Introduction 6
Lab 2: FortiClient EMS and FortiClient Installation 7
Exercise 1: Installing FortiClient EMS 8
Install FortiClient EMS Using an Installation File 8
Access the FortiClient EMS GUI and Install the License 10
Exercise 2: Installing FortiClient 13
Install FortiClient Using a Custom Installer File From FortiClient EMS 13
Lab 3: FortiClient EMS Configuration 17
Exercise 1: Accessing the GUI and Creating a FortiClient EMS Administrator 18
Access the FortiClient EMS GUI 18
Create a New FortiClient EMS Administrator 20
Exercise 2: Configuring FortiClient EMS System Settings 22
Configure Server Settings 22
Configure Log Settings 23
Configure Login Banner Settings 23
Exercise 3: Creating an Endpoint Group and a Group Assignment Rule, and Running Scans 25
Create an Endpoint Group for a Windows Workgroup 25
Create a Group Assignment Rule for Windows Endpoints 26
Run Antivirus and Vulnerability Scans on a Registered Endpoint 27
Exercise 4: Enabling the Security Fabric to Trigger Automatic Quarantine 32
Verify FortiClient Log Settings 32
Enable the Security Fabric on the Root FortiGate 33
Lab 4: FortiClient Deployment Using FortiClient EMS 44
Exercise 1: Creating an Installer for Deployment 45
Create a FortiClient Installer for Deployment 45
Exercise 2: Adding Endpoints to FortiClient EMS 48
Add Endpoints Using an AD Domain Server 48
Exercise 3: Creating a Deployment Package to Install FortiClient 50
Create a Deployment Package to Install FortiClient 50
Lab 5: FortiClient Provisioning Using FortiClient EMS 52
Exercise 1: Creating and Assigning an Endpoint Profile for Deployment 53
DO NOT REPRINT
© FORTINET
Create an Endpoint Profile on FortiClient EMS 53
Create a Profile to Deploy FortiClient 53
Enable the Web Filter Feature in the Endpoint Profile 53
Provision a VPN in the Endpoint Profile 56
Create an Endpoint Policy to Assign the Endpoint Profile 57
Exercise 2: Testing the FortiGuard Web Filter 60
Verify FortiGuard Connectivity 60
Identify Web Filter Categories 60
Review a FortiGuard Category-Based Web Filter 63
Test the Web Filter 65
Verify a Web Filter Exclusion List 66
Test the Web Exclusion List 67
Exercise 3: Understanding Antivirus Protection and Vulnerability Scans 68
Verify AntiVirus Protection Settings 68
Test the Antivirus Real-Time Configuration 69
Run an On-Demand Vulnerability Scan 70
Lab 6: Zero Trust Network Access 72
Exercise 1: Configuring ZTNA Tags, Tagging Rules, and Features 74
Verify the Connection Between FortiClient, FortiClient EMS, and FortiGate 74
Configure FortiClient EMS ZTNA Tagging Rules 76
Enable the ZTNA Feature and Verify That ZTNA Tags Are Synced 80
Exercise 2: Configuring a Basic HTTPS Access Proxy With SSL Certificate-Based Authentication 81
Configure a Basic HTTPS Access Proxy With Certificate-Based Authentication 81
Test Remote Access to the HTTPS Access Proxy 85
Understand the Behavior of the set empty-cert-action Option 89
Exercise 3: Configuring an HTTPS Access Proxy With User Authentication and ZTNA Tags 91
Configure an Authentication Rule 92
Apply the User Group and ZTNA Tag to a ZTNA Rule 93
Test Remote Access to the HTTPS Access Proxy With User Authentication 94
Verify the Behavior When the Security Posture Changes on the Endpoint 97
Exercise 4: Configuring and Testing Compliance Rules to Create Dynamic Groups and Policies 99
Create a Firewall Policy 99
Test Endpoint Access Using the IP/MAC Filtering ZTNA Firewall Policy 100
Lab 7: Diagnostics and Troubleshooting 104
Exercise 1: Running Diagnostic Tools 105
Run the FortiClient Diagnostic Tool 105
Run the FortiClient EMS Diagnostic Tool 108
Network Topology

FortiClient EMS 7.0 Lab Guide 5


Fortinet Technologies Inc.
Lab 1: Introduction

There is no lab associated with Lesson 1.

Lab 2: FortiClient EMS and FortiClient Installation

In this lab, you will examine FortiClient EMS and FortiClient installation.

Objectives
• Install FortiClient EMS on a Windows AD server
• Apply a FortiClient EMS license
• Install FortiClient on a Windows endpoint

Time to Complete
Estimated: 25 minutes

Prerequisites
Before beginning this lab, you must make sure that the installer file from the EMS deployment package is available
on the desktop of the FortiClient-Laptop VM, in the Resources folder.

Exercise 1: Installing FortiClient EMS

In this exercise, you will install FortiClient EMS on the AD server.

For this exercise, we have provided a FortiClient EMS installation file and license. In a
real environment, you should not install FortiClient EMS on a Windows server that is
hosting AD or any other services.

Install FortiClient EMS Using an Installation File

You will install FortiClient EMS using an installer file.

To install FortiClient EMS using an installer file


1. On the AD Server VM, on the desktop, click Resources > Installation Files.
2. Open the FortiClientEndpointManagementServer_7.0.1.0103_x64.exe file to launch the installation
window.
3. Click Run.

4. Accept the license agreement, and then click Install to start the installation.


The setup wizard installs FortiClient EMS on the host machine. By default, the FortiClient EMS files are installed in
the C:\Program Files (x86)\Fortinet\FortiClientEMS folder.

5. After the FortiClient EMS installation is complete, click Close.

Access the FortiClient EMS GUI and Install the License

You will access the FortiClient EMS GUI, create an administrator password, and install the license.

To access the FortiClient EMS GUI and create an administrator password


1. On the AD Server VM, click the FortiClient EMS icon on the desktop to launch the application.

2. Click Sign in, and then log in to the FortiClient EMS GUI with the username admin and no password.

FortiClient EMS prompts you to configure an administrator password.

3. Type Password123 in the New Password and Confirm Password fields to meet the password requirement, and
then click Submit to save the password.

To install the FortiClient EMS license


1. Log in to the FortiClient EMS GUI with the username admin and password Password123.
A warning for the EMS license appears.

2. Click X to close the window.


3. On the Dashboard > License Information widget, click Config License.

4. In the License Source field, click File Upload, and then click Browse to select the license file in the Desktop >
Resources > Installation Files folder.


5. Click Upload to activate the new license.

6. On the FortiClient EMS GUI, click Dashboard > Status to see the license information.

Exercise 2: Installing FortiClient

In this exercise, you will install FortiClient on the FortiClient-Laptop VM.

Since version 6.2.0, FortiClient must be managed by FortiClient EMS. FortiClient must
connect to FortiClient EMS to activate its license and to receive the endpoint profile
that the administrator configured in FortiClient EMS. For this exercise, we have
provided a deployment package file from FortiClient EMS. You cannot use FortiClient
features until FortiClient is connected to FortiClient EMS and licensed.

After installation, FortiClient is managed by FortiClient EMS, and all security
profiles needed for the lab tasks have already been configured.

Install FortiClient Using a Custom Installer File From FortiClient EMS

You will install FortiClient using an installer file from FortiClient EMS.

To install FortiClient using the installer file from FortiClient EMS


1. On the FortiClient-Laptop VM, on the desktop, open the Resources folder.
2. Run the FortiClientSetup_7.0.0_x64.exe file to start the FortiClient installation.

3. Accept the license agreement, and then click Next to start the installation.


By default, the FortiClient files are installed in the C:\Program Files\Fortinet\FortiClient\ folder.

4. Click Next to continue.

5. Click Install.


The setup wizard installs FortiClient on the host machine.

6. After the FortiClient installation is complete, click Finish.


FortiClient downloads all the signature databases to get up-to-date. It may take some time before the
download completes and FortiClient is available for you to configure other options. However, you can
continue with the lab steps as the download process runs in the background.

7. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
8. Click Open FortiClient Console to open the FortiClient GUI.

Allow some time for FortiClient to get all of its configuration from FortiClient EMS.

Lab 3: FortiClient EMS Configuration

In this lab, you will examine the FortiClient EMS configuration.

Objectives
• Access the FortiClient EMS GUI
• Explore the dashboard and view system information
• Create an administrator
• Configure system settings
• Create an endpoint group
• Run a vulnerability scan on an endpoint

Time to Complete
Estimated: 65 minutes

Prerequisites
Before beginning this lab, you must finish the previous lab.

Exercise 1: Accessing the GUI and Creating a FortiClient
EMS Administrator

In this exercise, you will access the FortiClient EMS GUI, and then create a new administrator account.

Access the FortiClient EMS GUI

You will access the FortiClient EMS GUI, by either launching the application or using a browser.

To access the FortiClient EMS GUI by launching the application


1. On the AD Server VM, click the FortiClient EMS icon to launch the application.
2. Log in to the FortiClient EMS GUI with the username admin and password Password123.
3. Locate the System Information widget, and then write down the software version that appears in the Version
field.
You should see the following details:

To access the FortiClient EMS GUI using a browser


1. Continuing on the AD Server VM, on the desktop, open Firefox.
2. In the address bar, type https://localhost to access the FortiClient EMS GUI.
3. Click Advanced > Accept the Risk and Continue to accept the self-signed certificate.


4. Log in to the FortiClient EMS GUI with the username admin and password Password123.
5. Click Dashboard > Status to confirm the FortiClient EMS serial number.
6. Locate the License Information widget, and then write down the serial number that appears in the Serial Number
field.

You can also access the FortiClient EMS GUI using the server host name:
https://<server_name>.

Tip: You can get the <server_name> by running ipconfig /all on the server.
The Host Name appears under Windows IP Configuration. If you cannot
access FortiClient EMS remotely, make sure that you can ping <server_name> from
the client; if not, add the name as a DNS record or to the Windows hosts file on
the client.

7. Navigate to Endpoint Policy & Components, and then you will see CA Certificates.
Here, you can upload and manage certificates that can be used for EMS HTTPS access.

Create a New FortiClient EMS Administrator

To log in to FortiClient EMS, you require a user administrator account. You will create both a super administrator
and a limited access account.

To create a new FortiClient EMS administrator account


1. On the pane on the left side of the screen, click Administration > Administrators.
You will see an entry with the name admin, source Builtin, and role Super Administrator.

2. Click Add to create a Windows based user administrator account.


A new window opens.

3. In the Add user window, in the User source section, select Create a new user, and then click Next.

4. In the configuration window, configure the following settings:

Field Value

User EPadmin

Role Endpoint Administrator

5. Click Next.
6. In the Password and Confirm Password fields, type Fortinet123.


7. Click Finish to create a new administrator account.

8. Click the admin icon on the right side of the EMS GUI, and then select Sign out.

9. Log back in with the username EPadmin and password Fortinet123.


Under Endpoint Profiles, you will see View Profiles instead of Manage Profiles.

Stop and think!

When you log in with the username EPadmin, why do you see only View Profiles under Endpoint
Profiles?

This user account has limited permissions and is not allowed to access endpoint profile management. The
Endpoint Administrator role that this user account is assigned to allows only read-only permissions to the
Settings Permissions category. This is the category that allows access to Endpoint Profiles.

Exercise 2: Configuring FortiClient EMS System Settings

In this exercise, you will configure the following FortiClient EMS system settings:
• Server settings
• Log settings
• Login banner settings

Configure Server Settings

In EMS Settings, you can configure settings, such as the host name, the FQDN, and remote access. You will
configure the FQDN to access the FortiClient EMS server, using the configured FQDN.

To configure the FQDN on FortiClient EMS


1. On the AD Server VM, log in to the FortiClient EMS GUI with the username admin and password Password123.
2. Click System Settings > EMS Settings.
3. In the Shared Settings section, in the Listen on IP field, select 10.0.1.100, select the Use FQDN checkbox, and
then in the FQDN field, type myemsserver.com.
4. Select the Remote HTTPS access checkbox to enable remote access.

5. Click Save to apply the changes.


6. On the FortiClient-Laptop, open Firefox, type the URL https://myemsserver.com, and then accept the self-
signed certificate to access the FortiClient EMS server.

The FortiClient-Laptop hosts file has been modified to make myemsserver.com
resolvable and therefore accessible.

Configure Log Settings

In Log Settings, you can configure the log level and the number of days that you want to keep logs, events, and
alerts before they are cleared. You will verify the Log level setting.

To configure log settings


1. On the FortiClient EMS GUI, click System Settings > Log Settings.
2. In the Log level field, verify that Info is selected.

3. Click Administration > Log Viewer to view the logs.

Configure Login Banner Settings

In EMS Settings, you will configure a disclaimer message that appears before a user logs in to FortiClient EMS.

To configure login banner settings


1. Continuing on the FortiClient EMS GUI, click System Settings > EMS Settings.
2. In EMS Settings, select the Enable login banner checkbox, and then in the Message field, type Property of
Fortinet lab. Unauthorized access is strictly prohibited..


3. Click Save to apply the changes.


4. Log out as admin from the FortiClient EMS GUI, and then close the application.
5. Open the FortiClient EMS GUI again.
A Disclaimer appears.

6. Click Accept to go to the login screen.

Exercise 3: Creating an Endpoint Group and a Group
Assignment Rule, and Running Scans

In this exercise, you will create an endpoint group and a group assignment rule, and run antivirus and vulnerability
scans on endpoints. Endpoint management enables FortiClient EMS to perform various actions and run scans.

Create an Endpoint Group for a Windows Workgroup

You will create individual groups for Windows workgroup endpoints on FortiClient EMS.

To create a group for a Windows workgroup


1. On the AD Server VM, open the FortiClient EMS GUI, and then click Endpoints > Workgroups.
By default, all the workgroup endpoints are in the Other Endpoints group.

2. Click All Groups > Other Endpoints to view the registered endpoints.

3. In the Workgroups drop-down list, right-click All Groups, and then click Create group.

4. In the Create group field, type Windows Endpoints.


5. Click Confirm to create the group.

Create a Group Assignment Rule for Windows Endpoints

FortiClient EMS can use group assignment rules to automatically place endpoints into custom groups, based on
the installer ID, IP address, OS, or AD group of the endpoints. You will create a group assignment rule based on
OS.

To create a group assignment rule


1. On the FortiClient EMS GUI, click Endpoints > Group Assignment Rules.
2. On the pane on the right, click Add to create a new rule.
3. In the pop-up window, configure the following settings:

Field Value

Type OS

OS Windows (W must be uppercase or this will not work)

Group Windows Endpoints

Enable Rule (Enabled)

4. Click Save to add a new group assignment rule.

5. On the pane on the right, click Run Rules Now to add Windows endpoints to the new group.

FortiClient EMS automatically places endpoints that do not apply to a group
assignment rule into the Other Endpoints group.

Run Antivirus and Vulnerability Scans on a Registered Endpoint

FortiClient EMS endpoint management can run scans on managed clients. Before you can run an AV scan, you
must change the endpoint profile on FortiClient EMS.

To run scans, FortiClient, which is installed on the FortiClient-Laptop VM, must be
connected to FortiClient EMS. On the FortiClient GUI, click ZERO TRUST TELEMETRY,
ensure that the FortiClient status is Connected, and then click the menu icon beside
the Disconnect button, and ensure that it shows a FortiClient EMS IP address of
10.0.1.100.

To enable antivirus protection for the default endpoint profile


1. On the AD Server VM, open the FortiClient EMS GUI, and then click Endpoint Profiles > Manage Profiles.
2. Select the Default profile, and then click Edit.
3. On the Malware tab, enable AntiVirus Protection, and then leave the other settings at their default values.

4. Click Save to apply the settings.

After the Default profile is synced, on the FortiClient-Laptop VM, MALWARE PROTECTION appears on the
FortiClient GUI.

Stop and think!

Why wasn't MALWARE PROTECTION available on FortiClient?

The Default endpoint profile doesn't have the malware protection feature enabled by default. To enable AV,
click the AntiVirus Protection button.

To run antivirus and vulnerability scans on a registered endpoint


1. On the AD Server VM, continuing on the FortiClient EMS, on the pane on the left, click Endpoints > All
Endpoints.
You will see the registered client.

2. Beside the registered client, select the checkbox to highlight the registered client.
The following options appear: Scan, Patch, Move to, and Action.

3. Click Scan, and then click Quick AV Scan.


The scan starts after the endpoint sends the next keepalive packet.


4. Click X to close Scan Complete and FortiClient Scan Progress windows.


5. Continuing on the FortiClient EMS GUI, click Scan > Vulnerability Scan to perform a vulnerability scan.

The scan starts, and it will finish after the endpoint resyncs or sends the next keepalive packet.


6. Click X to close the scan window after the scan is finished.


Vulnerability information appears on the FortiClient console, similar to the following example:

7. Click the CRITICAL vulnerability level box to see the details.


You can also click > to see more details about the applications.

Exercise 4: Enabling the Security Fabric to Trigger
Automatic Quarantine

In this exercise, you will enable the Fortinet Security Fabric to trigger automatic quarantine, based on indicators of
compromise (IOC) on FortiAnalyzer.

Verify FortiClient Log Settings

To identify compromised hosts, FortiClient must send logs to FortiAnalyzer. You will verify the FortiClient log
settings.

To verify FortiClient log settings


1. On the AD Server VM, log in to the FortiClient EMS application.
2. Click Endpoint Profiles > Manage Profiles, select Default, and then click Edit.
3. On the System Settings tab, in the Log section, ensure that Upload Logs to FortiAnalyzer/FortiManager,
Upload UTM Logs, Upload System Event, and Upload Security Event are enabled.
4. Set IP Address/Hostname to 10.0.1.250, Upload Schedule to 1 minute, and Log Generation Timeout to 60
seconds.

If you are using a browser to access FortiClient EMS, you must enable Advanced view
settings on the FortiClient EMS Endpoint Profiles page.

5. Click Save to finish.

Enable the Security Fabric on the Root FortiGate

You will configure the Security Fabric and enable telemetry on the FortiGate internal interface.

To configure the Security Fabric and enable telemetry on the root FortiGate
1. On the AD Server VM, open Firefox, type the FortiGate IP address 10.0.1.254, and log in with the username
admin and password password.
2. On the FortiGate GUI, click Security Fabric > Fabric Connectors.
3. Select Security Fabric Setup, and then click Edit.
4. In the Security Fabric Settings section, click Enabled.

5. Click Serve as Fabric Root.


A new window opens.

6. In the FortiAnalyzer Settings section, configure the following settings:

Field Value

IP address 10.0.1.250

Upload option Real Time

7. Click Test Connectivity.

A warning appears indicating that HQ-FortiGate isn’t yet authorized on FortiAnalyzer.


This authorization is configured on FortiAnalyzer in a later step.

8. Click OK.
9. When the Verify FortiAnalyzer Serial Number warning appears, click Accept.
10. When the FortiAnalyzer status warning appears, click Close because you will configure this in a later step.
11. Configure the following settings:

Field Value

Fabric name fortinet

Allow other Security Fabric devices to join enable, port3

Management port Use Admin Port

Your configuration should look like the following example:

12. Click OK.


13. Click OK to confirm.
14. Open Firefox, type https://10.0.1.250, and then log in with the username admin and password password
to authorize FortiGate on FortiAnalyzer.
15. Click X to close the FortiAnalyzer setup window.
16. In Device Manager, in the upper-right, click Unauthorized Devices.

17. Select the HQ-FortiGate device, click Authorize, and then click OK to complete the authorization.
18. On the HQ-FortiGate GUI, click Security Fabric > Fabric Connectors.
19. Click FortiAnalyzer Logging, and then click Edit.
In the FortiAnalyzer Status section, the Connection status is Connected.

To enable the FortiClient EMS Connector


1. Continuing on the FortiGate GUI, click Security Fabric > Fabric Connectors.
2. In the list, select FortiClient EMS Cloud, and then at the top, click Edit.

3. In the New Fabric Connector window, select FortiClient EMS, and then configure the following settings:

Field Value

Name EMSServer

IP/Domain name 10.0.1.100

4. Click OK, and then click Accept to accept the certificate and save the settings.

5. On the FortiClient EMS GUI, click Administration > Fabric Devices.
6. On the right side, select FortiGate, and then click Authorize.
7. On the AD Server desktop, click PuTTY, double-click HQ-FortiGate, and then log in with the username admin and
password password.
8. Run the execute fctems verify EMSServer CLI command.
9. On the FortiClient EMS GUI, on the Administration > Fabric Devices page, select FortiGate again, and then click
Edit.
10. In the edit window, select the Share tag info from all FortiClients checkbox, and then click Save to apply the
changes.

For this lab, the FortiClient EMS certificate is already trusted by FortiGate. When you
configure a new connection, you must install the FortiClient EMS CA certificate on
FortiGate before you authorize. Otherwise, you will see the following status:

For more information, see FortiOS 7.0.1 Administration Guide.

To enable Security Fabric automation and create a new stitch


1. Continuing on the FortiGate GUI, click Security Fabric > Automation.
2. Select the predefined default stitch Compromised Host Quarantine, and then click Edit.
3. In the automation stitch window, select Enable, leave other settings as default, and then click OK to save the
settings.


The stitch, trigger, and action are enabled for an IOC compromised host.

To configure firewall policies on FortiGate


1. Continuing on the HQ-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New, and then configure the following policy settings to allow traffic to pass from LAN(port3) to
port1:

Field Value

Name IOC_Policy

Incoming Interface LAN(port3)

Outgoing Interface port1

Source FortiClient-Laptop

Destination all

Schedule always

Service ALL

Action ACCEPT

Inspection Mode Proxy-based

NAT <enable>

IP Pool Configuration Use Outgoing Interface Address

Web Filter monitor-all

SSL/SSH Inspection certificate-inspection

Log Allowed Traffic All Sessions (greyed out)

3. Click OK.
4. Drag and drop the IOC_Policy policy above the Full_Access policy.

To run a security rating on FortiGate


1. Continuing on the HQ-FortiGate GUI, click Security Fabric > Security Rating.
2. On the Security Posture page, click Run Now to update the ranking.

To verify the FortiAnalyzer license includes the IOC service


1. On the AD Server VM, open a browser, and then type the 10.0.1.250 IP address.
2. On the login page, enter the username admin and password password.
3. Click System Settings, and then in the License Information widget, check the status of the FortiGuard
Indicators of Compromise Service license.


To test automatic quarantine triggered by IOC detection


1. In the lab menu, on the FortiClient-Laptop VM, click Console access method under Services to access
FortiClient-Laptop using console.

The reason for using console access is that when FortiClient is quarantined, you may not be able to access
FortiClient-Laptop using RDP.

If the lab menu shows any other VM, use the Go back option in the lab menu to return to the list of VMs,
and then select FortiClient-Laptop from the list.

2. Click the Ctrl+Alt+Delete button in the upper-right corner, so you can enter a password.
3. Enter the password password to log in to Windows using the console connection.
4. On the FortiClient-Laptop VM, open Firefox, and then type the URL www.google.com.
5. Open a new browser tab, and then type http://195.22.28.198.
This IP address is blocked by the FortiClient malicious websites category.

6. Continuing on the AD Server VM, on the FortiAnalyzer GUI, click SOC > FortiView > Compromised Hosts.
The endpoint appears in the window.

7. Double-click the host to see details.

8. Continuing on the FortiClient-Laptop VM, log in to the FortiGate GUI.


9. Click Dashboard > Users & Devices, and then scroll down and click the Quarantine widget to view it.
You will see that the endpoint has been quarantined.


The result on your FortiGate may not match the lab example above.

10. Click Log & Report > Events > System Events to view the logs. You may need to change the log source from
FortiAnalyzer to the local disk in the upper-right corner.

11. FortiClient will show the quarantine screen. FortiClient is blocking all communication, except to the EMS.

The endpoint is blocked at the client network device level.

To remove the client from the compromised hosts list, on the FortiAnalyzer GUI, click
SOC > FortiView. To clear the host, click Threats > Compromised Hosts, click ACK
to acknowledge the host, and then enter some text. This also clears the host from
FortiGate.

12. On the AD Server VM, log in to the FortiClient EMS GUI, and then select Endpoints > All Endpoints.
13. In the right pane, select FortiClient-Laptop, click Action, and then click Unquarantine to allow internet
access to the endpoint.

14. Return to the FortiClient-Laptop VM.


15. Try to ping FortiGate, the EMS server, and google.com.
Your traffic should now be allowed.

Lab 4: FortiClient Deployment Using FortiClient EMS

In this lab, you will learn about the deployment of FortiClient on endpoints, using FortiClient EMS.

Objectives
• Create a FortiClient installer
• Add endpoints to FortiClient EMS from Windows AD
• Create and manage a deployment package

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must finish the previous lab.

Exercise 1: Creating an Installer for Deployment

In this exercise, you will create an installer for endpoint deployment.

Create a FortiClient Installer for Deployment

You will create an installer for deploying FortiClient on endpoints.

To create an installer
1. On the AD Server VM, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Deployment & Installers > FortiClient Installer, and then click +Add to open a new
window.
3. In the Version tab, keep the default settings for Installer Type and Release, in the Patch field, select 7.0.1, and
then click Next.

4. In the General tab, in the Name field, type FortiClient-Version-7.0, and then click Next.
5. In the Features tab, under Basic Security Features, select the Secure Access Architecture Components and
Vulnerability Scan checkboxes, and then under Additional Security Features, select the Malware, Web
Filtering, and Application Firewall checkboxes.


6. Click Next.
7. In the Advanced tab, select the Enable desktop shortcut and Enable start menu shortcut checkboxes, and
then keep the default values for the other settings.


8. Click Next.
9. In the Telemetry tab, notice that it shows that FortiClient will be managed by <EMS hostname and FQDN
address>.
10. Click Finish to add the deployment package to FortiClient EMS.
The installer appears on the Deployment & Installers > FortiClient Installer pane.

FortiClient EMS automatically connects to the FortiGuard Distribution Network (FDN)
to provide access to the FortiClient installers, which you can use with FortiClient EMS
deployment packages. If a connection to FDN is not available, or you want a custom
installer, you must manually download a FortiClient installer, and then upload it to add
it to FortiClient EMS.

Exercise 2: Adding Endpoints to FortiClient EMS

In this exercise, you will add AD endpoints to the EMS server.

Add Endpoints Using an AD Domain Server

You will manually import endpoints from an AD server. You will import and synchronize information about
computer accounts with an LDAP or LDAPS service. You will also add endpoints by identifying the endpoints that
are part of an AD domain server.

To add endpoints using an AD domain server


1. On the AD Server VM, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Endpoints > Manage Domains, and then click +Add to open the Domain window.
3. In the IP address/Hostname field, type 10.0.1.100, and then keep the default values for Port and
Distinguished name.
4. In the Bind type section, select Regular, and then configure the following settings:

Field Value

Username ADadmin

Password password

5. Click Test to check the connectivity.

6. Perform one of the following tasks:

• If the test is successful, select Save to save the new domain.
• If the test is not successful, correct the information, and then test the settings again.


You can add the entire domain or an organizational unit (OU) from the domain. After
you import endpoints from an AD server, you can edit the endpoints. These changes
are not synchronized back to the AD server.

Exercise 3: Creating a Deployment Package to Install
FortiClient

In this exercise, you will create a deployment package to install FortiClient on AD endpoints.

Create a Deployment Package to Install FortiClient

You must add a FortiClient installer to the FortiClient EMS deployment package to install FortiClient. You will
select the installer that you created in exercise 1.

To create a profile to deploy FortiClient


1. On the FortiClient EMS GUI, click Deployment & Installers > Manage Deployment.
2. Click +Add to open a new profile window.
3. In the Name field, type AD-Deployment.
4. In the Endpoint Groups field, click Edit, and then select trainingAD.training.lab.
5. Ensure that the Action field is set to Install.
6. In the Deployment Package field, select FortiClient-Version-7.0.

7. Enable Start at a Scheduled Time, and then specify the installation start time, which should be five minutes from
the current time.
8. Disable Reboot when no users are logged in, and then keep the default values for all other settings.
9. In the Username field, type Administrator, and then in the Password field, type password.
10. Enable Enable the Deployment.
11. Click Save.
The deployment package appears on the Deployment & Installers > Manage Deployment page.

This deployment installs FortiClient on the AD Server VM. After this exercise, wait until
FortiClient installs, updates signatures, and then connects to the EMS server.

Lab 5: FortiClient Provisioning Using FortiClient EMS

In this lab, you will learn about using FortiClient EMS to provision FortiClient on endpoints.

Objectives
• Create an endpoint profile
• Enable the web filter and antivirus features
• Configure a VPN tunnel
• Create a policy to assign a new endpoint profile to an AD domain or workgroup endpoints

Time to Complete
Estimated: 35 minutes

Prerequisites
Before beginning this lab, you must finish the previous lab.

Exercise 1: Creating and Assigning an Endpoint Profile for
Deployment

In this exercise, you will create an endpoint profile and assign the profile to endpoints. You will also configure a
security profile and provision a VPN. After you complete provisioning, the configuration is pushed to FortiClient
endpoints by FortiClient EMS.

Create an Endpoint Profile on FortiClient EMS

To push the configuration to FortiClient endpoints, you must create an endpoint profile. The endpoint profile has
profile references that enable and disable FortiClient features and deployment.

To create an endpoint profile on FortiClient EMS


1. On the FortiClient EMS GUI, click Endpoint Profiles > Manage Profiles.
2. Click Add to open a new profile window.
3. In the Profile Name field, type Fortinet-Training.
4. Click VPN and Vulnerability Scan.
These settings are enabled by default.

5. Click Save to save the endpoint profile.

Create a Profile to Deploy FortiClient

You must add a FortiClient installer to the FortiClient EMS before you can select an endpoint profile. You will
select the installer that you created in Lab 4—Exercise 1.

Enable the Web Filter Feature in the Endpoint Profile

You can enable and disable security features, such as web filter, malware (antivirus), and application firewall in
endpoint profiles.

To enable the web filter feature in the endpoint profile


1. Continuing on the FortiClient EMS GUI, click Endpoint Profiles > Manage Profiles, select Fortinet-Training,
and then click Edit.

2. On the Web Filter tab, in the General section, enable Web Filter, and then keep Enable WebFiltering on
FortiClient set to Always On.
3. In the Site Categories section, beside Bandwidth Consuming, click + to expand the list.
4. In the list, beside Streaming Media and Download, select Block.

5. In the list, beside Internet Telephony, select Warn.

6. In the Exclusion List section, change the action to Allow, type www.mp3.com, and then leave the other settings
at the default values.


7. Click Save.

To enable the antivirus feature in the endpoint profile


1. Continuing on the Endpoint Profiles screen, click the Malware tab.
2. Enable AntiVirus Protection, ensure that Real-Time Protection is enabled, and then leave all other settings at
the default values.

3. Click Save to apply the changes.

Provision a VPN in the Endpoint Profile

You will provision the VPN settings. The VPN profile is applied to FortiClient when the profile installs on the
endpoint.

To provision a VPN in the endpoint profile


1. On the VPN tab, enable VPN, and then disable all options except Minimize FortiClient Console on Connect in
the General section.
2. On the SSL VPN tab, configure the following settings:

3. On the VPN Tunnels tab, click Add Tunnel, keep the VPN type set to Manual (default selection), and then click
Next.
4. In the next window, configure the following settings:

Field Value

Name Student-SSL VPN

Type SSL VPN

Remote Gateway 10.0.1.254

Port 10443

Prompt for Username (Enable)

5. Click Add Tunnel to save the VPN profile.
6. Click Save.

To disable disconnect from the EMS


1. Click the System Settings tab.
2. In the Endpoint Control section, enable Disable Disconnect.

3. Click Save to apply the changes.

Create an Endpoint Policy to Assign the Endpoint Profile

After creating the profile, you must create an endpoint policy to assign the profile to domains or workgroups. When
you create an endpoint policy to assign the profile to domains or workgroups, the profile settings are automatically
pushed to the endpoints in the domain or workgroup.

If you do not assign a profile to a specific domain or workgroup, the default profile is automatically applied to the
domain or workgroup.

To create an endpoint policy


1. On the FortiClient EMS GUI, click Endpoint Policy & Components > On-fabric Detection Rules > Add.
2. In the On-Fabric Rule Set window, in the Name field, type On-Fabric.
3. In the Rule section, click Add Rule.
4. In the Add New Rule window, select Detection Type as Local IP/Subnet and type 10.0.1.0/24 in the IP
Range field.

5. Click Add Rule, and then click Save to add the on-fabric detection rule.

6. On the Endpoint Policy & Components menu, select Manage Policies > Add.
7. In the Endpoint Policy window, in the Endpoint Policy Name field, type Training.
8. In the Endpoint Groups field, click Edit, select trainingAD.training.lab and All Groups, and then click Save.
9. In the Profile field, select Fortinet-Training in the profiles list.
10. In the Profile (Off-Fabric) field, select Default in the profiles list.
This profile applies when the endpoint is off-fabric. You cannot select the same endpoint profile for the on-
fabric and off-fabric status.

11. In the On-Fabric Detection Rules field, select On-Fabric in the drop-down list.
12. Ensure that Enable the Policy is enabled.
13. Keep the other settings at the default values, and then click Save to add the endpoint policy.
The endpoint policy should have the following settings:

The endpoint profile is assigned to the endpoint policy. After FortiClient is deployed on the endpoints and the
endpoints are connected to FortiClient EMS, you can update the endpoints by editing the associated profiles.

14. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
15. Click Open FortiClient Console to show the VPN profile.

16. Verify that FortiClient is connected to EMS and all configurations are enabled on the endpoint.

Exercise 2: Testing the FortiGuard Web Filter

In this exercise, you will test the configuration (WF profile) that you defined in the previous exercise. You will
examine the FortiClient web filter, based on FortiGuard categories, by making sure that FortiClient can contact the
FortiGuard servers.

Then, you will review a category-based web filter security profile on FortiClient and inspect the HTTP traffic.

Finally, you will test different actions taken by FortiClient, according to website categories that you configured in
the previous exercise.

Verify FortiGuard Connectivity

You will verify connectivity to FortiGuard Distribution Servers (FDS) from the FortiClient host machine. FDS is
required because it handles URL categorization. FortiClient takes action to allow or block websites based on
category.

To verify FortiGuard connectivity


1. On the FortiClient-Laptop VM, open the CLI, and then ping fgd1.fortigate.com.
If FortiClient can contact FortiGuard, you should see the following output:

Identify Web Filter Categories

To understand how websites are categorized on FortiGuard, you must first identify how specific websites are
categorized by the FortiGuard service.

To identify web filter categories


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and then visit
https://www.fortiguard.com/webfilter.


2. Use the Web Filter Lookup tool to search for the following URL:

www.youtube.com

YouTube is listed in the Streaming Media and Download category.

3. Use the Web Filter Lookup tool again to find the web filter categories for the following websites:

• www.viber.com
• www.ask.com
• www.bing.com


You will also test your web filter using these websites.

The following table shows the category assigned to each URL, as well as the action to take, which is
configured on FortiClient based on your web filter settings:

Website Category Action

www.dailymotion.com Streaming Media and Download Block

www.viber.com Internet Telephony Warning

www.bing.com Search Engines and Portals Allow

www.mp3.com Streaming Media and Download Block

Review a FortiGuard Category-Based Web Filter

You will review the web filter profile and configuration of the FortiGuard category-based filter. These are the web
filter settings that you configured in the previous exercise on endpoint profiles, which were then pushed by EMS.

To review the web filter profile


1. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
2. Click Open FortiClient Console to open the FortiClient GUI.


3. Verify that the FortiGuard category-based filter is enabled.

4. On the Web Filter tab, in the upper-right corner, click the settings icon.
5. Review the configured actions for the following categories:

Category Action

Potentially Liable Block

Adult/Mature Content Allow: Sports Hunting and War Games, Sex Education, and Lingerie and Swimsuit

Block: all other subcategories

Tip: Expand or click Adult/Mature Content to view the subcategories.

General Interest - Personal Allow

General Interest - Business Allow

Unrated Allow

6. Click Bandwidth Consuming to expand it and view the subcategories.

7. Verify that Streaming Media and Download is set to Block, and Internet Telephony is set to Warn.

Test the Web Filter

For the purposes of this lab, you will test the web filter security profile that is configured for each category.

To test the web filter


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and then visit www.dailymotion.com.
The system displays a warning according to the predefined action for this website category.

2. Open a new browser tab, and then visit www.viber.com.


The system displays a warning according to the predefined action for this website category.


3. Click Proceed to accept the warning and access the website.


4. Open a new browser tab, and then visit www.bing.com.
This website appears because it belongs to the Search Engines and Portals category, which is set to
Allow.

Verify a Web Filter Exclusion List

You will verify that the URL www.mp3.com is included in the exclusion list.

To verify a URL is included in the exclusion list


1. On the FortiClient-Laptop VM, open the FortiClient console, and then select WEB FILTER.

2. On the Web Filter tab, in the upper-right corner, click the settings icon.
3. Click the + sign to expand Exclusion List.

Test the Web Exclusion List

You will test the web exclusion list you reviewed in the previous procedure.

To test the web exclusion list


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and then try to access the website
www.mp3.com.
The website is allowed and it matches an exclusion list to bypass the FortiGuard block category. If you try to
access www.dailymotion.com again, FortiGuard will block it.

Exercise 3: Understanding Antivirus Protection and
Vulnerability Scans

In this exercise, you will test the FortiClient malware protection features that you configured in Exercise 1. You will
test antivirus protection to understand how FortiClient performs real-time protection. You will also learn how a
vulnerability scan helps detect and patch application vulnerabilities that can be exploited by known and unknown
threats.

Verify AntiVirus Protection Settings

You will verify antivirus settings on FortiClient, which you configured in the EMS endpoint profile, and were then
pushed to FortiClient.

To view and verify current FortiClient antivirus protection settings


1. In the pane on the left side of the window, click Malware Protection, and then verify that real-time protection is
enabled.

2. You can also click the settings icon, and then verify that the Scan files as they are downloaded or copied
to my system checkbox is selected.

Test the Antivirus Real-Time Configuration

You will download the EICAR test file to your FortiClient-Laptop VM. The EICAR test file is an industry-standard,
harmless test file that is used to test antivirus detection without causing damage.

To test the antivirus configuration


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and then visit the following website:
www.eicar.org

2. On the EICAR website, in the upper-right corner of the page, click DOWNLOAD ANTI MALWARE TESTFILE.
3. On the left side of the page, click the Download link.
4. In the Download area using the secure, SSL enabled protocol HTTPS section, download the sample file
named eicar_com.zip.

FortiClient should quarantine the download attempt and insert a replacement message similar to the following
example:

FortiClient shows the HTTP/HTTPS virus message when it blocks or quarantines infected files.

5. Click Close to close the alert window.
6. In the download window, click OK to save the file.
7. Change the download location to Desktop, and then click Save.
You should see that the Firefox downloads dialog shows a download error for the file you saved to the
desktop.

Stop and think! Why did the download fail?

Because the file is quarantined, an EMS administrator must add it to the allowlist and restore it to view the
content.

Run an On-Demand Vulnerability Scan

You will test an on-demand vulnerability scan that you configured on the EMS endpoint profile in the first exercise,
which was then pushed to FortiClient. Vulnerability scans help detect and patch application vulnerabilities that can
be exploited.

To run an on-demand vulnerability scan


1. Continuing on the FortiClient console, in the pane on the left side of the window, select Vulnerability Scan to view
the tab.
2. On the Vulnerabilities tab, click Scan Now to start an on-demand scan.

3. After the scan is finished, you will see the scan results under Vulnerabilities Detected.
4. To review the vulnerability details, click CRITICAL, and then expand 3rd Party App.

In this case, FortiClient cannot automatically install the software patch because the recommended action is
Manual Install. You can manually download and install the latest version of vulnerable software to fix the
vulnerability.

5. Close all open windows.

In the real environment, you should install the patch on affected applications.

Lab 6: Zero Trust Network Access

In this lab, you will learn about the use of a zero trust network access (ZTNA) proxy for remote access to specific
applications. You will configure the required components, from the FortiClient EMS, to FortiGate and FortiClient.
You will also review key ZTNA concepts.

Objectives
• Verify the FortiGate and FortiClient EMS connection
• Configure EMS ZTNA tagging rules
• Enable the ZTNA feature on FortiGate and verify ZTNA tags
• Configure a basic HTTPS access proxy with SSL certificate-based authentication
• Configure an HTTPS access proxy with basic user authentication and ZTNA tags
• Configure basic ZTNA IP/MAC filtering

Time to Complete
Estimated: 55 minutes

Prerequisites
Before you start this lab, you must connect the Remote-Client endpoint to FortiClient EMS. FortiClient is already
installed on the endpoint and must establish a connection to FortiClient EMS.

To connect a remote endpoint to FortiClient EMS


1. On the Remote-Client VM, in the system tray, right-click the FortiClient icon.
2. Click Open FortiClient Console to open the FortiClient GUI.

3. In the ZERO TRUST TELEMETRY section, type the IP address 100.64.1.100.

4. Click Connect.
After a few minutes, the status changes to Connected, and FortiClient has all the configuration pushed by
FortiClient EMS.

Exercise 1: Configuring ZTNA Tags, Tagging Rules, and
Features

In this exercise, you will verify the connection between FortiClient, FortiClient EMS, and FortiGate. You will also
configure ZTNA tags and tagging rules, and then verify if the tags are synced on FortiClient and FortiGate. These
tags will be used in the next exercises to authorize user traffic based on ZTNA tagging rules configured on
FortiClient EMS.

Verify the Connection Between FortiClient, FortiClient EMS, and FortiGate

Establishing device identity and device trust between FortiClient, FortiClient EMS, and FortiGate is integral to
ZTNA setup. All of these devices must have a stable connection in order to exchange information required for
ZTNA tagging to work properly.

To verify the FortiClient to FortiClient EMS connection


1. On the Remote-Client VM, in the system tray, right-click the FortiClient icon.
2. Click Open FortiClient Console to open the FortiClient GUI.

3. In the ZERO TRUST TELEMETRY section, ensure that the status of Centrally Managed by EMS is Connected.

If the status is shown as Not reachable, you must reconnect the endpoint.

1. In the ZERO TRUST TELEMETRY section, click Disconnect.


2. In the Enter Server address or Invitation code field, type 100.64.1.100, and
then click Connect to reconnect the Remote-Client VM to FortiClient EMS.

In this exercise, FortiGate is configured with a VIP and a firewall policy that allows
inbound connections to FortiClient EMS so that the remote endpoint can connect.

To verify FortiClient EMS as the Fabric connector


1. On the AD Server VM, open Firefox, type the FortiGate IP address 10.0.1.254, and then log in with the
username admin and password password.
2. On the FortiGate GUI, click Security Fabric > Fabric Connectors.
3. On the right side, scroll down to see the FortiClient EMS connector status.
The status arrow should be a green up arrow.


You can also verify the status by running the following CLI command on FortiGate:
diagnose endpoint fctems test-connectivity <EMS name>

Configure FortiClient EMS ZTNA Tagging Rules

FortiClient EMS uses zero-trust tagging rules to tag endpoints based on the information that it holds about each
endpoint. The tags are shared with FortiGate, which uses them to authorize user traffic. You will configure ZTNA
tagging rules on the FortiClient EMS server.

To configure the FortiClient EMS ZTNA tagging rule for detecting a file
1. On the AD Server VM, click the FortiClient EMS icon to launch the application.
2. Log in to the FortiClient EMS GUI with the username admin and password Password123.
3. In the left menu, click Zero Trust Tags > Zero Trust Tagging Rules.
4. In the upper-right, click Add.
5. In the Name field, type Malicious-File-Detected.
6. In the Tag Endpoint As field, type Malicious-File-Detected, and then press Enter.
7. In the Rules section, click Add Rule, and then select Windows OS.
8. In the Rule Type field, select File.

9. In the File field, type C:\virus.txt, and then click Save.
10. Click Save to save this zero-trust tagging rule.

To configure the FortiClient EMS ZTNA tagging rule for detecting remote endpoints
1. Continue on the Zero Trust Tags > Zero Trust Tagging Rules page.
2. In the upper-right, click Add.
3. In the Name field, type Remote-Endpoints.
4. In the Tag Endpoint As field, type Remote-Endpoints, and then press Enter.
5. In the Rules section, click Add Rule, and then select Windows OS.
6. In the Rule Type field, select IP Range.
7. In the IP Range field, type 10.0.2.0/24, and then click Save.
8. Click Save to save this zero-trust tagging rule.

Both rules appear under Zero Trust Tagging Rules.

9. Click Zero Trust Tags > Zero Trust Tag Monitor.


Remote-Client is tagged as Remote-Endpoints. If it does not appear immediately, use the Refresh button
in the upper-right corner of the window.

To configure the ZTNA tag to display on FortiClient
1. Continuing on the FortiClient EMS GUI, click Endpoint Profiles > Manage Profiles.
2. Select the Default profile, and then click Edit.
3. On the System Settings tab, under UI, enable Show Host Tag on FortiClient GUI.

4. Click Save to apply the changes.


5. Repeat steps 1–4 for the Fortinet-Training endpoint profile.
6. On the Remote-Client VM, on the FortiClient GUI, click the user avatar.
The Zero Trust Tags field shows the currently detected tags.

Enable the ZTNA Feature and Verify That ZTNA Tags Are Synced

You will enable the ZTNA feature on FortiGate, and then verify that the tags are synced between FortiClient EMS
and FortiGate.

To enable the ZTNA feature and verify that ZTNA tags are synced on FortiGate
1. On the AD server VM, on the FortiGate GUI, click System > Feature Visibility, and then enable Zero Trust
Network Access.
2. Click Policy & Objects > ZTNA, and then on the right side, click the ZTNA Tags tab.
ZTNA tags should be displayed on the page.

3. Hover over the Remote-Endpoints tag to see the IP address of the endpoint.
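The same checks from the HQ-FortiGate CLI, as an added example that is not part of the lab guide. It assumes the FortiClient EMS Fabric connector is named EMS; substitute the name shown under Security Fabric > Fabric Connectors.

```fortios
# Added example (not from the lab guide). "EMS" is an assumed connector name.

# Make the ZTNA pages visible in the GUI (the CLI side of System > Feature Visibility).
config system settings
    set gui-ztna enable
end

# Confirm that FortiGate can reach FortiClient EMS and that the connector is authorized.
diagnose endpoint fctems test-connectivity EMS

# List the dynamic address objects FortiGate builds from the synced tags.
# Each tag is an address named <connector>_ZTNA_<tag>, for example EMS_ZTNA_Remote-Endpoints,
# and the IP addresses of the endpoints that currently carry the tag are listed under it.
# A tag with no addresses under it means no endpoint currently matches its rule.
diagnose firewall dynamic list

# Show the endpoint records received from EMS, including the FortiClient ID, IP address
# and the ZTNA certificate serial number used to identify the endpoint at the access proxy.
diagnose endpoint record list
```

If a tag that exists on FortiClient EMS is missing from the dynamic list, fix the connector first; the ZTNA Tags page only reflects what the connector has synced.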

Exercise 2: Configuring a Basic HTTPS Access Proxy With
SSL Certificate-Based Authentication

In this exercise, you will configure a basic HTTPS access proxy with SSL certificate-based authentication. A client
certificate is obtained when an endpoint registers with FortiClient EMS: FortiClient automatically submits a
certificate signing request (CSR), and FortiClient EMS signs it and returns the client certificate. The endpoint
information, including the certificate serial number, is synchronized between FortiGate and FortiClient EMS, which
is what lets FortiGate map a certificate presented at the access proxy back to a known endpoint.

You will also locate the certificate on the endpoint and match it on FortiClient EMS and FortiGate. Finally, you will
see the behavior of the FortiGate set client-cert and set empty-cert-action options on the access-
proxy object.

Configure a Basic HTTPS Access Proxy With Certificate-Based Authentication

The HTTPS access proxy setup requires a ZTNA server, real server, ZTNA rule, and firewall policy on FortiGate.

To configure the ZTNA server or HTTPS access proxy VIP

1. On the HQ-FortiGate GUI, click Policy & Objects > ZTNA, and then click the ZTNA Servers tab.
2. Click Create New to create a new server, and then configure the following settings:

Field                  Value
Name                   ZTNA-webserver
External interface     Select port1.
External IP            100.64.1.10
External port          9443
Default certificate    Select Fortinet_SSL.

3. In the Service/server mapping section, click Create New.


4. In the Virtual Host field, select Any Host.
5. Leave the Path field at the default value of /.
6. In the Servers section, click Create New to create a new server mapping.
7. In the IP field, type 10.0.3.10, in the Port field, type 443, and then click OK.

8. Click OK to save the Service/server mapping settings.


9. Click OK to complete the ZTNA server setup.

To configure ZTNA rules


1. Continuing on Policy & Objects > ZTNA, click the ZTNA Rules tab.
2. Click Create New to create a new rule.

3. In the Name field, type ZTNA-Allow-All.
4. Leave the Source field set to all.
5. In the ZTNA Server field, select ZTNA-webserver.
6. In the Action field, select ACCEPT.
7. In the Logging Options section, ensure that the Log Allowed Traffic field is set to All Sessions.
8. Ensure that Enable this policy is enabled.

9. Click OK to save the settings.

To configure a firewall policy on FortiGate for full ZTNA


1. Continuing on the HQ-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New to add a new firewall policy.
3. Configure the following settings:

Field                  Value
Name                   ZTNA-WAN
ZTNA                   Enable ZTNA, and then select Full ZTNA.
Incoming Interface     port1
Source                 all
ZTNA Server            ZTNA-webserver
Schedule               always
Service                ALL
Action                 ACCEPT
NAT                    <disable>
Log Allowed Traffic    <enable>
Enable this policy     <enable>

4. Click OK to save the settings.
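The ZTNA server, ZTNA rule, and firewall policy from the three procedures above, expressed as FortiOS 7.0 CLI. This is an added example, not text from the lab guide, and it uses the lab's names and addresses. The object IDs (1), the source interface port1 on the ZTNA rule, and the outgoing interface any on the firewall policy are assumptions, since the GUI does not expose them; the firewall policy is written as a regular policy whose destination is the ZTNA server VIP, which is how the CLI carries the GUI's ZTNA Server field.

```fortios
# Added example (not from the lab guide). IDs, srcintf on the proxy policy and dstintf on
# the firewall policy are assumptions; everything else mirrors the GUI tables above.

# 1. ZTNA server: a VIP of type access-proxy that terminates TLS on port1:9443 with the
#    Fortinet_SSL server certificate (what the GUI calls the default certificate).
config firewall vip
    edit "ZTNA-webserver"
        set type access-proxy
        set extintf "port1"
        set extip 100.64.1.10
        set extport 9443
        set server-type https
        set ssl-certificate "Fortinet_SSL"
    next
end

# 2. The access proxy bound to that VIP. client-cert enable is the default and is what
#    makes the WAD process challenge the browser for the EMS-issued client certificate.
#    The GUI's service/server mapping (Any Host, path /) is one api-gateway entry with
#    one real server behind it.
config firewall access-proxy
    edit "ZTNA-webserver"
        set vip "ZTNA-webserver"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.3.10
                        set port 443
                    next
                end
            next
        end
    next
end

# 3. ZTNA rule: in the CLI a ZTNA rule is a proxy policy whose proxy type is access-proxy.
#    logtraffic all matches the "Log Allowed Traffic: All Sessions" setting.
config firewall proxy-policy
    edit 1
        set name "ZTNA-Allow-All"
        set proxy access-proxy
        set access-proxy "ZTNA-webserver"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# 4. Full-ZTNA firewall policy admitting inbound traffic on port1 to the ZTNA server VIP.
#    NAT stays disabled, as in the GUI table.
config firewall policy
    edit 0
        set name "ZTNA-WAN"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA-webserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

Note that at this point the ZTNA rule has no user or ZTNA tag condition: any endpoint that presents a certificate signed by this EMS is allowed through to the real server. Exercise 3 tightens that with a user group and tags.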

Test Remote Access to the HTTPS Access Proxy

Now that you have configured FortiGate, you will test the remote connection to the HTTPS access proxy.

To test remote access to the HTTPS access proxy


1. On the Remote-Client VM, open the command prompt from the task bar.
2. Enter ping webserver.ztnademo.com, and then verify it resolves to 100.64.1.10.

The actual ping will not be successful—you just want to be sure that the DNS resolves.

3. Close the command prompt window.


4. Open the Chrome browser from the desktop, and then type https://webserver.ztnademo.com:9443.
The browser prompts you for the client certificate to use.

5. Choose the EMS signed certificate, and then click OK.

Access to the web server should be allowed. The lab uses the FortiAnalyzer login page as the demonstration web
page.

By default, client certificate authentication is enabled on the access proxy, so when the
HTTPS request is received, the FortiGate WAD process challenges the client to
identify itself with its certificate.

To locate the certificate on the endpoint and match it on FortiClient EMS and FortiGate
1. Continuing on the Remote-Client VM, open a Windows search, and then look for Manage user certificates
(certmgr.msc), which opens the current user's certificate store.

2. In the user certificate store, open the Personal > Certificates folders.
3. Choose the FCTEMS-issued certificate, and then double-click the certificate to view its properties.
4. Click the Details tab, and then find the Serial number of the certificate.

Your certificate might not match what is shown in this example.

5. On the desktop, open PuTTY, and then double-click HQ-FortiGate from the saved session to open FortiGate CLI
access.
6. Enter the username admin and password password to log in, and then enter the following CLI command to view
the endpoint serial number (SN) and other information:
diagnose endpoint record list

7. On the AD Server VM, open the FortiClient EMS GUI, and then click Endpoints > All Endpoints.
8. In the list, click Remote-Client, and then in the Configuration section, check the FortiClient ID and ZTNA Serial
Number fields to match the information.

Your FortiClient ID and certificate serial number might not match what is shown in this example.

Understand the Behavior of the set empty-cert-action Option

By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request is
received, the FortiGate WAD process challenges the client to identify itself with its certificate. FortiGate also has a
setting that controls whether an empty client certificate is accepted or blocked.

If a user clicks Cancel during the certificate challenge, one of the following actions occurs:

1. If the empty-cert-action is accept, the client is allowed to continue with ZTNA proxy rule processing.
2. If the empty-cert-action is block, the client is blocked from further ZTNA proxy rule processing.

Note that with accept the endpoint has supplied no certificate, so FortiGate cannot map the session to an EMS
endpoint record, and any ZTNA rule that requires a ZTNA tag will not match it.

The empty-cert-action option can be configured from the CLI only.

To configure FortiGate to block empty certificate challenges


1. On the PuTTY session, enter the following CLI commands:
config firewall access-proxy
    edit "ZTNA-webserver"
        set empty-cert-action block
    next
end

By default, in 7.0.1, empty-cert-action is set to block. In 7.0.0, it was set to accept.

2. Close the PuTTY session.


3. On the desktop, open the Chrome browser, and then type https://webserver.ztnademo.com:9443.
The browser prompts you for the client certificate to use.

4. Click Cancel.
FortiGate blocks access.

Exercise 3: Configuring an HTTPS Access Proxy With
User Authentication and ZTNA Tags

In this exercise, you will extend the solution with user authentication against local users and with security posture
checks based on ZTNA tags. You will configure local user authentication, and then apply a user group and ZTNA tags
to the ZTNA rules so that access depends on both who the user is and the state of the endpoint.

To configure a local user on FortiGate


1. On the AD Server VM, open a browser to log in to the HQ-FortiGate IP address 10.0.1.254 with the username
admin and password password.
2. In the left menu, click User & Authentication > User Definition.
3. Click Create New to create a new user.
4. In the wizard, select Local User, and then click Next.
5. In the Username field, type ZTNAuser, in the Password field, type fortinet, and then click Next.
6. Leave Two-factor Authentication disabled, and then click Next.
7. Ensure that the User Account Status field is set to Enabled.
8. Enable User Group, and then select ZTNAaccess_group.

9. Click Submit to save the user.

You can also use LDAP, RADIUS, and TACACS+ users for authentication.

To configure an authentication scheme on FortiGate


1. Continuing on the HQ-FortiGate GUI, click System > Feature Visibility, and then enable Explicit Proxy to make
the Authentication Rules page visible.
2. Click Apply.
3. Click Policy & Objects > Authentication Rules, and then in the top-right, select Authentication Schemes.
4. Click Create New > Authentication Scheme.
5. In the Name field, type ZTNA-Auth-scheme.

6. In the Method field, select Basic.
7. Leave the User database field set to Local.

8. Click OK to save the settings.

Configure an Authentication Rule

An authentication rule specifies which proxy sources and destinations require authentication and which
authentication scheme to apply. You will use active authentication through the basic HTTP prompt and apply it to
all sources.

To configure an authentication rule on FortiGate


1. Continuing on the Authentication Rules page, click Create New > Authentication Rules.
2. In the Name field, type ZTNA-Auth-Rule.
3. In the Source Address field, select all.
4. Leave the Protocol field set to HTTP.
5. Enable Authentication Scheme, and then select ZTNA-Auth-scheme.
6. Ensure that the Enable This Rule field is set to Enable.

7. Click OK to save the rule.

Apply the User Group and ZTNA Tag to a ZTNA Rule

You must apply a user or user group to one or more ZTNA rules that you want to use to control user access. The
authenticated user from the authentication scheme and rule must match the user or user group in the ZTNA rule.

To apply a user group and add a ZTNA tag to the ZTNA allow rule
1. Continuing on the HQ-FortiGate GUI, click Policy & Objects > ZTNA.
2. Click ZTNA Rules, select ZTNA-Allow-All, and then click Edit.
3. In the Source field, click + to add a new entry.
4. In the window, select User, and then choose ZTNAaccess_group.
5. In the ZTNA Tag field, click +, and then add the Remote-Endpoints IP tag.

6. Click OK to apply the changes.

To create a deny rule for malicious file detection


1. Click ZTNA > ZTNA Rules, and then click Create New.
2. In the New ZTNA Rule window, configure the following settings:

Field                  Value
Name                   ZTNA-Deny-Malicious
Source                 Address: all
                       User: ZTNAaccess_group
ZTNA Tag               Malicious-File-Detected
ZTNA Server            ZTNA-webserver
Action                 Deny
Enable this policy     <enable>

3. Click OK to save the new rule.


4. Move this rule above the ZTNA-Allow-All rule.
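The authentication scheme, authentication rule, and the two ZTNA rules of this exercise as FortiOS 7.0 CLI, added here as an example that is not part of the lab guide. It assumes the allow rule from Exercise 2 is proxy policy ID 1 and gives the deny rule ID 2. The ZTNA tag address names are assumed to carry the prefix EMS_ZTNA_, which is the case when the EMS Fabric connector is named EMS; FortiGate names each synced tag <connector>_ZTNA_<tag>, so confirm the names with diagnose firewall dynamic list before you reference them.

```fortios
# Added example (not from the lab guide). Policy IDs and the EMS_ZTNA_ prefix are assumptions.

# Basic HTTP authentication against the local user database. The lab says LDAP, RADIUS
# and TACACS+ work here too; they would be selected as the user database instead.
config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "local-user-db"
    next
end

# Require that scheme for every HTTP(S) request the proxy handles, from any source.
config authentication rule
    edit "ZTNA-Auth-Rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end

config firewall proxy-policy
    # Deny rule: same server and user group as the allow rule, but it matches only when
    # the endpoint carries the Malicious-File-Detected tag. logtraffic all is needed for
    # the denied sessions to show up under Log & Report > Forward Traffic.
    edit 2
        set name "ZTNA-Deny-Malicious"
        set proxy access-proxy
        set access-proxy "ZTNA-webserver"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ZTNAaccess_group"
        set ztna-ems-tag "EMS_ZTNA_Malicious-File-Detected"
        set action deny
        set schedule "always"
        set logtraffic all
    next
    # Allow rule from Exercise 2, now restricted to members of ZTNAaccess_group on
    # endpoints that carry the Remote-Endpoints tag. Both conditions must hold.
    edit 1
        set groups "ZTNAaccess_group"
        set ztna-ems-tag "EMS_ZTNA_Remote-Endpoints"
    next
    # Proxy policies are evaluated top down, so the deny rule has to sit above the allow rule.
    move 2 before 1
end
```

Two points worth checking in your own configuration. First, a denied session is not logged unless logtraffic is enabled on the deny rule; the GUI table above does not set it, so if the deny logs in the next section are empty, that is the first thing to look at. Second, a user who authenticates successfully but is not a member of ZTNAaccess_group matches neither rule, and the proxy denies the request; that is the behaviour the unauthorized-user test below relies on.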

Test Remote Access to the HTTPS Access Proxy With User Authentication

You will test the HTTPS access proxy connection for authorized and unauthorized users.

To test the connection for authorized users


1. On the Remote-Client VM, open the Chrome browser from the desktop, and then type https://webserver.ztnademo.com:9443.
The browser prompts you for the client certificate to use.

2. Choose the EMS signed certificate, and then click OK.


3. When prompted for sign-in, type the Username ZTNAuser and Password fortinet, and then click Sign in to
access the page.

After successful authentication, you can access the web page.

4. Close the browser.


5. On the AD Server VM, on the FortiGate GUI, click Dashboard > Users & Devices.
6. Open the Firewall Users widget to see the authenticated user.

7. Select ZTNAuser, and then click Deauthenticate to remove the user from FortiGate.

To test the connection for unauthorized users


1. Repeat the previous steps to access https://webserver.ztnademo.com:9443.
The browser prompts you for the client certificate to use.

2. Choose the EMS signed certificate, and then click OK.
3. When prompted for sign-in, type the Username student and Password fortinet, and then click Sign in to
access the page.

Access is denied because the user is not authorized to access the resource.

4. On the HQ-FortiGate GUI, click Log & Report > Forward Traffic to check the deny logs for the student user.

You may need to filter the Source IP address to 100.64.2.253 to see the related logs.

Verify the Behavior When the Security Posture Changes on the Endpoint

You will test a scenario where the endpoint security posture changes because of a malicious file. You will create a
test file that triggers the Malicious-File-Detected tagging rule you created in Exercise 1. That rule is a File rule for
C:\virus.txt, so it matches on the presence of a file at that path, not on its content; any file saved there triggers the
tag.

To detect a malicious file and tag an endpoint


1. On the Remote-Client VM, open Notepad, and then create a file with dummy text.
2. Save the file on the C: drive as virus.txt, so that it matches the tagging rule path C:\virus.txt.
3. Open the FortiClient console, and then click the avatar to view the detected tags.
It may take a minute to see the updated tags.

4. On the desktop, open the Chrome browser, and then type https://webserver.ztnademo.com:9443 to access
the web page.

Access is denied because the endpoint security posture has changed.

5. On the C: drive, delete the file virus.


6. On the AD Server VM, on the FortiGate GUI, click Dashboard > Users & Devices.
7. Open the Firewall Users widget to see the authenticated user.
8. On the FortiGate GUI, select student, and then click Deauthenticate to remove the user from FortiGate.

Exercise 4: Configuring and Testing Compliance Rules to
Create Dynamic Groups and Policies

In this exercise, you will create and test a firewall policy using ZTNA IP/MAC filtering. You will use an existing
ZTNA tag to block endpoint access when a malicious file exists on the endpoint. ZTNA IP/MAC filtering mode
enhances security when endpoints are physically on the corporate network, whereas full ZTNA mode focuses on
access for remote users.

Create a Firewall Policy

To enforce compliance for local endpoints, you can select a ZTNA IP/MAC filtering option and apply a ZTNA tag to
a firewall policy.

To create a new firewall policy to apply a ZTNA tag


1. On the HQ-FortiGate GUI, click Policy & Objects > Firewall Policy, and then click Create New to create a new
firewall policy.
2. In the New Policy window, configure the following settings:

Field                  Value
Name                   Block-Malicious
ZTNA                   Enable this option, and then select IP/MAC filtering.
ZTNA Tag               Malicious-File-Detected
Incoming Interface     port3
Outgoing Interface     port1
Source                 all
Destination            all
Schedule               always
Service                ALL
Action                 DENY
Enable this policy     <enable>

3. Click OK to add a new firewall policy.

4. Move the Block-Malicious policy above the IOC_Policy policy at the top.
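The same firewall policy as FortiOS 7.0 CLI, added as an example that is not part of the lab guide. The tag address name again assumes an EMS Fabric connector named EMS (FortiGate names synced tags <connector>_ZTNA_<tag>), and the ID of the existing IOC_Policy is not given in the lab, so it is left as a placeholder to look up.

```fortios
# Added example (not from the lab guide). The EMS_ZTNA_ prefix and <IOC_Policy id> are
# assumptions; edit 0 lets FortiGate assign the next free policy ID.

# IP/MAC filtering mode: ztna-status enable plus a tag on an ordinary firewall policy.
# The policy matches when the packet's source IP (and MAC) corresponds to an endpoint
# that FortiClient EMS currently reports with the Malicious-File-Detected tag.
config firewall policy
    edit 0
        set name "Block-Malicious"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set ztna-status enable
        set ztna-ems-tag "EMS_ZTNA_Malicious-File-Detected"
        set logtraffic all
    next
end

# Firewall policies are evaluated top down. Find the ID assigned to Block-Malicious and the
# ID of IOC_Policy with "show firewall policy", then move the deny policy above it.
config firewall policy
    move <Block-Malicious id> before <IOC_Policy id>
end
```

This mode only works for endpoints whose traffic FortiGate forwards directly, because the match is on the source IP and MAC that EMS reports for the endpoint; that is why the lab tests it from the on-net FortiClient-Laptop VM rather than from the remote client. As with the ZTNA deny rule in the previous exercise, a DENY policy records nothing unless logtraffic all is set on it.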

Test Endpoint Access Using the IP/MAC Filtering ZTNA Firewall Policy

You will test endpoint access control with a ZTNA tag.

To test endpoint access using the IP/MAC filtering ZTNA firewall policy
1. On the FortiClient-Laptop VM, run ping 8.8.8.8 -t to ping the internet continuously.
The pings should succeed.

2. On the FortiClient EMS GUI, click Zero Trust Tags > Zero Trust Tag Monitor.
There should not be any endpoints with the Malicious-File-Detected tag.

3. On the FortiClient-Laptop VM, open Notepad, and then create a file with dummy text.
4. Save the file on the C: drive as virus.txt, so that it matches the tagging rule path C:\virus.txt.

5. Open the FortiClient console, and then click the avatar to view the detected tag.
It may take a minute to see the updated tag.

6. On the FortiClient EMS GUI, click Zero Trust Tags > Zero Trust Tag Monitor.
An endpoint appears on the Malicious-File-Detected tag.

7. On the HQ-FortiGate GUI, click Policy & Objects > ZTNA.


8. Click ZTNA Tags, and then hover over the Malicious-File-Detected tag to see the endpoint details.

The endpoint IP address is shown. The ping should have stopped because the endpoint is tagged with a
malicious file detection tag.

9. On the FortiClient-Laptop VM, delete the virus.txt file from the C: drive.
After some time, the ping replies resume.

10. On the AD Server VM, on the FortiClient EMS GUI, click Zero Trust Tags > Zero Trust Tag Monitor. There is no
Malicious-File-Detected tag.
11. On the FortiGate GUI, click Policy & Objects > ZTNA.
12. Click ZTNA Tags, and then hover over the Malicious-File-Detected tag.
There is no IP address.

Lab 7: Diagnostics and Troubleshooting

In this lab, you will examine the files that are created by running the diagnostic tools of FortiClient and FortiClient
EMS.

Objectives
l Run FortiClient and FortiClient EMS diagnostic tools

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must finish the previous lab.

Exercise 1: Running Diagnostic Tools

In this exercise, you will run FortiClient and FortiClient EMS diagnostic tools on the FortiClient-Laptop VM and AD
Server VM.

Run the FortiClient Diagnostic Tool

You will run the diagnostic tool on FortiClient endpoints to gather system information.

Before you run the diagnostic tool, you must change the FortiClient log level to
Debug. On the FortiClient EMS GUI, click Endpoint Profiles > Fortinet-Training,
click Edit on the System Settings tab, and then under Log, change the log level to
Debug.

To run the FortiClient diagnostic tool from the FortiClient console


1. On the FortiClient-Laptop VM, open the FortiClient console.
2. Click About, and then click Diagnostic Tool to open the tool window.

3. In the Diagnostic Tool window, click Run Diagnostic Tool.


4. On the console, click Run Tool.

A command line window opens and the diagnostic tool runs tasks to collect system data.

5. Press any key to continue the VPN diagnostics.


After all tasks are completed, the tool opens the
C:\Users\Administrator\AppData\Local\Temp\1\Diagnostic_Result link to show the
Diagnostic_Result.zip file.

6. Click Close to close the diagnostic tool.


7. Extract the Diagnostic_Result.zip file, and then search for the SystemInfo.txt and ipconfig.txt files.

If Windows cannot extract the archive, use 7-Zip, which is installed on the VM.

8. To review the file content, click these files. When you click a file, a window opens and extracts the file to a
destination. Select Desktop for the destination.

Log files are compressed, so to read them, you must extract the files.

To run the FortiClient diagnostic tool from FortiClient EMS


1. On the AD-Server VM, log in to the FortiClient EMS GUI.
2. Click Endpoints > All Endpoints, and then select endpoint IP 10.0.1.10.
3. Click Action, and then select Request Diagnostic Results to run the tool on the selected endpoint.

The tool starts to run in the background. The file should be available after three keepalive cycles. The default
is 60 seconds for each cycle.

4. Continuing on the FortiClient EMS GUI, click Action, and then select Download Available Diagnostics Results
to download the results file.

5. Click Save again to download the file to the FortiClient EMS server download folder.

Run the FortiClient EMS Diagnostic Tool

You will run the FortiClient EMS diagnostic tool on the AD server to gather information. Before you run the tool,
you must change the FortiClient EMS log level to DEBUG.

To run the FortiClient EMS diagnostic tool


1. On the AD server, go to the FortiClient EMS installation folder: C:\Program Files (x86)\Fortinet\FortiClientEMS.
2. Search for the EMSDiagnosticTool file, and then double-click the file to run the tool.

A command line window opens and the diagnostic tool runs tasks to collect system data.

3. After all tasks are completed, the tool opens the C:\Users\Administrator\AppData\Local\Temp\1 folder to show
the forticlientems_diagnostic.zip file.
4. Extract or unzip the forticlientems_7.0.1.0103_diagnostic_<xxxxxx-xxx-xxxx-xxxx-xxxxxxxxx-xxxxxxx>.zip file,
and then search for the SystemInfo.txt, events, and debug_xx-xx-xxxx files.
5. To review the file content, click these files. When you click a file, a window opens and extracts the file to a
destination. Select Desktop for the destination.

Log files are compressed, so to read them, you must extract the files.

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
