FortiTelemetry/On-Net/FortiClient Endpoint Compliance


FortiTelemetry (called FortiHeartBeat in FortiOS 5.4.0 and FortiClient Access in FortiOS 5.2) is an interface option that listens for connections from devices with FortiClient installed.

FortiTelemetry is the TCP/8013 protocol used between FortiClient and FortiGate, FortiClient and FortiClient EMS, and between FortiGate and other FortiGates in CSF configurations.

While all GUI references of FortiHeartBeat have been changed to FortiTelemetry in FortiOS 5.4.1, the CLI options have not been renamed and will remain as fortiheartbeat.

With FortiTelemetry enabled on the FortiGate, you can enforce FortiTelemetry for all FortiClients. This FortiClient endpoint compliance will require all clients to have FortiClient installed in order to get access through the FortiGate. Configure these settings in the internal interface under Network > Interfaces. Edit the interface of your choice. Under Restrict Access > Administrative Access, enable FortiTelemetry, then enable FortiClient On-Net Status.

CLI command – To enable FortiTelemetry on an interface:

config system interface
    edit <port_number>
        set listen-forticlient-connection enable
        set endpoint-compliance enable
end

You can also enable DHCP server and FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (under Monitor > FortiClient Monitor).

CLI command – To enable FortiClient On-Net status for a DHCP server added to the port1 interface:

config system dhcp server
    edit 1
        set interface port1
        set forticlient-on-net-status enable
end

FortiClient Endpoint licence updates

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s)                                  Maximum Client Limit
VM00                                      200
FGT/FWF 30 to 90 series                   200
FGT 100 to 400 series                     600
FGT 500 to 900 series, VM01, VM02         2,000
FGT 1000 to 2900 series, VM04             50,000
FGT 3700D and above, VM08 and above       100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

Connecting FortiClient Telemetry after installation

After FortiClient is installed on an endpoint, FortiClient automatically launches and searches for a FortiGate or FortiClient EMS for a FortiClient Telemetry connection. When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box appears.

If all the information displayed is correct, select Accept. FortiClient Telemetry will connect to the identified FortiGate/EMS.

Alternately, you can select Cancel and launch FortiClient without connecting to FortiClient Telemetry. This launches FortiClient in standalone mode, where you can manually connect FortiClient Telemetry later.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient downloads a profile from FortiGate/EMS.

How FortiClient locates FortiGate/EMS

FortiClient uses the following methods in the following order to automatically locate FortiGate/EMS for Telemetry connection:


  1. Telemetry gateway IP list: FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.

     If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.

  2. Remembered gateway IP list: You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate/EMS. Later, FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate/EMS.

  3. Default gateway IP address: The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.

     FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address of the FortiGate interface with Telemetry enabled.

If FortiClient is unable to automatically locate a FortiGate/EMS on the network for Telemetry connection, you can type the gateway IP address of the FortiGate/EMS.
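The Gateway IP list walk described above (same-subnet match first, then the first reachable entry in configured order, then give up and let the user type an address) is easy to get wrong when troubleshooting why an endpoint attached to the "wrong" FortiGate. The following script is an added example, not FortiClient or Fortinet code: it models that selection order so you can reason about a given endpoint address and list without a live FortiGate. The `GatewaySelection` result type, the `probe_tcp` helper, and the injected `is_reachable` callable are this example's own assumptions; only the TCP/8013 port and the two-pass order come from the page.

```python
import socket
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Callable, Iterable, List, Optional

# TCP port FortiTelemetry uses between FortiClient and FortiGate/EMS (stated on the page).
FORTITELEMETRY_PORT = 8013


@dataclass
class GatewaySelection:
    gateway: Optional[str]   # chosen gateway IP, or None if nothing matched
    method: Optional[str]    # "same-subnet", "first-reachable", or None
    tried: List[str]         # gateways probed in pass 2, in order (useful when troubleshooting)


def probe_tcp(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Real reachability probe (assumed stand-in for whatever FortiClient does internally):
    a plain TCP connect to ip:port with a timeout; True if the handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_telemetry_gateway(
    host_interface: str,
    gateway_list: Iterable[str],
    is_reachable: Callable[[str, int], bool] = probe_tcp,
    port: int = FORTITELEMETRY_PORT,
) -> GatewaySelection:
    """Pick a Telemetry gateway the way the page describes the Gateway IP list being walked.

    host_interface: the endpoint's address with prefix length, e.g. "10.1.2.50/24".
    gateway_list:   the configured Gateway IP list, in the order it was entered.
    is_reachable:   callable(ip, port) -> bool; injected so the logic can run offline.
    """
    host = ip_interface(host_interface)
    gateways = list(gateway_list)  # keep the configured order; it matters in pass 2

    # Pass 1: the first gateway that sits in the endpoint's own subnet wins.
    for gw in gateways:
        if ip_address(gw) in host.network:
            return GatewaySelection(gw, "same-subnet", [])

    # Pass 2: nothing on-subnet, so take the first reachable entry, starting from the top.
    tried: List[str] = []
    for gw in gateways:
        tried.append(gw)
        if is_reachable(gw, port):
            return GatewaySelection(gw, "first-reachable", tried)

    # Nothing matched: at this point the page says the user may enter the IP manually.
    return GatewaySelection(None, None, tried)


if __name__ == "__main__":
    # Constructed sample data: an endpoint on 10.1.2.0/24, a list entered out of subnet
    # order, and a fake reachability set standing in for real TCP/8013 probes.
    reachable = {"198.51.100.5"}
    fake_probe = lambda ip, port: ip in reachable
    print(select_telemetry_gateway("10.1.2.50/24", ["192.0.2.10", "10.1.2.1"], fake_probe))
    print(select_telemetry_gateway("172.16.9.7/24", ["192.0.2.10", "198.51.100.5"], fake_probe))
    print(select_telemetry_gateway("172.16.9.7/24", ["192.0.2.10"], fake_probe))
```

Run it with the constructed data to see the three outcomes: an on-subnet entry is chosen even though it is not first in the list, an off-subnet endpoint falls through to the first reachable entry, and an endpoint with no on-subnet or reachable gateway gets `None`, which is the case where you would type the FortiGate/EMS address by hand. The `tried` list in the result tells you which addresses were probed, which is the first thing to compare against the FortiGate's interface addresses and the TCP/8013 listener when an endpoint connects to the wrong unit.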

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
