FortiTelemetry/On-Net/FortiClient Endpoint Compliance

FortiTelemetry (called FortiHeartBeat in FortiOS 5.4.0 and FortiClient Access in FortiOS 5.2) is an interface option that listens for connections from devices with FortiClient installed. 

FortiTelemetry is the TCP/8013 protocol used between FortiClient and FortiGate, FortiClient and FortiClient EMS, and between FortiGate and other FortiGates in CSF configurations.

Note: While all GUI references to FortiHeartBeat have been changed to FortiTelemetry in FortiOS 5.4.1, the CLI options have not been renamed and remain fortiheartbeat.

With FortiTelemetry enabled on the FortiGate, you can enforce FortiTelemetry for all FortiClients. This FortiClient endpoint compliance will require all clients to have FortiClient installed in order to get access through the FortiGate. Configure these settings in the internal interface under Network > Interfaces. Edit the interface of your choice. Under Restrict Access > Administrative Access, enable FortiTelemetry, then enable FortiClient On-Net Status.

CLI command - To enable FortiTelemetry on an interface:

    config system interface
        edit <port_number>
            set fortiheartbeat enable
            set endpoint-compliance enable
    end

You can also enable DHCP server and FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (under Monitor > FortiClient Monitor).

CLI command - To enable FortiClient On-Net status for a DHCP server added to the port1 interface:

    config system dhcp server
        edit 1
            set interface port1
            set forticlient-on-net-status enable
    end

Connecting FortiClient Telemetry after installation

After FortiClient is installed on an endpoint, FortiClient automatically launches and searches for a FortiGate or FortiClient EMS for the FortiClient Telemetry connection. When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box appears.

If all the information displayed is correct, select Accept. FortiClient Telemetry will connect to the identified FortiGate/EMS.

Alternatively, you can select Cancel and launch FortiClient without connecting to FortiClient Telemetry. This launches FortiClient in standalone mode, where you can manually connect FortiClient Telemetry later.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient downloads a profile from FortiGate/EMS.

How FortiClient locates FortiGate/EMS

FortiClient uses the following methods in the following order to automatically locate FortiGate/EMS for Telemetry connection:

  1. Telemetry gateway IP list: FortiClient Telemetry searches the Gateway IP list for IP addresses in its own subnet. It connects to the FortiGate in the list that is in the same subnet as the host system.

     If FortiClient cannot find any FortiGate in its subnet, it attempts to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.

  2. Remembered gateway IP list: You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate/EMS. Later, FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate/EMS.

  3. Default gateway IP address: The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.

Note: FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address of the FortiGate interface with Telemetry enabled.

If FortiClient is unable to automatically locate a FortiGate/EMS on the network for Telemetry connection, you can type the gateway IP address of the FortiGate/EMS.
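The search order above, written out as an added example (this is illustrative code, not FortiClient's own implementation). The reachability test is supplied by the caller, since a real client would probe TCP/8013; treating the remembered list and the default gateway as subject to the same reachability check is an assumption, as is the constructed sample environment.

```python
import ipaddress
from typing import Callable, Optional, Sequence, Tuple

# Constructed sample environment (not from the page): telemetry servers that
# answer on TCP/8013 from this endpoint's point of view.
SAMPLE_REACHABLE = {"10.1.1.1", "192.168.5.1", "172.16.0.9", "10.9.9.254"}


def sample_reachable(ip: str) -> bool:
    """Stand-in for a TCP/8013 probe; assumption, not FortiClient behaviour."""
    return ip in SAMPLE_REACHABLE


def locate_telemetry_server(
    host_ip: str,
    gateway_list: Sequence[str],
    remembered: Sequence[str],
    default_gateway: Optional[str],
    reachable: Callable[[str], bool] = sample_reachable,
) -> Optional[Tuple[str, str]]:
    """Return (method, ip) following the documented search order, or None
    when every automatic method fails and the gateway IP must be typed in."""
    host = ipaddress.ip_interface(host_ip)  # e.g. "10.1.1.50/24"

    # 1a. Gateway IP list: prefer an entry on the endpoint's own subnet.
    for gw in gateway_list:
        if ipaddress.ip_address(gw) in host.network:
            return ("gateway-list/same-subnet", gw)

    # 1b. Otherwise the first reachable entry, in the configured order.
    for gw in gateway_list:
        if reachable(gw):
            return ("gateway-list/first-reachable", gw)

    # 2. Remembered gateway IPs from earlier successful connections
    #    (reachability check here is an assumption).
    for gw in remembered:
        if reachable(gw):
            return ("remembered", gw)

    # 3. OS default gateway: only ever a FortiGate, never EMS.
    if default_gateway and reachable(default_gateway):
        return ("default-gateway", default_gateway)

    return None  # fall back to manual entry of the gateway IP
```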

Note: FortiClient uses the same process to connect Telemetry to FortiGate/EMS after the FortiClient endpoint reboots, rejoins the network, or encounters a network change.