Technical Tip: Blocking FortiGate VPN access based on FortiClient Version

Description

This article describes how to allow/block FortiClient users to connect to the FortiGate VPN (IPsec or SSL VPN) based on the software version of FortiClient they have available. This might be useful for administrators looking to enforce a policy of keeping FortiClient up-to-date on end-user computers.

Scope

FortiGate, FortiClient, EMS.

Solution

Option 1a: Restricting VPN access based on ZTNA Tags (EMS FortiClient only; SSL VPN and IPsec Supported):

• In EMS (under Endpoint Profiles -> Remote Access -> VPN Tunnels -> Advanced Settings) it is possible to specify a set of ZTNA tags that will either allow or block the user from connecting to the VPN. 
• This can be combined with a ZTNA tagging rule (in EMS: Zero Trust Tags -> Zero Trust Tagging Rules) that uses the 'FortiClient Version' Rule type to identify the version of FortiClient and apply an appropriate tag. This tag can then be used to either allow or deny the user access to the VPN until they are using an acceptable version (i.e. they can be blocked if they have a lower-than-expected version or allowed if they are at or above the expected version).
• For more information, refer to the following document: Augmenting VPN security with ZTNA tags

Option 1b: Restricting VPN access to managed EMS FortiClient only (EMS FortiClient only; SSL VPN only):

• This is a supplementary option to the above that allows admins to restrict SSL VPN access to managed EMS FortiClient users only (i.e., blocking free FortiClient users) using ZTNA on the FortiGate:

config vpn ssl setting

set ztna-trusted-client {enable | disable}

end

• This feature requires FortiClient to provide a valid EMS-signed certificate to the FortiGate during the VPN authentication process. Without a proper certificate (i.e. Deregistered FortiClient or free FortiClient-VPN), access is denied. Refer to the following documentation for more information: ZTNA device certificate verification from EMS for SSL VPN connections 7.2.1

• Combining Option 1a and Option 1b will result in an SSL VPN configuration that blocks free FortiClient-VPN users and only allows EMS-managed FortiClient users that are using acceptable versions of the software.

Option 1c: Enforcing ZTNA security posture tag - available in version 7.6.0 and above(EMS FortiClient only; IPsec VPN only):

• When a tag is defined on an IKEv2 IPsec tunnel, the client IP addresses that are resolved by that tag will be allowed to establish connection to the tunnel.

config vpn ipsec phase1-interface

    edit <name>

        set ike-version 2

        set remote-gw-match {any | ipmask | iprange | geography | ztna}

        set remote-gw-ztna-tags <IPv4 ZTNA posture tags>

    next

end

• Refer to the following documentation for more information: Security posture tag match enforced before dial-up IPsec VPN connection.

Option 2: Using FortiGate host checks (Free VPN and EMS FortiClient; SSL VPN only):

• Host checking rules can be configured on the FortiGate to allow/deny access to the SSL VPN if the client meets certain requirements. During the initial connection stage for the SSL VPN, FortiClient will receive these host-checking rules from the FortiGate and will assess if it complies with the rules or not.
• The following documentation covers the general parameters that can be checked on both the free FortiClient-VPN as well as paid EMS-managed FortiClient:
  • FortiGate-powered host check for free VPN client 7.0.3
  • Configuring OS and host check

• In this case, it is possible to have the FortiGate check for a minimum version of FortiClient running on the SSL VPN client before allowing the VPN to fully-establish. With the below config, the VPN only works for v7.4.1.1736 or above.

config vpn ssl web host-check-software

    edit <host_check_name>

        set os-type windows

        set type fw

            config check-item-list

                edit 1

                    set action require

                    set type process

                    set target "FortiClient.exe"

                    set version "7.4.1.1736"

                next

            end

config vpn ssl web portal

    edit <portal name>

        set host-check custom

        set host-check-policy <host_check_name>

    end

• Host checks are applied on a per-portal basis and do support the usage of multiple host check rule sets, but note that they are assessed in an AND format rather than an OR format (i.e. host check rule 1 and host check rule 2).