bmeta
Staff & Editor
March 31, 2015

Technical Tip: Configuring custom registry checks for SSL VPN

Description
This article shows how to perform a custom registry check before allowing SSL VPN access.

Solution

The following configuration adds a custom host check, and enforces it in the 'full-access' web portal.

# config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target "HKLM\\SOFTWARE\\Something\\Registry_Key:Registry_Data==Data_Value"
                set type registry
            next
        end
    next
end
# config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "test-registry"
    next
end
For example, to check against the computer name:
# config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName==TESTLAPTOP"
                set type registry
            next
        end
    next
end

The same holds true for a domain check. Set the 'target' as:
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==forti.lab
Note: 

Both HKLM and HKEY_LOCAL_MACHINE work.

Note:

When using FortiClient, a fully licensed version is required for the host-check registry check to work.
If the registry key is not present, this error message will appear on FortiClient:

[Screenshot of the FortiClient error message: dalten_FD36421_FD36421.png]
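Before enforcing a registry host check, an administrator can confirm on a Windows endpoint that it would satisfy the target, including the missing-key case described above. The following is an added example, not Fortinet or FortiClient code; the function name Test-HostCheckTarget is hypothetical, and the exact, case-sensitive comparison is an assumption because the article does not say how the data is compared.

```powershell
# Added example (not Fortinet code). Evaluates a host-check style target,
# "<key>:<value name>==<expected data>", against the local Windows registry.
function Test-HostCheckTarget {
    param(
        # Target exactly as typed in the FortiOS CLI, with doubled backslashes.
        [Parameter(Mandatory)][string]$Target
    )

    # The CLI examples escape each backslash; collapse "\\" to "\".
    $plain = $Target.Replace('\\', '\')

    if ($plain -notmatch '^(?<key>[^:]+):(?<name>[^=]+)==(?<data>.*)$') {
        throw "Target is not in <key>:<value>==<data> form: $Target"
    }
    $key      = $Matches['key']
    $name     = $Matches['name']
    $expected = $Matches['data']

    # Both HKLM and HKEY_LOCAL_MACHINE are accepted; normalise to the long form.
    $key  = $key -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\'
    $path = "Registry::$key"

    $result = 'Match'
    $actual = $null
    if (-not (Test-Path -LiteralPath $path)) {
        $result = 'KeyMissing'        # the case that produces the client error
    } else {
        $item = Get-ItemProperty -LiteralPath $path
        if ($null -eq $item -or $item.PSObject.Properties.Name -notcontains $name) {
            $result = 'ValueMissing'
        } else {
            $actual = [string]$item.$name
            # Assumption: exact, case-sensitive comparison (strictest reading).
            if ($actual -cne $expected) { $result = 'Mismatch' }
        }
    }
    [pscustomobject]@{ Key = $key; Value = $name; Expected = $expected
                       Actual = $actual; Result = $result }
}

# The two targets from this article; run on the endpoint before enforcing.
@(
    'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName==TESTLAPTOP',
    'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==forti.lab'
) | ForEach-Object { Test-HostCheckTarget -Target $_ } | Format-List
```

Any result other than Match means the endpoint would be expected to fail the host check as written, so the target or the endpoint needs correcting before the policy is applied to the portal.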

