Richard_one
New Member
May 17, 2016
Solved

Forticlient and EMS config questions


Hello, I am new to FortiGate and struggling with setting up FortiClient access. I know what I want, but in going through all of the Fortinet documentation I just can't find the exact solution I need. I have a FortiGate running 5.2.7 and also have EMS. I basically want to do an assessment of my laptops running FortiClient before they are allowed to connect to the SSLVPN using FortiClient.

1. When a laptop connects from the internet, before I allow connection to my internal network I want to make sure that the FortiClient AV is up to date and the firewall is active. If not, I do not want it to connect.

2. After a laptop connects with FortiClient, I want it to be able to register its status with the internal EMS server. The many examples in FortiGate documentation show how to get it to register with the FortiGate itself, but I am using EMS.

Can anyone point me in the right direction? Thanks!


    Huey
    New Member
    June 28, 2016

    Any luck with this?  your post is kind of old and before spending time helping let me know if you still need it.

    Huey
    New Member
    June 28, 2016

    I'll post anyway in hopes you can give me insight into your EMS deployment:

     

    The host check is fairly straightforward.  It looks for registry keys, so if something's in the registry then you can grant access based on it being there.  We look for domain membership and the presence of McAfee AV.

    Some notes on Host Check

    Although Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, we can use a registry value to detect the firewall status.

    If Windows firewall is on, the following registry value will be set to 1:

    KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

    ValueName: EnableFirewall

     

    So we could use the registry-value-check feature to define the Windows Firewall software with the following CLI:

    config vpn ssl web host-check-software
        edit WindowsDefaultFirewall
            set type fw
            config check-item-list
                edit 1
                    set type registry
                    set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                next
            end
        next
    end

     

    We had to check for McAfee AV so we did this:

     

    config vpn ssl web host-check-software
        edit "McAfee-VirusScan"
            config check-item-list
                edit 1
                    set type registry
                    set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}"
                next
            end
        next
    end

     

    config vpn ssl web portal
        edit "SSLVPN Portal"
            set tunnel-mode enable
            set host-check custom
            set limit-user-logins enable
            set ip-pools "SSLVPN_range"
            set split-tunneling-routing-address "Internal_Nets"
            set host-check-policy "McAfee-VirusScan"
        next
    end

    !######### Enable host check ##############
    config vpn ssl web portal
        edit "SSLVPN Portal"
            set tunnel-mode enable
            set host-check custom
            set host-check-policy "McAfee-VirusScan"
        next
    end

    Note: To check for domain membership, use the following registry value:

    KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    ValueName: Domain

    Value: ourdomain.com

     

     

    The registry checking syntax is defined as follows:

    ///////////////////////////////////////////////////////////////////////////////
    //
    // RegistryPolicyTarget example:
    // HKLM\SOFTWARE\Fortinet\FortiClient\Misc : TrafficChartMask == 12345678
    // ---- ---------------------------------- - ---------------- -- --------
    // --A- ------------------B--------------- C --------D------- -E-----F---
    //
    //   A --> RegRoot
    //   B --> RegSubKey
    //   C --> SubKey and ValueName separator
    //   D --> RegValueName ("default" for un-named or default)
    //   E --> Comparison Operator
    //   F --> Value (for string: abc, "abc" or 'abc')
    //
    // <SubKey and ValueName separator>, <RegValueName>, <Comparison Operator> and <Value> are optional.

    #define COMPARISON_OP_UNKNOWN 0 // Unknown comparison operator
    #define COMPARISON_OP_NONE    1 // No comparison operator
    #define COMPARISON_OP_EQ      2 // "=" , "==" : Equal
    #define COMPARISON_OP_NE      3 // "!=", "<>" : Not equal
    #define COMPARISON_OP_LT      4 // "<"  : Less than
    #define COMPARISON_OP_GT      5 // ">"  : Greater than
    #define COMPARISON_OP_LE      6 // "<=" : Less than or equal to
    #define COMPARISON_OP_GE      7 // ">=" : Greater than or equal
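
The post above gives the registry value for domain membership but not the matching host-check-software entry, and the portal it shows requires only the McAfee entry, while the original question wants both the AV and the firewall checked before the tunnel is allowed. The following is an added example, not code from Huey's post or from Fortinet documentation, that combines the three checks into one portal using the same `config vpn ssl web host-check-software` grammar and the RegistryPolicyTarget syntax documented above. Assumptions: FortiOS 5.2 CLI; the names `DomainMember`, `ourdomain.com`, `SSLVPN Portal`, `SSLVPN_range` and `Internal_Nets` are placeholders; `set action require` and `set host-check-interval` are taken to exist on this build; and with `set host-check custom` every entry listed in `host-check-policy` is taken to be required (verify that on your firmware before relying on it). The `#` lines are explanatory comments; strip them if your CLI rejects them when pasting.

```text
# Added example (not from the original post). FortiOS 5.2 CLI; names are placeholders.
config vpn ssl web host-check-software
    # Windows Firewall, private ("Standard") profile, exactly as in the post above.
    # DomainProfile and PublicProfile have sibling keys under FirewallPolicy; a laptop
    # on a public network is governed by PublicProfile, so pick the profile you care about.
    edit "WindowsDefaultFirewall"
        set type fw
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
            next
        end
    next
    # McAfee VirusScan shell-extension CLSID, exactly as in the post above.
    edit "McAfee-VirusScan"
        set type av
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}"
            next
        end
    next
    # Domain membership: the Tcpip "Domain" value named in the post, written in the
    # RegistryPolicyTarget grammar Root\SubKey:ValueName==Value. Placeholder domain.
    edit "DomainMember"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==ourdomain.com"
            next
        end
    next
end

config vpn ssl web portal
    edit "SSLVPN Portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_range"
        set split-tunneling-routing-address "Internal_Nets"
        set limit-user-logins enable
        set host-check custom
        # All three entries are listed; a laptop failing any of them is refused the tunnel.
        set host-check-policy "WindowsDefaultFirewall" "McAfee-VirusScan" "DomainMember"
        # Re-check every 300 s while connected instead of only at login (0 = login only).
        set host-check-interval 300
    next
end
```

Two caveats a practitioner should keep in mind. First, these are registry reads performed by FortiClient on the endpoint and reported to the FortiGate, so they are a hygiene gate rather than an attestation: the FirewallPolicy value can be set to 1 without the firewall service actually running, and Group Policy-managed firewall settings live under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall` rather than the per-profile key checked here. Second, a registry check can tell you that an AV product is installed but not that its signatures are current; the "AV up to date" requirement in the original question is not something this syntax expresses.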

     

    Richard_one
    New Member
    June 28, 2016

    Huey,

    Great, thanks for that information!  That is the best real world example yet I have seen for this setup.

    My remaining question has to do with integration of Forticlient with EMS and the Fortigate.  I haven't found a good explanation in the Fortinet docs on how to setup the scenario of having the Fortigate enforce the configuration checks but still have the forticlient register with the EMS server to provide a status and get any profile updates.  It almost seems like Fortinet didn't have everything baked before EMS was released.  

    Thanks,