Blacktip
New Member
November 13, 2014
Question

Fortigate SSLVPN - FortiClient - RegKey Checking on Login


I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.

 

What I would like to do is to configure the SSLVPN to carry out a “RegKey Check” for a “arbitrary custom string” which you place in your registry and you would need to not only have the software installed but the key would need to match a predefined string otherwise deny your request to login.

 

Has anyone achieved this at all?

 

Kind Regards

 

Blacktip


    norouzi
    New Member
    November 13, 2014

    I think you need to implement PKI.

    In this case your clients should have valid certificates in their browsers or in a token.

     

    Another solution is using FortiToken.

    After entering correct user and pass, user must enter OTP (one time password)  that can be generated with FortiToken.

    Using email and SMS is the same as implementing two-factor authentication with FortiToken. So users will receive the OTP through email or SMS.

     

    Blacktip (Author)
    New Member
    November 13, 2014

    Thanks for your quick reply.

     

    We do have a PKI infrastructure but I know when a previous colleague was working on the PoC (and he’s now left and didn’t document anything), there were issues in getting this working properly.  I don’t know what these issues were and information from him now is not forthcoming and normally equates to no more than have you tried a reboot!!!

     

    We don’t want to go down the route of the FortiToken as we already use a 2FA mechanism through SafeNet which provides an OTP and we don’t want the additional cost.

     

    Blacktip

    Carl_Wallmark
    New Member
    November 13, 2014

    Hi,

     

    You can use the "host-check" function for this.

     

    When the client connects to the firewall, the firewall sends out a check to the VPN client to look for:

    1. A registry string
    2. A file on your computer
    3. A running process
    4. Whether you have firewall software
    5. Whether you have antivirus software

    So for your problem, use option 1:

     

    config vpn ssl web host-check-software
        edit <a name>
            config check-item-list
                edit 0
                    set type registry
                    set target <your registry string>
            end
    end

    (be sure to type "get" and see all available options)

     

    Then associate this policy with your SSL VPN portal.

    Blacktip (Author)
    New Member
    November 13, 2014

    Fantastic.  This seems exactly like what I'm looking for.

     

    Is the <your registry string> in your example in the format of:

    "HKEY_LOCAL_MACHINE\SOFTWARE\Custom_Org_Hive\String_You_Want_To_Check_For"

    Carl_Wallmark
    New Member
    November 13, 2014
    Blacktip (Author)
    New Member
    November 13, 2014

    Many thanks for your help here.  It's much appreciated.

    Carl_Wallmark
    New Member
    November 13, 2014

    No problem! ;)

    Blacktip (Author)
    New Member
    November 20, 2014

    I have managed to start testing this today and I've done a new portal etc... and have configured the information, but I can't see where you associate the regkey check policy against the SSL VPN portal.  Has this moved in 5.2.1?

    Carl_Wallmark
    New Member
    November 20, 2014

    config vpn ssl web portal
        edit <tunnel>
            set host-check custom
            set host-check-policy <profile>
    end

    Blacktip (Author)
    New Member
    November 20, 2014

    Hmmm

     

    I managed to apply the host-check-policy to the SSL web portal but I now seem to get an error with blah blah blah (-7006) which is "host does not meet the requirement".  Either my syntax is incorrect or the firewall can't read the regkey even though I've made the key readable to everyone.

     

    Grrr
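Added example (not code from the thread): one way an administrator could stage the marker value on managed Windows endpoints and confirm it is readable before pointing the portal's host-check policy at it. The key path, value name and marker string are placeholders chosen here, and whether FortiClient reads the 32-bit (WOW6432Node) registry view is an assumption to confirm against your client build.

```powershell
# Added example, not from the thread: stage the marker value that the FortiGate
# host-check policy will require, then verify it from the endpoint side.
# Run from an elevated PowerShell prompt; HKLM is not writable otherwise.
# Key path, value name and marker string are placeholders. Pick your own.
$ValueName = 'SSLVPN_Marker'
$Expected  = 'CORP-VPN-MARKER-PLACEHOLDER'

# Write the 64-bit view and, on 64-bit Windows, the 32-bit (WOW6432Node) view too.
# Assumption: a 32-bit client process would only see the WOW6432Node copy.
$Paths = @('HKLM:\SOFTWARE\Custom_Org_Hive')
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += 'HKLM:\SOFTWARE\WOW6432Node\Custom_Org_Hive'
}

foreach ($KeyPath in $Paths) {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected `
        -PropertyType String -Force | Out-Null

    # Read it back the same way a client-side check would.
    $actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($actual -ne $Expected) {
        throw "Marker mismatch under $KeyPath : got '$actual'"
    }

    # The account that performs the host check needs at least ReadKey on the
    # key; list the principals that currently have it.
    Write-Host "Allowed readers of $KeyPath :"
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.RegistryRights -match 'ReadKey|FullControl' -and
                       $_.AccessControlType -eq 'Allow' } |
        Format-Table IdentityReference, RegistryRights -AutoSize
}

# Note: the marker only shows that the machine was provisioned with it; pair it
# with the certificate or OTP controls discussed earlier in the thread.
```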