FortiGate
pjang (Staff)
Article Id 357595
Description

This article describes how to allow or block FortiClient users from connecting to the FortiGate VPN (IPsec or SSL VPN) based on the FortiClient software version installed on their endpoint. This is useful for administrators who want to enforce a policy of keeping FortiClient up to date on end-user computers.

 

Scope

FortiGate, FortiClient, EMS

 

Solution

This article describes options that are available to both paid EMS-managed FortiClient users and free FortiClient VPN users, as well as options restricted to paid EMS-managed FortiClient only.

 

Option 1a: Restricting VPN access based on ZTNA Tags (EMS FortiClient only; SSL VPN and IPsec supported):

  • In EMS (under Endpoint Profiles -> Remote Access -> VPN Tunnels -> Advanced Settings) it is possible to specify a set of ZTNA tags that will either allow or block the user from connecting to the VPN.
  • This can be combined with a ZTNA tagging rule (in EMS: Zero Trust Tags -> Zero Trust Tagging Rules) that uses the 'FortiClient Version' rule type to identify the installed version of FortiClient and apply an appropriate tag. That tag can then be used to allow or deny the user access to the VPN until they are running an acceptable version (i.e. they can be blocked if they have a lower-than-expected version, or allowed if they are at or above the expected version).
  • For more information, refer to the following document: Augmenting VPN security with ZTNA tags

 

Option 1b: Restricting VPN access to managed EMS FortiClient only (EMS FortiClient only; SSL VPN only):

  • This is a supplementary option to the above that allows administrators to restrict SSL VPN access to EMS-managed FortiClient users only (i.e. blocking free FortiClient VPN users) using ZTNA on the FortiGate:

config vpn ssl setting
    set ztna-trusted-client {enable | disable}
end

  • Combining Option 1a and Option 1b results in an SSL VPN configuration that blocks free FortiClient VPN users and only allows EMS-managed FortiClient users that are running acceptable versions of the software.

 

Option 2: Using FortiGate host checks (Free VPN and EMS FortiClient; SSL VPN only):

  • Host-checking rules can be configured on the FortiGate to allow or deny access to the SSL VPN depending on whether the client meets certain requirements. During the initial connection stage for the SSL VPN, FortiClient receives these host-checking rules from the FortiGate and assesses whether it complies with them.
  • The following documentation covers the general parameters that can be checked on both the free FortiClient VPN and the paid EMS-managed FortiClient:

FortiGate-powered host check for free VPN client 7.0.3

Configuring OS and host check

  • In this case, it is possible to have the FortiGate check for a specific version of FortiClient running on the SSL VPN client before allowing the VPN to fully establish. The following example rule matches Windows-based clients and checks for a running instance of 'FortiClient.exe' at version 7.4.1 b1736:

 

config vpn ssl web host-check-software
    edit <host_check_name>
        set os-type windows
        set type fw
        config check-item-list
            edit 1
                set action require
                set type process
                set target "FortiClient.exe"
                set version "7.4.1.1736"
            next
        end
    next
end

config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy <host_check_name>
    next
end

  • Host checks are applied on a per-portal basis and support the use of multiple host check rule sets, but note that multiple rule sets are assessed with AND logic rather than OR logic (i.e. the client must pass host check rule 1 AND host check rule 2).
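As an added worked example (Python, written for this page rather than taken from Fortinet or the FortiClient/EMS products), the following models the two decisions the article describes: the Option 1a tagging of an endpoint by FortiClient version, and the Option 2 host-check evaluation in which several policies attached to one portal are ANDed. The tag names, the second "deny" rule set and its process name, and the treatment of a process version on a check item as an exact match are assumptions of the example, not settings from the page; the endpoint data is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(text: str) -> tuple:
    """Turn a FortiClient version string such as '7.4.1.1736' (CLI form) or
    '7.4.1 b1736' (GUI form) into a tuple of ints that compares numerically,
    so that 7.4.1.1736 > 7.4.1.998 even though a string comparison disagrees."""
    normalized = text.strip().replace(" b", ".")
    return tuple(int(part) for part in normalized.split(".") if part)


def version_tag(client_version: str, minimum: str = "7.4.1.1736") -> str:
    """Option 1a analogue: the EMS 'FortiClient Version' rule type applies a tag
    based on the installed version. The tag names are assumptions for this example."""
    if parse_version(client_version) >= parse_version(minimum):
        return "fc-current"
    return "fc-outdated"


def vpn_allowed_by_tag(tag: str, allow_tags=("fc-current",)) -> bool:
    """Option 1a: the VPN tunnel's Advanced Settings admit only allowed tags."""
    return tag in allow_tags


@dataclass
class CheckItem:
    """One entry of 'config check-item-list' from the article's host check."""
    action: str                      # 'require' or 'deny'
    target: str                      # process name, e.g. FortiClient.exe
    version: Optional[str] = None    # when set, the running version must match


@dataclass
class Endpoint:
    """Constructed view of what FortiClient would report: running processes
    mapped to their file versions."""
    processes: Dict[str, str]


def check_item_passes(item: CheckItem, endpoint: Endpoint) -> bool:
    """Assumption of this model: a version on a 'process' check item is an
    exact match, as in the article's example for 7.4.1 build 1736."""
    running = endpoint.processes.get(item.target)
    found = running is not None and (
        item.version is None or parse_version(running) == parse_version(item.version)
    )
    return found if item.action == "require" else not found


def rule_set_passes(items: List[CheckItem], endpoint: Endpoint) -> bool:
    """Every check item in one host-check-software entry must pass."""
    return all(check_item_passes(item, endpoint) for item in items)


def portal_admits(rule_sets: List[List[CheckItem]], endpoint: Endpoint) -> bool:
    """Several host-check policies attached to one portal are ANDed
    (the article's last bullet), not ORed: failing any one denies the client."""
    return all(rule_set_passes(items, endpoint) for items in rule_sets)


# Constructed sample policy: rule set 1 is the article's FortiClient.exe check;
# rule set 2 is a hypothetical second policy that denies a placeholder process.
REQUIRE_FORTICLIENT = [CheckItem("require", "FortiClient.exe", "7.4.1.1736")]
DENY_PLACEHOLDER = [CheckItem("deny", "example-blocked-tool.exe")]
PORTAL_POLICY = [REQUIRE_FORTICLIENT, DENY_PLACEHOLDER]

if __name__ == "__main__":
    for version in ("7.4.1 b1736", "7.2.4.0925", "7.4.2.1800"):
        tag = version_tag(version)
        print(f"FortiClient {version:<12} tag={tag:<11} vpn_allowed={vpn_allowed_by_tag(tag)}")

    compliant = Endpoint({"FortiClient.exe": "7.4.1.1736"})
    outdated = Endpoint({"FortiClient.exe": "7.2.4.0925"})
    print("host check, compliant client:", portal_admits(PORTAL_POLICY, compliant))
    print("host check, outdated client: ", portal_admits(PORTAL_POLICY, outdated))
```

Running the script prints the tag and VPN decision for three constructed versions, then the portal decision for a compliant and an outdated endpoint. The numeric tuple comparison in parse_version matters for the Option 1a "at or above" rule: comparing version strings lexically would rank build 998 above build 1736.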