FortiGate
nithincs
Staff
Article Id 197114

Description
This article describes the passing conditions for the host check list defined in host-check-software and for the host-check-policy defined in the web portal.

Solution
The check-item-list entries inside a host-check-software definition work as an AND condition, whereas the definitions listed in the host-check-policy of the web portal work as an OR condition.

Scenario 1.
Two check-item-list entries have been defined in one host check definition.

# config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target FortiClient.exe
            next
        end
    next
end

When hostcheck_condition1 is called in the host-check-policy as below, PCs that are running the FortiClient.exe process and have the file FortiClient.exe in the specified file location will be able to connect to the VPN.
If any one of these check-item-list entries fails, the SSL VPN will not connect.

# config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy hostcheck_condition1
    next
end

Scenario 2.

Two host check definitions have been defined as below.

# config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target cmd.exe
            next
        end
    next
    edit hostcheck_condition2
        config check-item-list
            edit 1
                set type registry
                set target HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient
            next
        end
    next
end

If both hostcheck_condition1 and hostcheck_condition2 are called in the host-check-policy, the client can connect to the SSL VPN if it passes both host check definitions or either one of them.

# config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy hostcheck_condition1 hostcheck_condition2
    next
end

A client PC that passes all check-item-list entries defined in hostcheck_condition1 or all entries defined in hostcheck_condition2 will be able to connect to the VPN.
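
The AND/OR rule from both scenarios, modelled as an added Python example (not Fortinet code and not part of the original article): it parses the Scenario 2 definitions and evaluates a portal's host-check-policy against a host. The function names, the host-state dictionary and the sample host are assumptions made for illustration.

```python
# Added illustration (not FortiOS code): models the AND/OR rule described above.
CONFIG = r"""
config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target cmd.exe
            next
        end
    next
    edit hostcheck_condition2
        config check-item-list
            edit 1
                set type registry
                set target HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient
            next
        end
    next
end
"""
# Constructed host state (assumed model): only the FortiClient registry key exists.
REGISTRY_ONLY = {"registry": {r"HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient"}}

def parse_definitions(text):
    """Return {definition name: [(type, target), ...]} from CLI config text."""
    defs, items, item, depth = {}, None, {}, 0
    for words in (l.split(None, 2) for l in map(str.strip, text.splitlines()) if l):
        if words[0] == "config":
            depth += 1
        elif words[0] == "end":
            depth -= 1
        elif words[0] == "edit" and depth == 1:   # a host check definition
            items = defs.setdefault(words[1], [])
        elif words[0] == "edit" and depth == 2:   # one check-item-list entry
            item = {}
        elif words[0] == "set" and depth == 2:
            item[words[1]] = words[2]
        elif words[0] == "next" and depth == 2:
            items.append((item["type"], item["target"]))
    return defs

def portal_allows(policy, defs, host):
    """OR across host-check-policy names, AND across each name's items."""
    return any(all(t in host.get(k, ()) for k, t in defs[n]) for n in policy)
```

With `REGISTRY_ONLY`, `portal_allows` returns False for a policy of `hostcheck_condition1` alone and True once `hostcheck_condition2` is also listed, so a portal's effective requirement is the least strict definition in its host-check-policy.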
