Created on 06-01-2020 07:02 AM Edited on 11-28-2021 09:16 PM By Anonymous
Description
This article describes the passing conditions for the host check list defined in host-check-software and for the host-check-policy defined in the web portal.
Solution
The check-item-list entries defined in a host-check-software definition work as an AND condition, whereas the definitions listed in host-check-policy in the web portal work as an OR condition.
Scenario 1.
Two check-item-list entries have been defined in one host check definition.
# config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target FortiClient.exe
            next
        end
    next
end
When hostcheck_condition1 is called in the host-check-policy as below, PCs that are running the FortiClient.exe process and have the file FortiClient.exe in the specified location will be able to connect to the VPN.
If either of these check-item-list entries fails, the SSL VPN will not connect.
# config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy hostcheck_condition1
end
Scenario 2.
Two host check definitions have been defined as below.
# config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target cmd.exe
            next
        end
    next
    edit hostcheck_condition2
        config check-item-list
            edit 1
                set type registry
                set target HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient
            next
        end
    next
end
If both hostcheck_condition1 and hostcheck_condition2 are called in the host-check-policy, the client can connect to the SSL VPN if it passes both host check definitions or either one of them.
# config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy hostcheck_condition1 hostcheck_condition2
end
A client PC that passes all of the check-item-list entries defined in either hostcheck_condition1 or hostcheck_condition2 will be able to connect to the VPN.
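The AND/OR evaluation described above, as an added example (not Fortinet's code and not part of the original article): a Python script that parses a configuration in the form shown in Scenario 2 and reports which host check definitions admit a given client. The function names and the `facts` set of (type, target) pairs observed on the client are assumptions made for illustration.

```python
# Constructed sample: Scenario 2 with every edit closed by next (not a real backup).
SAMPLE = r'''config vpn ssl web host-check-software
    edit hostcheck_condition1
        config check-item-list
            edit 1
                set type file
                set target C:\Program Files\Fortinet\FortiClient\FortiClient.exe
            next
            edit 2
                set type process
                set target cmd.exe
            next
        end
    next
    edit hostcheck_condition2
        config check-item-list
            edit 1
                set type registry
                set target HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient
            next
        end
    next
end
config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy hostcheck_condition1 hostcheck_condition2
    next
end'''

def parse(text):
    """Nested config/edit/set blocks -> dicts; assumes each edit ends with next."""
    stack = [{}]
    for raw in text.splitlines():
        op, _, rest = raw.strip().partition(" ")
        if op in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif op == "set":
            key, _, val = rest.partition(" ")
            stack[-1][key] = val.replace('"', "")
        elif op in ("next", "end"):
            stack.pop()
    return stack[0]

def admitting_definitions(cfg, portal, facts):
    """Policy definitions (OR) whose check items are all present in facts (AND)."""
    sw, web = cfg["vpn ssl web host-check-software"], cfg["vpn ssl web portal"]
    return [d for d in web[portal]["host-check-policy"].split()
            if all((i["type"], i["target"]) in facts
                   for i in sw[d]["check-item-list"].values())]
```

A non-empty result means the portal admits the client. A client that has only the registry key is admitted through hostcheck_condition2 alone, so every definition listed in host-check-policy has to be sufficient on its own.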