sthapa
Article Id 196447
Description
This article discusses host check validation for 'REG_QWORD' type registry.

Solution
The REG_DWORD type represents the data as a four-byte number and is commonly used for boolean values, for example '0' for disabled and '1' for enabled, in binary, hexadecimal and decimal format.

The following configuration adds a custom host check, and enforces it in the 'full-access' SSL VPN web portal profile.
# config vpn ssl web host-check-software
    edit "test-registry"
        set os-type windows
        set type av
        set version ''
        set guid "00000000-0000-0000-0000-000000000000"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Security:TCw1ntc$@ss3tchk_a$rnt==00000001"
                set version ''
            next
        end
    next
end
The registry target is given as 'Security:TCw1ntc$@ss3tchk_a$rnt==00000001', where 'Security' is the regedit search directory, 'TCw1ntc$@ss3tchk_a$rnt' is the key and '00000001' is the value in hexadecimal format, which means enabled.
# config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "test-registry" <- Mapping hostcheck profile.
    next
end
Case 1.

The SSL VPN connection fails when the hexadecimal value is changed to '00000000', which means disabled.
[20894:root:2]login_succeeded:398 redirect to hostcheck
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]req: /remote/hostcheck_validate
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]host check result:4 0000,6.3.0,02:00:4c:4f:4f:50|00:66:65:72:26:02|00:66:65:72:26:01
[20894:root:2]rmt_hcvalidate_cb_handler:385 hostcheck validation failed

If the registry key value is not equal to '00000001', which means enabled, this error message appears on FortiClient (refer to the screenshot below).





Case 2.

The SSL VPN connection succeeds when the hexadecimal value is changed to '00000001', which means enabled.
[20890:root:2]SSL VPN login matched rule (1).
[20890:root:2]rmt_web_session_create:726 create web session, idx[0]
[20890:root:2]login_succeeded:398 redirect to hostcheck
[20891:root:2]tunnelEnter:417 0x7f265ba4b800:0x7f265ba29000 sslvpn user[guest],type 1,logintime 0 vd 0
[20891:root:2]sconn 0x7f265ba4b800 (0:root) vfid=0 local=[10.5.19.80] remote=[10.5.21.58] dynamicip=[10.212.134.200]
[20891:root:2]Prepare to launch ppp service...
The user gets connected to the SSL VPN only if the registry key value is equal to '00000001' (refer to the screenshot below).
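
The two traces above can be told apart mechanically when reviewing a longer debug capture. The following Python script is an added example, not Fortinet code: it groups the lines by the leading process number and reports which user and host failed host check and which got a tunnel. It assumes only the line shapes visible in Case 1 and Case 2; the names `triage`, `hostcheck_failed` and `tunnel_up` are hypothetical.

```python
import re

# Sample input: debug lines copied from Case 1 and Case 2 on this page.
SAMPLE = """\
[20894:root:2]login_succeeded:398 redirect to hostcheck
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]req: /remote/hostcheck_validate
[20894:root:2]host check result:4 0000,6.3.0,02:00:4c:4f:4f:50|00:66:65:72:26:02|00:66:65:72:26:01
[20894:root:2]rmt_hcvalidate_cb_handler:385 hostcheck validation failed
[20890:root:2]login_succeeded:398 redirect to hostcheck
[20891:root:2]tunnelEnter:417 0x7f265ba4b800:0x7f265ba29000 sslvpn user[guest],type 1,logintime 0 vd 0
[20891:root:2]sconn 0x7f265ba4b800 (0:root) vfid=0 local=[10.5.19.80] remote=[10.5.21.58] dynamicip=[10.212.134.200]
[20891:root:2]Prepare to launch ppp service...
"""

# Assumption: the first number in the [..] prefix identifies the process handling the session.
PREFIX = re.compile(r"^\[(\d+):[^\]]*\](.*)$")
FIELD = re.compile(r"(\w+)=\[([^\]]*)\]")          # name=[value] pairs
TUNNEL_USER = re.compile(r"sslvpn user\[([^\]]*)\]")

def triage(text):
    """Return one event per host-check failure or tunnel start, with the context seen so far."""
    ctx, events = {}, []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                                 # not an sslvpn debug line
        pid, msg = m.groups()
        c = ctx.setdefault(pid, {})
        if "decode session id ok" in msg:
            f = dict(FIELD.findall(msg))
            c.update(user=f.get("user"), portal=f.get("portal"), host=f.get("host"))
        elif msg.startswith("tunnelEnter"):
            u = TUNNEL_USER.search(msg)
            if u:
                c["user"] = u.group(1)
        elif msg.startswith("sconn "):
            f = dict(FIELD.findall(msg))
            c.update(host=f.get("remote"), tunnel_ip=f.get("dynamicip"))
        elif "hostcheck validation failed" in msg:
            events.append({"result": "hostcheck_failed", **c})
        elif msg.startswith("Prepare to launch ppp service"):
            events.append({"result": "tunnel_up", **c})
    return events

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event)
```

A failure event with no user or host means the capture started after the session lines for that process were logged.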




Note.

Either an EMS license or a FortiClient endpoint and telemetry license is required for host-check registry validation to work in the latest FortiClient version.

Related Articles

Technical Tip: FortiClient licensing and support
