sthapa
Staff
Article Id 196447

Description

This article describes host check validation for a registry value of type 'REG_QWORD'.

Solution

The REG_DWORD type represents its data as a four-byte number and is commonly used for boolean values, where '0' means disabled and '1' means enabled, whether shown in binary, hexadecimal or decimal format.

The following configuration adds a custom host check and enforces it in the 'full-access' SSL VPN web portal profile.

config vpn ssl web host-check-software
    edit "test-registry"
        set os-type windows
        set type av
        set version ''
        set guid "00000000-0000-0000-0000-000000000000"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Security:TCw1ntc$@ss3tchk_a$rnt==00000001"
                set version ''
            next
        end
    next
end


The registry target is given as 'Security:TCw1ntc$@ss3tchk_a$rnt==00000001', where 'Security' is the registry key to search (the folder shown in regedit), 'TCw1ntc$@ss3tchk_a$rnt' is the value name, '==' is the comparison, and '00000001' is the required value in hexadecimal format, which means enabled.


config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "test-registry"    <- maps the host check profile to the portal
    next
end

 

Case 1.

The SSL VPN connection fails when the hexadecimal value is changed to '00000000', which means disabled.

 

[20894:root:2]login_succeeded:398 redirect to hostcheck
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]req: /remote/hostcheck_validate
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]deconstruct_session_id:380 decode session id ok, user=[guest],group=[],authserver=[],portal=[full-access],host=[10.5.21.58],realm=[],idx=0,auth=1,sid=24a597d2, login=1601387250, access=1601387250
[20894:root:2]host check result:4 0000,6.3.0,02:00:4c:4f:4f:50|00:66:65:72:26:02|00:66:65:72:26:01
[20894:root:2]rmt_hcvalidate_cb_handler:385 hostcheck validation failed


If the registry value is not equal to '00000001' (enabled), FortiClient displays the following error message (refer to the screenshot below).

Case 2.

The SSL VPN connection succeeds when the hexadecimal value is changed to '00000001', which means enabled.

[20890:root:2]SSL VPN login matched rule (1).
[20890:root:2]rmt_web_session_create:726 create web session, idx[0]
[20890:root:2]login_succeeded:398 redirect to hostcheck
[20891:root:2]tunnelEnter:417 0x7f265ba4b800:0x7f265ba29000 sslvpn user[guest],type 1,logintime 0 vd 0
[20891:root:2]sconn 0x7f265ba4b800 (0:root) vfid=0 local=[10.5.19.80] remote=[10.5.21.58] dynamicip=[10.212.134.200]
[20891:root:2]Prepare to launch ppp service...

Only if the registry value equals '00000001' does the user get connected to the SSL VPN (refer to the screenshot below).
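As an added example (not Fortinet's code), the following Python parses the host check target format used above ('KeyPath:ValueName==HexValue') and evaluates it against a constructed registry snapshot, reproducing Case 1 (value 00000000, check fails) and Case 2 (value 00000001, check passes). It assumes only the '==' comparison shown in this article, treats a missing key or value as a failed check, and uses plain dictionaries in place of the Windows registry.

```python
from dataclasses import dataclass
from typing import Mapping

@dataclass(frozen=True)
class RegistryCheck:
    key_path: str    # e.g. HKEY_LOCAL_MACHINE\SYSTEM\...\Tcpip\Security
    value_name: str  # e.g. TCw1ntc$@ss3tchk_a$rnt
    expected: str    # REG_DWORD as 8 hex digits, e.g. 00000001

def parse_target(target: str) -> RegistryCheck:
    """Split 'KeyPath:ValueName==Expected' as written in the CLI target.
    Assumption: only the '==' comparison from the article is supported."""
    key_path, sep, rest = target.partition(":")
    if not sep or not key_path:
        raise ValueError("target must be 'KeyPath:ValueName==Value'")
    value_name, op, expected = rest.partition("==")
    if not op or not value_name or not expected:
        raise ValueError("target must end with 'ValueName==Value'")
    return RegistryCheck(key_path, value_name, expected)

def dword_hex(value: int) -> str:
    """Render a REG_DWORD the way regedit shows it: 8 zero-padded hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD must fit in four bytes")
    return f"{value:08x}"

# Constructed stand-in for the registry: key path -> {value name: DWORD data}
Registry = Mapping[str, Mapping[str, int]]

def host_check_passes(target: str, registry: Registry) -> bool:
    """True only if the value exists and equals the expected hex string;
    a missing key or value is a failed check, not an error."""
    check = parse_target(target)
    values = registry.get(check.key_path)
    if values is None or check.value_name not in values:
        return False
    return dword_hex(values[check.value_name]) == check.expected.lower()

KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Security"
TARGET = KEY + ":TCw1ntc$@ss3tchk_a$rnt==00000001"   # the article's target

# Constructed snapshots for the two cases in the article.
CASE1_DISABLED = {KEY: {"TCw1ntc$@ss3tchk_a$rnt": 0x00000000}}
CASE2_ENABLED = {KEY: {"TCw1ntc$@ss3tchk_a$rnt": 0x00000001}}

if __name__ == "__main__":
    print("case 1 (00000000):", host_check_passes(TARGET, CASE1_DISABLED))  # False
    print("case 2 (00000001):", host_check_passes(TARGET, CASE2_ENABLED))   # True
```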

Related article:

Technical Tip: FortiClient licensing and support