Article Id 269644


This article describes how to use SSL VPN host check features to allow or prevent endpoints from connecting to FortiGate through SSL VPN, depending on software installation and process running state.




FortiGate, SSL VPN.



In certain organizations, endpoints are required to install and run specified software before they can establish an SSL VPN connection.


For example, consider the following scenario: before making SSL VPN connections, endpoints are required to install endpoint security software (such as TrendMicro).
This article will demonstrate the process of setting up a custom host check policy and utilizing it to target a particular SSL VPN user group through the SSL VPN portal.

SSLVPN host check policy configuration

  1. Using registry editor, locate 'InstallStatus' under the TrendMicro software directory; this will be used as a custom registry check parameter.



  2. Run the software and identify the process name (for example, TmsaInstance64.exe) by running tasklist under the command prompt.


  3. Using the acquired information, set up a SSLVPN host check policy that includes both registry and process checks.
    SSLVPN host check policy name: trendmicro_check.
    Registry check: HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro:InstallStatus==1.
    Process check: TmsaInstance64.exe.





  • Both 'HKLM' and 'HKEY_LOCAL_MACHINE' work under registry check.
  • SSLVPN host check features are only available in the free FortiClient as of version 7.0.3 and above.
  • The item check list functions as an AND operator: in order for SSLVPN to establish a connection, it needs to meet both requirements. (For example, the TrendMicro software is installed and running.)
  • On the other hand, if one of the host check requirements is not matched (for example, TrendMicro software is installed but not running), SSL VPN users will be unable to connect.

  4. Apply the SSL VPN host check policy to the specific SSL VPN portal (for example, full-access):
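The host check policy from step 3 and the portal binding from step 4, written out in the FortiOS CLI as an added example (this is not configuration taken from the original article). The command keywords follow the FortiOS CLI reference as I recall it, so verify them against your firmware version; the host-check-software `type av` value and the check-item `action require` setting are assumptions.

```text
# Custom host check policy: both items must pass (AND semantics).
config vpn ssl web host-check-software
    edit "trendmicro_check"
        set type av
        config check-item-list
            edit 1
                set action require
                set type registry
                # Registry value must equal 1; HKLM is accepted in place of HKEY_LOCAL_MACHINE.
                set target "HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro:InstallStatus==1"
            next
            edit 2
                set action require
                set type process
                # Process name as shown by tasklist on the endpoint.
                set target "TmsaInstance64.exe"
            next
        end
    next
end

# Bind the custom policy to the SSL VPN portal used by the target user group.
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "trendmicro_check"
    next
end
```

After applying, `show vpn ssl web host-check-software` and `show vpn ssl web portal` display the resulting configuration so the target strings can be compared against what was captured in steps 1 and 2.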


Testing and validation

Case 1: TrendMicro software is not installed or it is installed but not running.

Result: SSLVPN users are not able to connect to FortiGate, as the endpoint does not meet the host check requirements.




SSL VPN debug logs:



Case 2: Software is installed and running

Result: SSL VPN users are able to connect to FortiGate, as the endpoint meets the host check requirements.