FortiGate
anderson_yee
Staff
Article Id 269644
Description

This article describes how to use the SSL VPN host check feature to allow or prevent endpoints from connecting to FortiGate through SSL VPN, depending on whether specified software is installed and whether its process is running.

Scope

FortiGate, SSL VPN.

Solution

In certain organizations, endpoints are required to install and run specified software before they can establish an SSL VPN connection.

For example, consider the following scenario: before making SSL VPN connections, endpoints are required to install endpoint security software (such as TrendMicro).
This article demonstrates how to set up a custom host check policy and apply it to a particular SSL VPN user group through the SSL VPN portal.

SSL VPN host check policy configuration

  1. Using the registry editor, locate 'InstallStatus' under the TrendMicro software key; this value will be used as the custom registry check parameter.

[screenshot]

  2. Run the software and identify its process name (for example, TmsaInstance64.exe) by running 'tasklist' in the command prompt.

[screenshot]

  3. Using the acquired information, set up an SSL VPN host check policy that includes both the registry check and the process check:
     SSL VPN host check policy name: trendmicro_check.
     Registry check: HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro:InstallStatus==1.
     Process check: TmsaInstance64.exe.

[screenshot]

 

Note:

  • Both 'HKLM' and 'HKEY_LOCAL_MACHINE' work in the registry check.
  • SSL VPN host check features are only available in the free FortiClient as of version 7.0.3 and above.
  • The check item list functions as an AND operator: in order for the SSL VPN connection to be established, the endpoint must meet both requirements (for example, the TrendMicro software is installed and running).
  • If one of the host check requirements is not matched (for example, the TrendMicro software is installed but not running), SSL VPN users will be unable to connect.

  4. Apply the SSL VPN host check policy to the specific SSL VPN portal (for example, full-access):

[screenshot]
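The same policy and portal binding expressed in the FortiOS CLI, added here as an example that is not part of the original article. It uses the `config vpn ssl web host-check-software` and `config vpn ssl web portal` trees; the check item IDs (1 and 2), `set os-type windows`, and the `full-access` portal name are assumptions for this scenario. Backslashes inside FortiOS CLI strings must be escaped, which is why the registry target is written with `\\`.

```fortios
# Added example, not from the original article. Lines starting with '#' are comments.
# Assumed: Windows endpoints, check item IDs 1 and 2, portal named "full-access".

# Step 3: custom host check policy with a registry check AND a process check.
# Both items use "action require", so both must match before the tunnel is allowed.
config vpn ssl web host-check-software
    edit "trendmicro_check"
        set os-type windows
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\\SOFTWARE\\TrendMicro:InstallStatus==1"
            next
            edit 2
                set action require
                set type process
                set target "TmsaInstance64.exe"
            next
        end
    next
end

# Step 4: bind the policy to the portal; "custom" selects the named policy.
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "trendmicro_check"
    next
end

# Verify what was stored before testing.
show vpn ssl web host-check-software trendmicro_check
show vpn ssl web portal full-access

# Capture the host check result during a test login (Case 1 / Case 2 below),
# then turn debugging off again once the login attempt has been observed.
diagnose debug application sslvpn -1
diagnose debug enable
diagnose debug disable
```

Because both check items are set to `require`, an endpoint that satisfies only one of them (for example, TrendMicro installed but its process not running) is rejected at the host check stage, which is the behaviour described in the notes above.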


Testing and validation

Case 1: The TrendMicro software is not installed, or it is installed but not running.

Result: SSL VPN users are not able to connect to FortiGate because the endpoint does not meet the host check requirements.

[screenshot]

SSL VPN debug logs:

[screenshot]

Case 2: The software is installed and running.

Result: SSL VPN users are able to connect to FortiGate because the endpoint meets the host check requirements.

[screenshot]