Fortinet Forum
herta
New Contributor II

SSL VPN host-check-policy (A and B) or (A and C)

Fortigate: 6.0.6

This is related to https://kb.fortinet.com/k....do?externalID=FD39129 and to https://kb.fortinet.com/k....do?externalID=FD48982

We have defined a custom host check to only allow access from systems that are members of our domain, that have specific files in a given folder and that run certain programs. We would like to add an antivirus check to that. The difficulty is that we are in the process of upgrading the antivirus software, and noticed that the old version has a different GUID from the new one. Due to circumstances beyond our control, we expect it will take several months before everyone is running the same version again.

We configured the host-check-software similar to this:

    config vpn ssl web host-check-software
        edit "Domain check"
            config check-item-list
                edit 1
                    set type registry
                    set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain=ours.com"
                next
                (...)
                edit 5
                    set type process
                    set target something-essential.exe
                next
            end
        next
        edit "AV virusscan 1"
            set version "18"
            set guid "mmmmmmm"
        next
        edit "AV virusscan 2"
            set version "19"
            set guid "nnnnnnn"
        next
    end

But how do you define the host-check-policy so that either the 1st and 2nd or the 1st and 3rd condition must be met for a given portal? (I.e. (A and B) or (A and C))

Kind regards,
Herta

emnoc
Esteemed Contributor III

Did you read this KB? I think if it is equal or higher, then it would pass, so you have to write the check to match at the minimum version.


Adding custom host check definitions for FortiGate SSL VPN host check feature (fortinet.com)


Ken Felix

PCNSE 

NSE 

StrongSwan  

herta
New Contributor II

Yes, I read it. It's the first link in my post. Point 8 states "If GUID differs then host check will fail. The version check will pass as long as the application version is equal to or greater than what is defined in the custom host check definition along with GUID match." As explained, the 2 versions of our AV don't have matching GUIDs, which is why we need both "AV virusscan 1" and "AV virusscan 2".

BatemanR
New Contributor

You must duplicate the host check as a second host check, and specify the 'alternate' GUID in the second.


Be careful defining, because the client only has to satisfy the conditions of a single host check to pass, so you must bundle all conditions into a single host check.


Or, in this case, two, each with one of your possible GUIDs
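A concrete layout of what BatemanR describes, written as an added example that is not part of this thread and not Fortinet's own documentation: two host-check-software entries, each carrying the complete set of shared conditions (A: domain membership, required file, required process) plus one of the two AV GUIDs (B or C), both referenced from the portal's host-check-policy. The entry names "Domain+AV18" and "Domain+AV19", the portal name "our-portal", the file path in item 2, and the placeholder versions and GUIDs are assumptions; the registry and process targets are taken from the original post. Comment lines beginning with # are explanatory and are not part of the configuration.

```fortios
# Added example; not the thread's or Fortinet's own configuration.
# Every item inside one host-check-software entry must be satisfied (AND);
# the portal passes if ANY entry listed in host-check-policy is satisfied (OR).
# So the shared conditions (A) are repeated in both entries, and each entry
# carries exactly one AV GUID (B or C), giving (A and B) or (A and C).
config vpn ssl web host-check-software
    # (A and B): domain/file/process items plus the old AV (version 18, GUID mmmmmmm)
    edit "Domain+AV18"
        set type av
        set version "18"
        set guid "mmmmmmm"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain=ours.com"
            next
            edit 2
                # hypothetical marker file standing in for the "(...)" items of the post
                set action require
                set type file
                set target "C:\\Program Files\\Example\\marker.dat"
            next
            edit 3
                set action require
                set type process
                set target something-essential.exe
            next
        end
    next
    # (A and C): the same items plus the new AV (version 19, GUID nnnnnnn)
    edit "Domain+AV19"
        set type av
        set version "19"
        set guid "nnnnnnn"
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain=ours.com"
            next
            edit 2
                set action require
                set type file
                set target "C:\\Program Files\\Example\\marker.dat"
            next
            edit 3
                set action require
                set type process
                set target something-essential.exe
            next
        end
    next
end

# Reference both bundles from the portal; a client passes if it satisfies either one.
config vpn ssl web portal
    edit "our-portal"
        set host-check custom
        set host-check-policy "Domain+AV18" "Domain+AV19"
    next
end
```

Because the entries in host-check-policy are alternatives, any condition that appears in only one of them is effectively optional for clients that match the other entry; every condition you intend to enforce has to be present in both bundles. When the AV migration is finished, the bundle with the old GUID can be dropped from host-check-policy so the old version is no longer accepted.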