Hi
actually I do not really know if this would work because I never used it but if you would like to differ between official devices and not official device on WebPortal or/and Tunnel mode why you do not use a Registry Check? This means if you have installed on a Endpoint Windows a FortiClient and only specific Endpoint Clients which have the FortiClient installed and using SSL tunnel mode and/or Webportal you can check against a specific Registry if they are able to connect. To configure this stuff use following:
Definition of the Registry check:
# config vpn ssl web host-check-software
# edit [Name für den Registry Check]
# config check-item-list
# edit [Use an integer "1"]
# set target [Define a Registry Key to be checked agains "HKLM\\SOFTWARE\\Something\\Example"]
# set type registry
# next
# end
# next
# end
Definiton of the tunnel/webportal to be used for the Registry check:
# config vpn ssl web portal
# edit [Name of the profile Web/Tunnel Mode]
# set host-check custom
# set host-check-policy [Defintion of the Registry check "host-check-software"]
# next
# end
If a FortiClient SSL would conncet to the FGT over tunnel this Registry is checked. If a user meaning Endpoint which has at minimum the SSL client installed would use the WebPortal the same check is used and if it does not exist following is shown:
Following is shown if Reg is not existing:
Keep in mind that device identification can be faked meaning in every linux it is possible to fake for a attack the identification (not easy but it can be done). This means I'm able to attack from a linux a device and tell this device that I'm a windows device! With such a configuration shown here only devices with this Reg Check can connect nobody else.
Give it a try it is easy done and fast configured.
hope this helps
have fun
