Holy
Contributor

Device identification for SSL.root Interface possible?

Hello,

 

Is it possible to activate device authentication on the SSL.root interface, to block for example all Android phones and iPhones?

 

So if someone connects through SSL VPN using FortiClient on Android or iPhone, he won't be able to access the internal LAN, and all the others who connect from FortiClient on a Windows PC or Mac have access.

 

I have tested it: activated "Device identification" on WAN1 (where ssl.root is) and then created a policy which denies all traffic for Android devices from ssl.root > lan, but it didn't work...

 

 

Thank you

NSE 8
NSE 1 - 7
AndreaSoliva
Contributor III

Hi

 

Actually I do not really know if this would work because I never used it, but if you would like to differentiate between official devices and non-official devices on WebPortal and/or Tunnel mode, why don't you use a Registry Check? This means if you have a FortiClient installed on a Windows endpoint, and only specific endpoint clients which have the FortiClient installed and use SSL tunnel mode and/or WebPortal, you can check against a specific Registry key whether they are able to connect. To configure this, use the following:

 

Definition of the Registry check:

config vpn ssl web host-check-software
    edit [Name for the Registry check]
        config check-item-list
            edit [Use an integer, e.g. "1"]
                set target [Registry key to be checked against, e.g. "HKLM\\SOFTWARE\\Something\\Example"]
                set type registry
            next
        end
    next
end

Definition of the tunnel/webportal to be used for the Registry check:

config vpn ssl web portal
    edit [Name of the profile for Web/Tunnel Mode]
        set host-check custom
        set host-check-policy [Name of the Registry check defined under "host-check-software"]
    next
end

If a FortiClient SSL client connects to the FGT over tunnel mode, this Registry key is checked. If a user (meaning an endpoint which has at minimum the SSL client installed) uses the WebPortal, the same check is used, and if the key does not exist the following is shown:

The following is shown if the Reg key does not exist:

 

Keep in mind that device identification can be faked, meaning on every Linux it is possible to fake the identification for an attack (not easy, but it can be done). This means I'm able to attack a device from a Linux box and tell this device that I'm a Windows device! With the configuration shown here only devices passing this Reg Check can connect, nobody else.

Give it a try, it is easily done and fast to configure.

hope this helps

have fun
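
A complete version of the host check described above, added here as an example; it is not taken from AndreaSoliva's post or from Fortinet documentation, and the object names ("Corp-FortiClient-Check", "tunnel-access", "SSLVPN-Users"), the registry key path and the "internal" interface are assumptions. It follows FortiOS 5.x CLI syntax and adds the pieces the placeholders above leave open: the `set action require` on the check item, the `os-type` of the check, and the firewall policy on ssl.root that the tunnel traffic then has to pass. Lines starting with `#` are comments (FortiOS CLI scripts accept them), not prompts.

```text
# --- Host check: require a registry key that only managed Windows clients have ---
config vpn ssl web host-check-software
    edit "Corp-FortiClient-Check"            # assumed name
        set os-type windows                  # check applies to Windows endpoints
        config check-item-list
            edit 1
                set action require           # connection is refused if the item is missing
                set type registry
                set target "HKLM\\SOFTWARE\\Example Corp\\Managed"   # placeholder key path
            next
        end
    next
end

# --- Portal: bind the custom host check to the tunnel-mode portal ---
config vpn ssl web portal
    edit "tunnel-access"                     # assumed portal name
        set tunnel-mode enable
        set host-check custom
        set host-check-policy "Corp-FortiClient-Check"
    next
end

# --- Firewall policy: what clients that passed the check may reach from ssl.root ---
config firewall policy
    edit 0                                   # 0 = next free policy id
        set srcintf "ssl.root"
        set dstintf "internal"               # assumed LAN interface name
        set srcaddr "SSLVPN_TUNNEL_ADDR1"    # default SSL VPN tunnel address pool
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"            # assumed user group mapped to the portal
    next
end
```

The host check is enforced when the client logs in to the portal, before a tunnel IP is handed out, while the ssl.root policy only decides what an already established tunnel may reach; a device-type match on ssl.root would have to be added to that policy, whereas the host check rejects the non-matching endpoint one step earlier.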

 
Holy

Hello,

 

Thank you for your answer, I will try it out.

 

But actually I just wanted a device-based policy like you can create for WLAN interfaces for example, now just for the ssl.root interface. My customer wants users to be allowed only from FortiClient + Windows, no phones, no tablets...

 

 

AndreaSoliva wrote:

Hi

 

Actually I do not really know if this would work because I never used it, but if you would like to differentiate between official devices and non-official devices on WebPortal and/or Tunnel mode, why don't you use a Registry Check? This means if you have a FortiClient installed on a Windows endpoint, and only specific endpoint clients which have the FortiClient installed and use SSL tunnel mode and/or WebPortal, you can check against a specific Registry key whether they are able to connect. To configure this, use the following:

 

Definition of the Registry check:

config vpn ssl web host-check-software
    edit [Name for the Registry check]
        config check-item-list
            edit [Use an integer, e.g. "1"]
                set target [Registry key to be checked against, e.g. "HKLM\\SOFTWARE\\Something\\Example"]
                set type registry
            next
        end
    next
end

Definition of the tunnel/webportal to be used for the Registry check:

config vpn ssl web portal
    edit [Name of the profile for Web/Tunnel Mode]
        set host-check custom
        set host-check-policy [Name of the Registry check defined under "host-check-software"]
    next
end

If a FortiClient SSL client connects to the FGT over tunnel mode, this Registry key is checked. If a user (meaning an endpoint which has at minimum the SSL client installed) uses the WebPortal, the same check is used, and if the key does not exist the following is shown:

The following is shown if the Reg key does not exist:

[attachImg]https://forum.fortinet.com/download.axd?file=0;124460&where=message&f=error-reg-check.JPG[/attachImg]

 

Keep in mind that device identification can be faked, meaning on every Linux it is possible to fake the identification for an attack (not easy, but it can be done). This means I'm able to attack a device from a Linux box and tell this device that I'm a Windows device! With the configuration shown here only devices passing this Reg Check can connect, nobody else.

Give it a try, it is easily done and fast to configure.

hope this helps

have fun

 

AndreaSoliva
Contributor III

Hi

 

As mentioned I never used it, but what you want is described here:

 

http://help.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.40...

 

hope it helps

 

have fun

 

Andrea

Holy

Thank you, that should be a good way to block phones and tablets.

 

AndreaSoliva wrote:

Hi

 

As mentioned I never used it, but what you want is described here:

 

http://help.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.40...

 

hope it helps

 

have fun

 

Andrea
