Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FC 5.6 Shutdown

Has anyone managed to shutdown FortiClient 5.6 manually when managed by EMS and you set a password lock ?

 

Even after I click "Disconnect" and enter the password I cannot unlock forticlient and shut it down, works well in 5.4 but not in 5.6.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
1 Solution
Carl_Wallmark

Want to hear some more scary **** ?

 

 

The GUI in FortiClient is a small webserver, so the functions are plain javascript.

As a normal user (no admin), take a copy of the forticlient.exe file, put it on your desktop.

Edit the file with Notepad++

Because forticlient contains javascript, the functions are in plain text.

Find the password function. it will be something like this: "if password == password2 then bla bla"

change the "==" to "!="

Save the file

Run it from the desktop, click on disconnect, enter any password you like, BOOM!! accepted and disconnected......

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

View solution in original post

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
8 REPLIES 8
Carl_Wallmark
Valued Contributor

I have created a ticket 2239521 if anyone from Fortinet wants to take a look.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Carl_Wallmark

According to support, this is by design.

 

It´s impossible to shutdown FortiClient manually when you have configured a "Settings Password" in the EMS profile.

 

 

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
FortiMess

This is insane.

 

Disabling AV completely for a short period of time as a troubleshooting technique to rule out AV as a factor/cause of an end user issue is a L1 task. Disabling AV to uninstall/update AV is also a L1 task (yep, we do this manually since FortiClient's update process is so unbelievably - yet believably, because it's Fortinet - convoluted).

 

Now we have a setting called "Password Lock Configuration" that does not actually unlock the configuration when you enter the password. Now we have L1 techs who apparently will need access to our AV console, and subsequently (since EMS cannot have multiple local users) either the AV console server or our management domain.

 

Yesterday a Fortinet rep told me on the phone that they are the leading and de facto information security company. He couldn't see it, but I rolled my eyes. EMS cannot even import a trusted cert, no MITM protection for our AV console?

 

Industry pioneers? Definitely.

Enterprise-ready functionality? Not so fast.

 

Edit: As of v1.2, EMS supports importing a CA-signed cert so you are no longer forced to use the self-signed one that it ships with.

Carl_Wallmark

Want to hear some more scary **** ?

 

 

The GUI in FortiClient is a small webserver, so the functions are plain javascript.

As a normal user (no admin), take a copy of the forticlient.exe file, put it on your desktop.

Edit the file with Notepad++

Because forticlient contains javascript, the functions are in plain text.

Find the password function. it will be something like this: "if password == password2 then bla bla"

change the "==" to "!="

Save the file

Run it from the desktop, click on disconnect, enter any password you like, BOOM!! accepted and disconnected......

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
rejohnson
New Contributor

This works for me with EMS 1.2.1 and FCT 5.6.0.  Create a profile without password lock, apply to a separate group, move computer to that group.  Disconnect.  Can now shutdown FortiClient.

Carl_Wallmark

Yep, that you can do.

 

But what do you do when you have someone outside the office, traveling or something that cannot reach your EMS server ?

Ok, you can of course run FortiClient tools and import a new profile etc. without a password but it´s way more complicated than it should be.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
rejohnson

Evil people make everything more complicated!  I understand that Fortinet has to keep the bad guys from stopping FortiClient but they've probably got this password thing backwards.  If you have a p/w then you should be able to shutdown FortiClient.  No password, then you can't without EMS taking you out of management.

 

Do you have VPN or publicly publish the EMS server on the Internet?  Definitely need one or both of those if you have remote clients.  If EMS isn't available for other reasons then you're pretty much hosed, anyway.  But I agree that some method of local authentication is still needed because sometimes you just have to be able to shut that sucker down!

FortiMess

That is crazy. I wasn't able to reproduce this hack to bypass the password lock, but I do find it interesting that the door is wide open for anyone to have at the java functions, especially without admin permissions.

 

And yes, you can create a copy of every policy you have in place, create an EMS "group" or an AD OU, and apply the copy of the policy to your container of choice and finally remove the password lock. However you still have to give L1 staff access to EMS, an infrastructure security solution. And given the lack of granularity of permissions you can assign EMS users, that is why I felt the word "insane" was warranted.

 

The ridiculous thing is that it used to work, so we know that it can work, they simply changed the behavior to appease a subset of their customers instead of making the behavior configurable so that their solution meets the needs of a wider customer base.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors