Has anyone managed to shutdown FortiClient 5.6 manually when managed by EMS and you set a password lock ?
Even after I click "Disconnect" and enter the password I cannot unlock forticlient and shut it down, works well in 5.4 but not in 5.6.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Want to hear some more scary **** ?
The GUI in FortiClient is a small webserver, so the functions are plain javascript.
As a normal user (no admin), take a copy of the forticlient.exe file, put it on your desktop.
Edit the file with Notepad++
Because forticlient contains javascript, the functions are in plain text.
Find the password function. it will be something like this: "if password == password2 then bla bla"
change the "==" to "!="
Save the file
Run it from the desktop, click on disconnect, enter any password you like, BOOM!! accepted and disconnected......
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I have created a ticket 2239521 if anyone from Fortinet wants to take a look.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
According to support, this is by design.
It´s impossible to shutdown FortiClient manually when you have configured a "Settings Password" in the EMS profile.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
This is insane.
Disabling AV completely for a short period of time as a troubleshooting technique to rule out AV as a factor/cause of an end user issue is a L1 task. Disabling AV to uninstall/update AV is also a L1 task (yep, we do this manually since FortiClient's update process is so unbelievably - yet believably, because it's Fortinet - convoluted).
Now we have a setting called "Password Lock Configuration" that does not actually unlock the configuration when you enter the password. Now we have L1 techs who apparently will need access to our AV console, and subsequently (since EMS cannot have multiple local users) either the AV console server or our management domain.
Yesterday a Fortinet rep told me on the phone that they are the leading and de facto information security company. He couldn't see it, but I rolled my eyes. EMS cannot even import a trusted cert, no MITM protection for our AV console?
Industry pioneers? Definitely.
Enterprise-ready functionality? Not so fast.
Edit: As of v1.2, EMS supports importing a CA-signed cert so you are no longer forced to use the self-signed one that it ships with.
Want to hear some more scary **** ?
The GUI in FortiClient is a small webserver, so the functions are plain javascript.
As a normal user (no admin), take a copy of the forticlient.exe file, put it on your desktop.
Edit the file with Notepad++
Because forticlient contains javascript, the functions are in plain text.
Find the password function. it will be something like this: "if password == password2 then bla bla"
change the "==" to "!="
Save the file
Run it from the desktop, click on disconnect, enter any password you like, BOOM!! accepted and disconnected......
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
This works for me with EMS 1.2.1 and FCT 5.6.0. Create a profile without password lock, apply to a separate group, move computer to that group. Disconnect. Can now shutdown FortiClient.
Yep, that you can do.
But what do you do when you have someone outside the office, traveling or something that cannot reach your EMS server ?
Ok, you can of course run FortiClient tools and import a new profile etc. without a password but it´s way more complicated than it should be.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Evil people make everything more complicated! I understand that Fortinet has to keep the bad guys from stopping FortiClient but they've probably got this password thing backwards. If you have a p/w then you should be able to shutdown FortiClient. No password, then you can't without EMS taking you out of management.
Do you have VPN or publicly publish the EMS server on the Internet? Definitely need one or both of those if you have remote clients. If EMS isn't available for other reasons then you're pretty much hosed, anyway. But I agree that some method of local authentication is still needed because sometimes you just have to be able to shut that sucker down!
That is crazy. I wasn't able to reproduce this hack to bypass the password lock, but I do find it interesting that the door is wide open for anyone to have at the java functions, especially without admin permissions.
And yes, you can create a copy of every policy you have in place, create an EMS "group" or an AD OU, and apply the copy of the policy to your container of choice and finally remove the password lock. However you still have to give L1 staff access to EMS, an infrastructure security solution. And given the lack of granularity of permissions you can assign EMS users, that is why I felt the word "insane" was warranted.
The ridiculous thing is that it used to work, so we know that it can work, they simply changed the behavior to appease a subset of their customers instead of making the behavior configurable so that their solution meets the needs of a wider customer base.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1086 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.