Hello, I am new to FortiGate and struggling with setting up FortiClient access. I know what I want, but in going through all of the Fortinet documentation I just can't find the exact solution I need. I have a FortiGate running 5.2.7 and also have EMS. I basically want to do an assessment of my laptops running FortiClient before they are allowed to connect to the SSLVPN using FortiClient.
1. When a laptop connects from the internet, before I allow connection to my internal network I want to make sure that the FortiClient AV is up to date and the firewall is active. If not, I do not want it to connect.
2. After a laptop connects with FortiClient, I want it to be able to register its status with the internal EMS server. The many examples in FortiGate documentation show how to get it to register with the FortiGate itself, but I am using EMS.
Can anyone point me in the right direction? Thanks!
I'll post anyway in hopes you can give me insight into your EMS deployment:
The host check is fairly straightforward. It looks for registry keys, so if something's in the registry then you can grant access based on it being there. We look for domain membership and the presence of McAfee AV.
Although Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, we can use a registry value to detect the firewall status.
If Windows firewall is on, the following registry value will be set to 1:
KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
ValueName: EnableFirewall
So we could use the registry-value-check feature to define the Windows Firewall software by the following CLI:
config vpn ssl web host-check-software
    edit WindowsDefaultFirewall
        set type fw
        config check-item-list
            edit 1
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
            next
        end
    next
end
We had to check for McAfee AV so we did this:
config vpn ssl web host-check-software
    edit "McAfee-VirusScan"
        config check-item-list
            edit 1
                set type registry
                set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}"
            next
        end
    next
end

config vpn ssl web portal
    edit "SSLVPN Portal"
        set tunnel-mode enable
        set host-check custom
        set limit-user-logins enable
        set ip-pools "SSLVPN_range"
        set split-tunneling-routing-address "Internal_Nets"
        set host-check-policy "McAfee-VirusScan"
    next
end

!######### Enable host check ##############
config vpn ssl web portal
    edit "SSLVPN Portal"
        set tunnel-mode enable
        set host-check custom
        set host-check-policy "McAfee-VirusScan"
    end

KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
ValueName: Domain
Value: ourdomain.com
The registry checking syntax is defined as follows:
///////////////////////////////////////////////////////////////////////////////
//
// RegistryPolicyTarget example:
//
// HKLM\SOFTWARE\Fortinet\FortiClient\Misc : TrafficChartMask == 12345678
// ---- ---------------------------------- - ---------------- -- --------
// --A- ------------------B--------------- C --------D------- -E-----F---
//
//   A                    B                C         D         E     F
//   |                    |                |         |         |     |
//   |                    |                |         |         |     +--> Value (for string: abc, "abc" or 'abc')
//   |                    |                |         |         +--> Comparison Operator
//   |                    |                |         +--> RegValueName ("default" for un-named or default)
//   |                    |                +--> SubKey and ValueName separator
//   |                    +--> RegSubKey
//   +--> RegRoot
//
// <SubKey and ValueName separator>, <RegValueName>, <Comparison Operator> and <Value> are optional.
//
///////////////////////////////////////////////////////////////////////////////
#define COMPARISON_OP_UNKNOWN 0  // Unknown comparison operator
#define COMPARISON_OP_NONE    1  // No comparison operator
#define COMPARISON_OP_EQ      2  // "=" , "==" : Equal
#define COMPARISON_OP_NE      3  // "!=", "<>" : Not equal
#define COMPARISON_OP_LT      4  // "<"        : Less than
#define COMPARISON_OP_GT      5  // ">"        : Greater than
#define COMPARISON_OP_LE      6  // "<="       : Less than or equal to
#define COMPARISON_OP_GE      7  // ">="       : Greater than or equal
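Added example, not Fortinet's or the poster's code: a small Python parser and evaluator for the RegistryPolicyTarget grammar above, run against a constructed in-memory snapshot in place of a real registry. It assumes the doubled backslashes in the CLI strings are quoting escapes (so targets are passed with single backslashes) and that "=" is an alias of "==" as the operator table states; it also handles the optional parts (key-only and value-only existence checks, quoted values).

```python
import operator
import re
# Added example (not Fortinet code): parse the RegistryPolicyTarget grammar quoted in the
# post, RegRoot\RegSubKey[:RegValueName[<op>Value]], and test it against a constructed snapshot.
_OP_RE = re.compile(r"\s*(==|!=|<>|<=|>=|=|<|>)\s*")   # two-char tokens first
_OPS = {"==": operator.eq, "!=": operator.ne, "<>": operator.ne, "<": operator.lt,
        ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def parse_target(target):
    """Split a target into root, subkey, value name, operator and value."""
    key_part, sep, value_part = target.partition(":")   # ':' is separator C
    root, _, subkey = key_part.strip().partition("\\")
    spec = {"root": root.upper(), "subkey": subkey.strip("\\ ").lower(),
            "value_name": None, "op": None, "value": None}
    if not sep:
        return spec                                     # key-existence check only
    m = _OP_RE.search(value_part)
    if m is None:                                       # value must merely exist
        spec["value_name"] = value_part.strip().lower()
        return spec
    spec["value_name"] = value_part[:m.start()].strip().lower()
    spec["op"] = "==" if m.group(1) == "=" else m.group(1)   # "=" aliases "=="
    raw = value_part[m.end():].strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        raw = raw[1:-1]                                 # abc, "abc", 'abc' are equal
    spec["value"] = raw
    return spec

def _normalise(a, b):
    try:                                                # integers compare numerically,
        return int(a), int(b)                           # anything else case-insensitively
    except (TypeError, ValueError):
        return str(a).lower(), str(b).lower()

def evaluate(target, snapshot):
    """snapshot maps (root, subkey) -> {value name: data}; 'default' is (Default)."""
    spec = parse_target(target)
    values = next((v for (r, s), v in snapshot.items()
                   if r.upper() == spec["root"] and s.lower() == spec["subkey"]), None)
    if values is None:                                  # key absent: check fails
        return False
    data = {k.lower(): v for k, v in values.items()}
    name, op = spec["value_name"], spec["op"]
    if name is None or op is None:                      # existence-only checks
        return name is None or name in data
    return name in data and _OPS[op](*_normalise(data[name], spec["value"]))

# Constructed snapshot: firewall on, McAfee shell extension registered ('*' is a literal HKCR key).
HOST = {("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"): {"EnableFirewall": 1},
        ("HKCR", r"*\shellex\ContextMenuHandlers\VirusScan"): {"default": "{cda2863e-2497-4c49-9b89-06840e070a87}"}}
```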
Any luck with this? Your post is kind of old, and before spending time helping let me know if you still need it.
Huey,
Great, thanks for that information! That is the best real world example yet I have seen for this setup.
My remaining question has to do with integration of Forticlient with EMS and the Fortigate. I haven't found a good explanation in the Fortinet docs on how to setup the scenario of having the Fortigate enforce the configuration checks but still have the forticlient register with the EMS server to provide a status and get any profile updates. It almost seems like Fortinet didn't have everything baked before EMS was released.
Thanks,
I'm in touch with a FortiNet SE on EMS. Right now, from what I understand, NAC/Host-Check requires a license bound to the FortiGate. EMS is most likely never going to support NAC/Host check. You should be hammering whoever sold you the licenses on some arrangement to support both. From what I understand they are open to working with clients now but that window may close soon. I have multiple clients in this situation where they want to do NAC and manage clients. The short term answer if you want to use EMS is have two licenses. Long term answer is unclear.
Have you deployed any EMS clients yet? Do you own the FortiGate based FortiClient licensing?
Also, if you have any more questions, feed them to me and I'll get answers if I don't already know them.