- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Forticlient and EMS config questions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forticlient and EMS config questions
Hello, I am new to Fortigate and struggling with setting up forticlient access. I know what I want, but in going through all of the Fortinet documentation I just can't find the exact solution I need. I have a fortigate running 5.2.7 and also have EMS. I basically want to do an assessment of my laptops running Forticlient before they are allowed to connect to the SSLVPN using Forticlient. 1. When a laptop connects from the internet, before I allow connection to my internal network I want to make sure that the forticlient AV is up to date and the firewall is active. If not, I do not want it to connect. 2. After a laptop connects with forticlient, I want it to be able to register it's status with the internal EMS server. The many examples in fortigate documentation show how to get it to register with the fortigate itself, but I am using EMS. Can anyone point me in the right direction? Thanks!
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll post anyway in hopes you can give me insight into your EMS deployment:
The host check is fairly straightforward. It looks for registry keys so if somethings in the registry then you can grant access based on it being there. We look for domain membership and the presence of McAfee AV.
Some notes on Host Check
Although Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, we can use a registry value to detect the firewall status.
If Windows firewall is on, the following registry value will be set to 1:
KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
ValueName: EnableFirewall
So we could use the registry-value-check feature to define the Windows Firewall software by the following cli:
config vpn ssl web host-check-software
edit WindowsDefaultFirewall
set type fw
config check-item-list
edit 1
set type registry
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
next
end
next
end
We had to check for McAfee AV so we did this:
config vpn ssl web host-check-software
edit "McAfee-VirusScan" config check-item-list edit 1 set type registry set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}" next end next
config vpn ssl web portal edit "SSLVPN Portal" set tunnel-mode enable set host-check custom set limit-user-logins enable set ip-pools "SSLVPN_range" set split-tunneling-routing-address "Internal_Nets" set host-check-policy "McAfee-VirusScan" next end !######### Enable host check ############## config vpn ssl web portal edit "SSLVPN Portal" set tunnel-mode enable set host-check custom set host-check-policy "McAfee-VirusScan" end
Note: To check for domain membership, use the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters Domain ourdomain.com
The registry checking syntax is defined as following:
///////////////////////////////////////////////////////////////////////////////
//
// RegistryPolicyTarget example:
// HKLM\SOFTWARE\Fortinet\FortiClient\Misc : TrafficChartMask == 12345678
// ---- ---------------------------------- - ---------------- -- --------
// --A- ------------------B--------------- C --------D------- -E-----F---
// A B C D E F
// | | | | | |
// | | | | | +--> Value (for string: abc, "abc" or 'abc')
// | | | | +--> Comparison Operator
// | | | +--> RegValueName ("default" for un-named or default)
// | | +--> SubKey and ValueName separator
// | +--> RegSubKey
// +--> RegRoot
//
// <SubKey and ValueName separator>, <RegValueName>, <Comparison Operator> and <Value> are optional.
#define COMPARISON_OP_UNKNOWN 0 // Unknown comparison operator
#define COMPARISON_OP_NONE 1 // No comparison operator
#define COMPARISON_OP_EQ 2 // "=" , "==" : Equal
#define COMPARISON_OP_NE 3 // "!=", "<>" : Not equal
#define COMPARISON_OP_LT 4 // "<" : Less than
#define COMPARISON_OP_GT 5 // ">" : Greater than
#define COMPARISON_OP_LE 6 // "<=" : Less than or equal to
#define COMPARISON_OP_GE 7 // ">=" : Greater than or equal
Layer8 Consulting
http://www.L8C.com
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any luck with this? your post is kind of old and before spending time helping let me know if you still need it.
Layer8 Consulting
http://www.L8C.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll post anyway in hopes you can give me insight into your EMS deployment:
The host check is fairly straightforward. It looks for registry keys so if somethings in the registry then you can grant access based on it being there. We look for domain membership and the presence of McAfee AV.
Some notes on Host Check
Although Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, we can use a registry value to detect the firewall status.
If Windows firewall is on, the following registry value will be set to 1:
KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
ValueName: EnableFirewall
So we could use the registry-value-check feature to define the Windows Firewall software by the following cli:
config vpn ssl web host-check-software
edit WindowsDefaultFirewall
set type fw
config check-item-list
edit 1
set type registry
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
next
end
next
end
We had to check for McAfee AV so we did this:
config vpn ssl web host-check-software
edit "McAfee-VirusScan" config check-item-list edit 1 set type registry set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}" next end next
config vpn ssl web portal edit "SSLVPN Portal" set tunnel-mode enable set host-check custom set limit-user-logins enable set ip-pools "SSLVPN_range" set split-tunneling-routing-address "Internal_Nets" set host-check-policy "McAfee-VirusScan" next end !######### Enable host check ############## config vpn ssl web portal edit "SSLVPN Portal" set tunnel-mode enable set host-check custom set host-check-policy "McAfee-VirusScan" end
Note: To check for domain membership, use the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters Domain ourdomain.com
The registry checking syntax is defined as following:
///////////////////////////////////////////////////////////////////////////////
//
// RegistryPolicyTarget example:
// HKLM\SOFTWARE\Fortinet\FortiClient\Misc : TrafficChartMask == 12345678
// ---- ---------------------------------- - ---------------- -- --------
// --A- ------------------B--------------- C --------D------- -E-----F---
// A B C D E F
// | | | | | |
// | | | | | +--> Value (for string: abc, "abc" or 'abc')
// | | | | +--> Comparison Operator
// | | | +--> RegValueName ("default" for un-named or default)
// | | +--> SubKey and ValueName separator
// | +--> RegSubKey
// +--> RegRoot
//
// <SubKey and ValueName separator>, <RegValueName>, <Comparison Operator> and <Value> are optional.
#define COMPARISON_OP_UNKNOWN 0 // Unknown comparison operator
#define COMPARISON_OP_NONE 1 // No comparison operator
#define COMPARISON_OP_EQ 2 // "=" , "==" : Equal
#define COMPARISON_OP_NE 3 // "!=", "<>" : Not equal
#define COMPARISON_OP_LT 4 // "<" : Less than
#define COMPARISON_OP_GT 5 // ">" : Greater than
#define COMPARISON_OP_LE 6 // "<=" : Less than or equal to
#define COMPARISON_OP_GE 7 // ">=" : Greater than or equal
Layer8 Consulting
http://www.L8C.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Huey,
Great, thanks for that information! That is the best real world example yet I have seen for this setup.
My remaining question has to do with integration of Forticlient with EMS and the Fortigate. I haven't found a good explanation in the Fortinet docs on how to setup the scenario of having the Fortigate enforce the configuration checks but still have the forticlient register with the EMS server to provide a status and get any profile updates. It almost seems like Fortinet didn't have everything baked before EMS was released.
Thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm in touch with a FortiNet SE on EMS. Right now, from what I understand, NAC/Host-Check requires a license bound to the FortiGate. EMS is most likely never going to support NAC/Host check. You should be hammering whoever sold you the licenses on some arrangement to support both. From what I understand they are open to working with clients now but that window may close soon. I have multiple clients in this situation where they want to do NAC and manage clients. The short term answer if you want to use EMS is have two licenses. Long term answer is unclear.
Have you deployed any EMS clients yet? Do you own the FortiGate based FortiClient licensing?
Layer8 Consulting
http://www.L8C.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, if you have anymore questions, feed them to me and I'll get answers if I don't already know them.
Layer8 Consulting
http://www.L8C.com
Related Posts
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 58 Views
- Unable to connect Internet once VPN... 300 Views
- Getting SAML error with FortiClient EMS... 269 Views
- Forticlient blocks LAN connection 354 Views
- Which tunnel pool takes presidense? 147 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.