Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Richard_one
New Contributor

Forticlient and EMS config questions

Hello, I am new to FortiGate and struggling with setting up FortiClient access. I know what I want, but in going through all of the Fortinet documentation I just can't find the exact solution I need.

I have a FortiGate running 5.2.7 and also have EMS. I basically want to do an assessment of my laptops running FortiClient before they are allowed to connect to the SSLVPN using FortiClient.

1. When a laptop connects from the internet, before I allow connection to my internal network I want to make sure that the FortiClient AV is up to date and the firewall is active. If not, I do not want it to connect.
2. After a laptop connects with FortiClient, I want it to be able to register its status with the internal EMS server. The many examples in FortiGate documentation show how to get it to register with the FortiGate itself, but I am using EMS.

Can anyone point me in the right direction? Thanks!

1 Solution
Huey
New Contributor III

I'll post anyway in hopes you can give me insight into your EMS deployment:

The host check is fairly straightforward. It looks for registry keys, so if something's in the registry then you can grant access based on it being there. We look for domain membership and the presence of McAfee AV.

Some notes on Host Check

Although Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, we can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

ValueName: EnableFirewall

So we could use the registry-value-check feature to define the Windows Firewall software by the following CLI:

config vpn ssl web host-check-software
    edit WindowsDefaultFirewall
        set type fw
        config check-item-list
            edit 1
                set type registry
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
            next
        end
    next
end

We had to check for McAfee AV so we did this:

config vpn ssl web host-check-software
    edit "McAfee-VirusScan"
        config check-item-list
            edit 1
                set type registry
                set target "HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}"
            next
        end
    next
end

config vpn ssl web portal
    edit "SSLVPN Portal"
        set tunnel-mode enable
        set host-check custom
        set limit-user-logins enable
        set ip-pools "SSLVPN_range"
        set split-tunneling-routing-address "Internal_Nets"
        set host-check-policy "McAfee-VirusScan"
    next
end

!######### Enable host check ##############
config vpn ssl web portal
    edit "SSLVPN Portal"
        set tunnel-mode enable
        set host-check custom
        set host-check-policy "McAfee-VirusScan"
    next
end

Note: To check for domain membership, use the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters Domain ourdomain.com

The registry checking syntax is defined as follows:

///////////////////////////////////////////////////////////////////////////////
//
// RegistryPolicyTarget example:
// HKLM\SOFTWARE\Fortinet\FortiClient\Misc : TrafficChartMask == 12345678
// ---- ---------------------------------- - ---------------- -- --------
// --A- ------------------B--------------- C --------D------- -E ----F---
//   A                    B                C         D         E     F
//   |                    |                |         |         |     |
//   |                    |                |         |         |     +--> Value (for string: abc, "abc" or 'abc')
//   |                    |                |         |         +--> Comparison Operator
//   |                    |                |         +--> RegValueName ("default" for un-named or default)
//   |                    |                +--> SubKey and ValueName separator
//   |                    +--> RegSubKey
//   +--> RegRoot
//
// <SubKey and ValueName separator>, <RegValueName>, <Comparison Operator> and <Value> are optional.

#define COMPARISON_OP_UNKNOWN 0 // Unknown comparison operator
#define COMPARISON_OP_NONE    1 // No comparison operator
#define COMPARISON_OP_EQ      2 // "=" , "==" : Equal
#define COMPARISON_OP_NE      3 // "!=", "<>" : Not equal
#define COMPARISON_OP_LT      4 // "<" : Less than
#define COMPARISON_OP_GT      5 // ">" : Greater than
#define COMPARISON_OP_LE      6 // "<=" : Less than or equal to
#define COMPARISON_OP_GE      7 // ">=" : Greater than or equal

Layer8 Consulting

http://www.L8C.com
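
An added example, not part of the original post and not Fortinet's code: a small Python linter that parses `set target` strings using the A to F grammar and operator codes quoted above, then evaluates them against a registry snapshot so a typo in a host-check rule is caught before it locks out every VPN user. Assumptions: the accepted root abbreviations, the unescaping of doubled backslashes as typed inside CLI quotes, the comparison semantics (numeric for integers, otherwise case-insensitive strings) and the snapshot contents are all constructed for illustration.

```python
import re

# Operator codes follow the #define table quoted in the post.
OPS = {None: 1, "=": 2, "==": 2, "!=": 3, "<>": 3, "<": 4, ">": 5, "<=": 6, ">=": 7}
ROOTS = {"HKLM", "HKCR", "HKCU", "HKU"}  # assumption: accepted root abbreviations

TARGET_RE = re.compile(
    r"^\s*(?P<root>\w+)\\(?P<subkey>[^:]+?)\s*"     # A \ B
    r"(?::\s*(?P<name>[^=!<>]+?)\s*"                 # C D
    r"(?:(?P<op>==|!=|<>|<=|>=|=|<|>)\s*(?P<value>[^=<>\s].*?))?)?\s*$"  # E F
)

def parse_target(cli_text):
    """Parse a target as typed inside CLI quotes (backslashes doubled)."""
    m = TARGET_RE.match(cli_text.replace("\\\\", "\\"))
    if not m or m["root"].upper() not in ROOTS:
        raise ValueError(f"malformed registry target: {cli_text!r}")
    value = m["value"]
    if value and len(value) > 1 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # abc, "abc" and 'abc' name the same string
    return {"root": m["root"].upper(), "subkey": m["subkey"],
            "name": m["name"], "op": OPS[m["op"]], "value": value}

def evaluate(target, snapshot):
    """Assumed semantics: numeric compare for integers, else case-insensitive strings."""
    values = snapshot.get((target["root"], target["subkey"].lower()))
    if values is None:
        return False  # key missing: the check fails
    if target["name"] is None:
        return True   # key-existence check only
    if target["name"].lower() not in values:
        return False
    if target["op"] == 1:
        return True   # value-existence check only
    actual, wanted = str(values[target["name"].lower()]), target["value"]
    try:
        a, w = int(actual), int(wanted)
    except ValueError:
        a, w = actual.lower(), wanted.lower()
    return {2: a == w, 3: a != w, 4: a < w, 5: a > w, 6: a <= w, 7: a >= w}[target["op"]]

# Constructed snapshot of one laptop (firewall off, McAfee handler present).
SNAPSHOT = {
    ("HKLM", r"system\currentcontrolset\services\sharedaccess\parameters"
             r"\firewallpolicy\standardprofile"): {"enablefirewall": 0},
    ("HKCR", r"*\shellex\contextmenuhandlers\virusscan"): {"default": "{cda2863e-2497-4c49-9b89-06840e070a87}"},
}
FW = r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
AV = r"HKCR\\*\\shellex\\ContextMenuHandlers\\VirusScan:default=={cda2863e-2497-4c49-9b89-06840e070a87}"
```

With this snapshot, `evaluate(parse_target(FW), SNAPSHOT)` fails and the `AV` target passes; a target with a dangling operator such as `Name=` raises `ValueError` instead of being pushed to the gateway.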

 

5 REPLIES
Huey
New Contributor III

Any luck with this? Your post is kind of old, and before spending time helping, let me know if you still need it.

Layer8 Consulting

http://www.L8C.com

 

Richard_one

Huey,

Great, thanks for that information!  That is the best real world example yet I have seen for this setup.

My remaining question has to do with integration of FortiClient with EMS and the FortiGate. I haven't found a good explanation in the Fortinet docs on how to set up the scenario of having the FortiGate enforce the configuration checks but still have the FortiClient register with the EMS server to provide a status and get any profile updates. It almost seems like Fortinet didn't have everything baked before EMS was released.

Thanks,

Huey
New Contributor III

I'm in touch with a Fortinet SE on EMS. Right now, from what I understand, NAC/Host-Check requires a license bound to the FortiGate. EMS is most likely never going to support NAC/Host check. You should be hammering whoever sold you the licenses on some arrangement to support both. From what I understand they are open to working with clients now but that window may close soon. I have multiple clients in this situation where they want to do NAC and manage clients. The short term answer if you want to use EMS is have two licenses. Long term answer is unclear.

Have you deployed any EMS clients yet?  Do you own the FortiGate based FortiClient licensing?

Layer8 Consulting

http://www.L8C.com

 

Huey
New Contributor III

Also, if you have any more questions, feed them to me and I'll get answers if I don't already know them.

Layer8 Consulting

http://www.L8C.com

 
