Fortigate SSLVPN - FortiClient - RegKey Checking on Login
I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.
What I would like to do is to configure the SSLVPN to carry out a “RegKey Check” for a “arbitrary custom string” which you place in your registry and you would need to not only have the software installed but the key would need to match a predefined string otherwise deny your request to login.
Has anyone achieved this at all?
Kind Regards
Blacktip
I think you need to implement PKI.
In this case your clients should have valid certificates in their browsers or in a token.
Another solution is using FortiToken.
After entering correct user and pass, user must enter OTP (one time password) that can be generated with FortiToken.
Using email and SMS is the same as implementing two-factor authentication with FortiToken. So users will receive the OTP through email or SMS.
Thanks for your quick reply.
We do have a PKI infrastructure, but I know when a previous colleague was working on the PoC (and he's now left and didn't document anything), there were issues in getting this working properly. I don't know what these issues were, and information from him now is not forthcoming and normally equates to no more than "have you tried a reboot?"!!!
We don't want to go down the route of the FortiToken as we already use a 2FA mechanism through SafeNet which provides an OTP, and we don't want the additional cost.
Blacktip
Hi,
You can use the "host-check" function for this.
When the client connects to the firewall, the firewall sends out a check to the VPN client to look for:
1. A registry string
2. A file on your computer
3. A running process
4. Whether you have firewall software
5. Whether you have antivirus software
So for your problem, use option 1:
config vpn ssl web host-check-software
    edit <a name>
        config check-item-list
            edit 0
                set type registry
                set target <your registry string>
            next
        end
    next
end
(be sure to type "get" and see all available options)
Then associate this policy with your SSL VPN portal.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Fantastic. This seems exactly like what I'm looking for.
Is the <your registry string> in your example in the format of:
"HKEY_LOCAL_MACHINE\SOFTWARE\Custom_Org_Hive\String_You_Want_To_Check_For"
Correct!
Here is a reference:
Many thanks for your help here. It's much appreciated.
No problem! ;)
I have managed to start testing this today and I've done a new portal etc. and have configured the information, but I can't see where you associate the regkey check policy against the SSL VPN portal. Has this moved in 5.2.1?
config vpn ssl web portal
    edit <tunnel>
        set host-check custom
        set host-check-policy <profile>
    next
end
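As an added example (not code from this thread or from Fortinet), here is the endpoint side of the setup: a PowerShell script an administrator would push through GPO or endpoint management to provision the marker value that the registry host-check item looks for, and which prints the matching "set target" string for the FortiGate side so the two cannot drift. The key path, value name and value data are placeholders; since the host check only proves the marker is present, the marker should only ever be delivered to corporate-managed machines.

```powershell
# Added example, not from the thread. Provisions the registry marker that the
# FortiGate host-check registry item looks for. Key path, value name and
# value data below are assumptions; replace them with your own.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Custom_Org_Hive',
    [string]$ValueName = 'String_You_Want_To_Check_For',
    [string]$ValueData = 'REPLACE-WITH-ORG-MARKER'
)

# HKLM\SOFTWARE is writable only by administrators, so this must run from an
# elevated deployment context (GPO startup script, management agent), not
# by the end user.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run elevated: the marker must live under HKLM.'
}

# Create the key if needed and write the marker as a REG_SZ value.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData `
    -PropertyType String -Force | Out-Null

# Read it back exactly as the VPN client will see it.
$actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($actual -ne $ValueData) {
    throw "Marker readback mismatch: got '$actual'"
}

# Turn the PowerShell drive path into the HKEY_LOCAL_MACHINE\... form quoted
# in the thread, ready to paste into the FortiGate "set target" line.
$fortiTarget = ($KeyPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') + '\' + $ValueName
Write-Output "FortiGate check-item target: $fortiTarget"
```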