Blacktip
New Contributor

Fortigate SSLVPN - FortiClient - RegKey Checking on Login

I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.

What I would like to do is to configure the SSLVPN to carry out a "RegKey Check" for an "arbitrary custom string" which you place in your registry. You would need to not only have the software installed, but the key would need to match a predefined string; otherwise your request to log in is denied.

Has anyone achieved this at all?

Kind Regards

Blacktip

18 REPLIES
norouzi
Contributor

I think you need to implement PKI.

In this case your clients should have valid certificates in their browsers or in a token.

Another solution is using FortiToken.

After entering the correct user and password, the user must enter an OTP (one-time password) that can be generated with FortiToken.

Using email and SMS is the same as implementing two-factor authentication with FortiToken. So users will receive the OTP through email or SMS.

 

Blacktip
New Contributor

Thanks for your quick reply.

We do have a PKI infrastructure, but I know when a previous colleague was working on the PoC (and he's now left and didn't document anything), there were issues in getting this working properly. I don't know what these issues were, and information from him now is not forthcoming and normally equates to no more than "have you tried a reboot!!!"

We don't want to go down the route of the FortiToken, as we already use a 2FA mechanism through SafeNet which provides an OTP and we don't want the additional cost.

 

Blacktip

Carl_Wallmark
Valued Contributor

Hi,

You can use the "host-check" function for this.

When the client connects to the firewall, the firewall sends out a check to the VPN client to look for:

1. A registry string
2. A file on your computer
3. A running process
4. Whether you have firewall software
5. Whether you have antivirus software

So for your problem, use option 1:

    config vpn ssl web host-check-software
        edit <a name>
            config check-item-list
                edit 0
                    set type registry
                    set target <your registry string>
                end
        end

(be sure to type "get" and see all available options)

Then associate this policy with your SSL VPN portal.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Blacktip
New Contributor

Fantastic. This seems exactly like what I'm looking for.

Is the <your registry string> in your example in the format of:

"HKEY_LOCAL_MACHINE\SOFTWARE\Custom_Org_Hive\String_You_Want_To_Check_For"

Carl_Wallmark
Valued Contributor

Correct!

Here is a reference:

http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%205.0%20CLI/config_vpn...
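The FortiGate side of the check is covered in the replies above; the other half is putting the marker value onto the managed corporate machines so the host check has something to match. The script below is an added example, not code from this thread or from Fortinet. The key path, value name and marker data are constructed placeholders and must match the `set target` string you configure on the FortiGate.

```powershell
# Added example: create and verify the registry marker that the FortiGate
# SSL VPN host check looks for. Intended to run as a GPO startup script or
# from an endpoint-management tool on corporate Windows machines.
# Path, value name and data below are constructed placeholders.
$KeyPath   = 'HKLM:\SOFTWARE\Custom_Org_Hive'
$ValueName = 'String_You_Want_To_Check_For'
$Expected  = 'EXAMPLE-MARKER-VALUE'   # constructed; replace with your own string

function Set-VpnHostCheckMarker {
    param([string]$Path, [string]$Name, [string]$Value)
    # HKLM is writable only by administrators, so a standard user on an
    # unmanaged PC cannot simply add the marker themselves.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType String -Force | Out-Null
}

function Test-VpnHostCheckMarker {
    param([string]$Path, [string]$Name, [string]$Value)
    # Returns $true only when the key exists and the data matches exactly
    # (case-sensitive), which is what the original poster wants enforced.
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -ceq $Value)
}

Set-VpnHostCheckMarker -Path $KeyPath -Name $ValueName -Value $Expected
if (Test-VpnHostCheckMarker -Path $KeyPath -Name $ValueName -Value $Expected) {
    Write-Output "Marker present: $KeyPath\$ValueName"
} else {
    Write-Output "Marker missing or mismatched: $KeyPath\$ValueName"
}
```

Run it elevated; the verification function can also be run on its own from a login script to report machines where the marker has drifted.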
Blacktip
New Contributor

Many thanks for your help here. It's much appreciated.

Carl_Wallmark
Valued Contributor

No problem! ;)
Blacktip
New Contributor

I have managed to start testing this today and I've done a new portal etc... and have configured the information, but I can't see where you associate the regkey check policy against the SSL VPN Portal. Has this moved in 5.2.1?

Carl_Wallmark
Valued Contributor

    config vpn ssl web portal
        edit <tunnel>
            set host-check custom
            set host-check-policy <profile>
        end