Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Blacktip
New Contributor

Fortigate SSLVPN - FortiClient - RegKey Checking on Login

I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.

 

What I would like to do is to configure the SSLVPN to carry out a “RegKey Check” for a “arbitrary custom string” which you place in your registry and you would need to not only have the software installed but the key would need to match a predefined string otherwise deny your request to login.

 

Has anyone achieved this at all?

 

Kind Regards

 

Blacktip

18 REPLIES
Blacktip
New Contributor

Hmmm

 

I managed to apply the host-check-policy to the SSL web portal but I now seem to get an error with blah blah blah (-7006) which is a host does not meet the requirement.  Either my syntax is incorrect or the firewall can't read the regkey even though I've made the key readable to everyone.

 

Grrr

Blacktip
New Contributor

This is getting interesting now.  I configured the Host Checking part as below:-

 

config vpn ssl web host-check-software
    edit RegKeyCheck
        config check-item-list
            edit 1
                set action require
                set type registry
                set target "HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78"
            next
        end
    next
end

 

Then I assigned this Host Checking Policy to the Web Portal:-

 

config vpn ssl web portal
    edit "Managed_Device"
        set host-check custom
        set host-check-policy RegKeyCheck
    next
end

 

I created the RegKey in question on the client device and made this readable to everyone.

 

I then ran the Process Monitor to have a look at what RegKeys were being called.

 

Made the connection with the client again.

 

Connection failed with error message:-

Warning

Your PC does not meet the host checking requirements set by the firewall.  Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-7006)

 

When I then look at the Process Monitor, I can see that the FortiClient.exe made a RegOpenKey operation and looked for a path of HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78 with a Result of NAME NOT FOUND and a detail of Desired Access: Query Value.

 

Blacktip
New Contributor

OK this feature does not behave as you would expect it to but I do have this working now.

 

When you create the regkey on the laptop such as following example:-

HKLM\SOFTWARE\ABC\RegkeyCheck\123456

 

You need to configure the vpn ssl web host-check-software to:-

set target "HKLM\SOFTWARE\ABC" and NOT "HKLM\SOFTWARE\ABC\RegkeyCheck\123456" or "HKLM\SOFTWARE\ABC\RegkeyCheck".

 

As long as you have something in that hive (RegKeyCheck) then it will work.  It does not check for the RegKeyCheck field itself per se, or the value of that field; it's just a simple "Does the path exist" query only.

 

You can use "reg query" to show how you can't/can see the result.  See below:-

 

A failed query:-

C:\>reg query HKLM\SOFTWARE\ABC\RegKeyCheck\

ERROR: The system was unable to find the specified registry key or value.

C:\>

A working query:-

C:\>reg query HKLM\SOFTWARE\ABC\

HKEY_LOCAL_MACHINE\SOFTWARE\ABC
    RegKeyCheck    REG_SZ    123456

C:\>

 

Really annoying.

rofo_xdf
New Contributor

Hi

I'm looking for a similar function.

If the regkey does not exist on the connecting PC, is it then possible to redirect that user/PC to a specific policy that allows the user only to run RDP to the user's own office computer?

If the user uses his domain-joined laptop computer it should have full access, but if using a home computer only the access described above.

 

rofo

Blacktip
New Contributor

The match is a policy to say required (default behaviour) or deny.  There is no "alternate action" for the matching statement.

rofo_xdf
New Contributor

Thanks for the answer Blacktip.

Can I instead set up a web portal with a different WAN IP, let the home-working user connect his FortiClient to that IP, and set up another SSL VPN tunnel address for that portal?

bartman10

FYI, you can check for a specific reg key and value. I use it to ensure the computer is joined to the domain xxx.com.

 

For Blacktip's example it would be

 

 "HKLM\SOFTWARE\ABC:RegKeyCheck==123456"

 

To check if computer is joined to domain xxx.com

"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:Domain==xxx.com"

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

ss198939
New Contributor

Can anyone tell me how host check works? What is the background functionality?

Like: Fortinet first sends the host check policy, then it is received by the browser where the user has logged in, then the policy package is installed on the PC.

I am asking because we will not configure these policies on the PC but only on the FortiGate, so how will the PC provide the information?

One more question. I haven't seen anywhere in the Fortinet documents whether we require the Fortinet client software or not if we enable host check.

Can we use this in tunnel mode or in web mode only?

I don't know when I will get a reply for this, but it is urgent, so please reply early if possible.

 

bartman10

FortiClient must be the VPN software as it's what checks and replies to the lookup.
