Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Blacktip
New Contributor

Fortigate SSLVPN - FortiClient - RegKey Checking on Login

I have an issue where we would like to prevent people from installing the SSLVPN client on their home computers and gaining access through to our systems in tunnel mode.

 

What I would like to do is to configure the SSLVPN to carry out a “RegKey Check” for a “arbitrary custom string” which you place in your registry and you would need to not only have the software installed but the key would need to match a predefined string otherwise deny your request to login.

 

Has anyone achieved this at all?

 

Kind Regards

 

Blacktip

18 REPLIES 18
Blacktip
New Contributor

Hmmm

 

I managed to apply the host-check-policy to the SSLweb portal but I now seem to get an error with blah blah blah (-7006) which is a host does not meet the requirement.  Either my syntax is incorrect or the firewall cant read the regkey even though I've made the key readable to everyone.

 

Grrr

Blacktip
New Contributor

This is getting interesting now.  I configured the Host Checking part as below:-

 

config vpn ssl web host-check-software edit RegKeyCheck config check-item-list edit 1 set action require set type registry set target "HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78" end end

 

Then I assigned this Host Checking Policy to the Web Portal:-

 

config vpn ssl web portal edit "Managed_Device" set host-check custom set host-check-policy RegKeyCheck end

 

I created the RegKey in question on the client device and made this readable to everyone.

 

I then ran the Process Monitor to have a look at what RegKeys were being called.

 

Made the connection with the client again.

 

Connection failed with error message:-

Warning

Your PC does not meet the host checking requirements set by the firewall.  Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-7006)

 

When I then look at the Process Monitor, I can see that the FortiClient.exe made a RegOpenKey operation and looked for a path of HKLM\SOFTWARE\ABC\RegKeyCheck\C7764C78 with a Result of NAME NOT FOUND and a detail of Desired Access: Query Value.

 

Blacktip
New Contributor

OK this feature does not behave as you would expect it to but I do have this working now.

 

When you create the regkey on the laptop such as following example:-

HKLM\SOFTWARE\ABC\RegkeyCheck\123456

 

You need to configure the vpn ssl web host-check-software to:-

set target "HKLM\SOFTWARE\ABC" and NOT "HKLM\SOFTWARE\ABC\RegkeyCheck\123456" or "HKLM\SOFTWARE\ABC\RegkeyCheck".

 

As long as you have something in that hive (RegKeyCheck) then it will work.  It does not check for the RegKeyCheck field itself per say or the value of that filed, its just a simple "Does the path exist" query only.

 

You can use "reg query" to show how you cant/can see the result.  See below:-

 

A failed query:-

 

 

C:\>reg query HKLM\SOFTWARE\ABC\RegKeyCheck\

ERROR: The system was unable to find the specified registry key or value.

C:\>

 

A working query:-

C:\>reg query HKLM\SOFTWARE\ABC\

HKEY_LOCAL_MACHINE\SOFTWARE\ABC     RegKeyCheck    REG_SZ    123456

C:\>

 

Really annoying.

rofo_xdf
New Contributor

Hi

Im looking for a similiar function.

if the regkey not exist on the connecting pc, is it then possible to redirect that user/pc to specific policy that allow the user only to run rdp to the user own office computer.

If the user use his domain joined laptop computer it should have full access but if using home computers only access as describe as above.

 

rofo

Blacktip
New Contributor

The match is a policy to say required (default behaviour) or deny.  There is no "alternate action" for the matching statement.

rofo_xdf
New Contributor

Tanx for the answer blacktip.

can I instead set up a webportal with different wan ip and let the home working user connect his forticlient to that ip and set up set up an other sslvpn tunnel address for that portal?

bartman10

FYI.. you can check for specific reg key and value. I use it to ensure the computer is joined to the domain xxx.com

 

For BlackTips example it would be

 

 "HKLM\SOFTWARE\ABC:RegKeyCheck==123456"

 

To check if computer is joined to domain xxx.com

"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:Domain==xxx.com"

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
ss198939
New Contributor

Can any one tell me how host check is working. background funtionality?

Like fortinet first send the host check policy. then it will be received by browser where user has logged in .

then policy package will be installed in PC.

 

I am asking because we will not confiugure these policy in PC but only in fortigate so how PC will provide information 

 

One more question. I haven't seen any where in fortinet documents that we require fortinet client software or not if we enable host check.

 

can we use this in tunnel mode or in web mode only ?

 

I don't know when i will get revert for this.but it was urgent so please revert early if possible.

 

bartman10

FortiClient must be the VPN software as it's what checks and replies to the lookup.

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors