Hi,
I am running Fortigate 501E with remote SSL VPN (OS version 5.6.8). I wanted to know if someone came across a problem with the host check configuration. I want to permit access to the LAN through SSL VPN only with computers with specific parameters, so I tried to configure os-check to allow only win-10 OS, registry check (for domain), and av-fw, but nothing works.
Some of the configuration:
set os-check enable
config os-check-list "windows-2000"
    set action deny
config os-check-list "windows-xp"
    set action deny
config os-check-list "windows-vista"
    set action deny
config os-check-list "windows-7"
    set action deny
config os-check-list "windows-8"
    set action deny
config os-check-list "windows-8.1"
    set action deny
config os-check-list "windows-10"
    set host-check custom
    set host-check-policy "corp.x.com" "WindowsFW-DomainProfile" "Trend-Micro-AV"
edit "corp.x.com"
    set type fw
    config check-item-list
        edit 1
            set type registry
            set target "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==corp.x.com"
        next
    end
config vpn ssl web host-check-software
    edit "WindowsFW-DomainProfile"
        set type fw
        config check-item-list
            edit 1
                set type registry
                set target "Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall=1"
            next
        end
I even tried the command:
set skip-check-for-unsupported-os disable
Hi, did you find a solution to this problem?
Same problem here. No matter what type of check I want to make, it does not work.
I tried on FortiOS 5.6.11 and FortiClient 5.6.0 and 6.0.8.
Is having FortiClient registered necessary? We are only using it as a VPN client, without license, without registration to FortiGate or EMS.
I finally figured out how to get this feature working. Simply.... Update to 6.0.6, as it doesn't work in 5.6.11 (and probably earlier 5.6 releases).
Who would have thought that this might be a firmware bug? Why am I so surprised?! :D
My company uses Fortigate 100D. After upgrading from FortiOS 5.4.5 to 5.6.11, we confirmed that SSL-VPN host-check did not work. When the version was upgraded from 5.6.11 to 6.0.8, it was confirmed that normal operation was resumed. Since the 5.6 series seems to have a problem with the host-check function, it is recommended to upgrade to the 6.0 series.