The user can install the unlicensed version of FortiClient and go unnoticed by the EMS, which means they can circumvent the security profiles and settings applied to the users.
Is there a way to avoid such connectivity of VPN to our network?
You could leverage zero trust tags for this:
https://docs.fortinet.com/document/forticlient/7.2.0/ems-administration-guide/924998/zero-trust-tags
If you use the unlicensed version, that machine will not be reporting to EMS, and you can push the updates to the device that doesn't report to EMS.
Hello,
I would recommend the ZTNA approach.
If you are looking to prevent the FCT free version from connecting to your FGT VPN, you may follow the guide below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricted-SSL-VPN-to-FortiClient-connecte...
Note that this is a global setting in FGT.
Enable Endpoint Control on your FortiGate device to enforce policies that allow only authorized versions of FortiClient VPN to connect.
Utilize FortiClient EMS to manage and control the deployment of FortiClient VPN. Enforce licensing requirements, monitor client versions, and push updates to ensure all endpoints are running licensed and authorized versions.
Implement Network Access Control (NAC) mechanisms such as 802.1X authentication or NAC solutions to verify the presence of a valid and licensed FortiClient VPN version before granting network access.
Create firewall policies on your FortiGate device that specifically allow traffic only from licensed FortiClient VPN versions.
Educate users about the importance of using authorized and licensed versions of FortiClient VPN and the risks associated with unlicensed software.
Is it possible to create firewall policies on FortiGates to allow only the licensed version?
Firewall policy comes into the picture after the VPN is connected, so it may not serve the purpose.
You can enable the settings below; this will check the serial number and only permit host machines connected to EMS.
# config system global
set sslvpn-ems-sn-check enable
end
Copyright 2024 Fortinet, Inc. All Rights Reserved.