FortiGate
bmeta
Staff
Description
This article shows how to perform a custom registry check before allowing SSL VPN access.

Solution

The following configuration adds a custom host check, and enforces it in the 'full-access' web portal.

# config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target "HKLM\\SOFTWARE\\Something\\Registry_Key:Registry_Data==Data_Value"
                set type registry
            next
        end
    next
end

# config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "test-registry"
    next
end

For example, to check against the computer name:

# config vpn ssl web host-check-software
    edit "test-registry"
        config check-item-list
            edit 1
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName==TESTLAPTOP"
                set type registry
            next
        end
    next
end

The same holds true for a domain check. Set the 'target' as:

HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==forti.lab
Note: 

Both HKLM and HKEY_LOCAL_MACHINE work.

Note:

A fully licensed version of FortiClient should be used for the host-check registry check to work.
If the registry key is not present, FortiClient displays an error message:

[Screenshot: FortiClient error message]
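
To verify on the endpoint that a target will match, and to tell a missing key from a wrong value, the following PowerShell function parses a target string in the format shown above and compares it with the local registry. It is an added example, not Fortinet code; the function name Test-HostCheckTarget and the case-insensitive string comparison are assumptions.

```powershell
# Added example (not Fortinet code): check a Windows endpoint against the
# registry host-check targets from this article.
# Assumptions: target syntax is <hive>\<key path>:<value name>==<data>, as shown
# on this page, and the data is compared as a case-insensitive string.

function Test-HostCheckTarget {
    param([Parameter(Mandatory)][string]$Target)

    # The FortiOS CLI escapes backslashes; collapse "\\" back to "\".
    $t = $Target -replace '\\\\', '\'

    $pattern = '^(?<hive>HKLM|HKEY_LOCAL_MACHINE)\\(?<key>.+):(?<name>[^:=]+)==(?<data>.*)$'
    if ($t -notmatch $pattern) {
        return [pscustomobject]@{ Target = $Target; Result = 'BadSyntax'; Found = $null }
    }
    # Copy the captures now; $Matches is overwritten by any later -match.
    $key, $name, $want = $Matches['key'], $Matches['name'], $Matches['data']
    $path = "Registry::HKEY_LOCAL_MACHINE\$key"

    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Target = $Target; Result = 'KeyMissing'; Found = $null }
    }
    $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Target = $Target; Result = 'ValueMissing'; Found = $null }
    }
    $found  = [string]$item.$name
    $result = if ($found -eq $want) { 'Match' } else { 'Mismatch' }
    [pscustomobject]@{ Target = $Target; Result = $result; Found = $found }
}

# The two concrete targets from this article, written exactly as in the CLI.
$targets = @(
    'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName==TESTLAPTOP',
    'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==forti.lab'
)
$targets | ForEach-Object { Test-HostCheckTarget -Target $_ } | Format-List
```

A result of KeyMissing or ValueMissing corresponds to the case where the registry key is not present on the endpoint; Mismatch shows the value actually found.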


Related Articles

Technical Tip: Configuring custom registry checks for SSL VPN
