
EMS Administration Guide

Restricting VPN access to rogue/non-compliant devices with Security Fabric

The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS 6.2.3. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:

  1. Configure a custom hostname and compliance verification rules on EMS.
  2. Configure the EMS connector in FortiOS.
  3. Configure VPN settings:
    1. IPsec VPN
    2. SSL VPN
  4. Verify the configuration in FortiClient:
    1. IPsec VPN
    2. SSL VPN

This configuration only supports VPN with FortiOS local users. For Active Directory FSSO support, you must use EMS 6.4 and FOS 6.4. See the FortiClient EMS 6.4.3 Administration Guide.

Configuring a custom hostname and compliance verification rules on EMS

To configure a custom hostname and compliance verification rules on EMS:
  1. In EMS, go to System Settings > Server. In the Custom hostname field, enter a custom hostname.
  2. Create an administrator as Creating a new administrator user account describes. Enable Restrict Login to Trusted Hosts, and in the Trusted Hosts field, enter the FortiGate/trusted host.
  3. Create compliance verification rules as Adding a compliance verification rule set describes:
    1. Create a rule that allows endpoints to access resources. This example creates a rule that applies the AV-Running tag to endpoints that have antivirus software installed and running. You will use the AV-Running tag in FortiOS dynamic policies in a later step.

    2. Create a rule that blocks endpoints from accessing resources. This example creates a rule that applies the RED-Alert tag to endpoints that have the risk.txt file present.

Configuring the FortiOS-EMS connector

To configure the FortiOS-EMS connector:
  1. In FortiOS, go to Security Fabric > Settings. Enable FortiClient Endpoint Management System (EMS), and enter the credentials for the administrator that you created in Configuring a custom hostname and compliance verification rules on EMS. Click Save.
  2. Go to Security Fabric > Fabric Connectors. Edit the newly created FortiClient EMS connector.
  3. From the Trusted SSL certificate field, select the desired certificate.
  4. Click Apply & Refresh, then OK.
  5. Ensure that the tags that you configured in Configuring a custom hostname and compliance verification rules on EMS are available for the EMS connector.

Configuring VPN settings

To configure FortiOS IPsec VPN settings:
  1. In FortiOS, go to VPN > IPsec Tunnels.
  2. Click Create New > IPsec Tunnel.
  3. On the VPN Setup tab, for Template type, select Remote Access.
  4. For Remote device type, select Client-based, then FortiClient. Click Next.
  5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
  6. Configure other fields as desired, then create the tunnel.
  7. Configure policies:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Select the IPsec VPN policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
    4. Edit the top pasted policy to allow endpoint and EMS connection:
      1. For Destination, select the EMS destination.
      2. For Service, set to EMS port 8013.
      3. Set the Action to ACCEPT.
      4. Enable, then save the policy.

    5. Edit the second pasted policy to restrict access to high-risk managed endpoints:
      1. In the Source field, select the tag that you configured to apply to non-compliant endpoints in Configuring a custom hostname and compliance verification rules on EMS.
      2. Set the Action to DENY.
      3. Enable, then save the policy.

    6. Configure the third policy to permit only compliant endpoints to access resources:
      1. In Source, select the tag that you configured to apply to compliant endpoints in Configuring a custom hostname and compliance verification rules on EMS.
      2. Set the Action to ACCEPT.
      3. Enable, then save the policy.

  8. Ensure that the policies are in the correct sequence and enabled.

To configure FortiOS SSL VPN settings:
  1. In FortiOS, go to VPN > SSL-VPN Settings.
  2. Configure the Listen on Port and HTTPS port fields as desired.
  3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
  4. Click the Apply button.
  5. Configure policies:

    1. FortiOS displays a message that no SSL VPN policies exist. Select the option to create a new SSL VPN policy using the newly configured settings:
      1. From the Outgoing Interface dropdown list, select Internal.
      2. For Source, select the desired users.
      3. For Destination, select the EMS server.
      4. Under Service, create a custom service with destination port 8013.
      5. Enable, then save the policy.

    2. Select the SSL VPN policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
    4. Configure the policies:
      1. Edit the top pasted policy:
        1. For Source, select the tag that you configured to apply to non-compliant endpoints in Configuring a custom hostname and compliance verification rules on EMS.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to DENY.
        5. Enable, then save the policy.

      2. Edit the second pasted policy:
        1. In the Source field, select the tag that you configured to apply to compliant endpoints in Configuring a custom hostname and compliance verification rules on EMS.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to ACCEPT.
        5. Enable, then save the policy.

  6. Ensure that the policies are in the correct sequence and enabled.
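Both the IPsec and the SSL VPN procedures above end with the same three-policy sequence, and the sequence only works because FortiOS uses the first matching policy: a non-compliant endpoint carries both the RED-Alert and the AV-Running tag, so the DENY policy must sit above the ACCEPT policy. The following first-match model is an added example, not Fortinet code; the policy names, the "EMS-8013" service name and the endpoint states are constructed to mirror the guide, and it also shows what happens if the two pasted policies end up in the wrong order.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                    # FortiOS action: "ACCEPT" or "DENY"
    src_tag: Optional[str] = None  # EMS tag the source must carry; None = any source
    dst: str = "all"               # "ems" (the EMS server address) or "all"
    service: str = "ALL"           # "EMS-8013" (custom TCP/8013 service) or "ALL"

@dataclass(frozen=True)
class Endpoint:
    name: str
    tags: FrozenSet[str]           # tags EMS has applied to this endpoint

# The three policies the guide creates, in the order it sequences them
# (top to bottom; FortiOS evaluates top-down and stops at the first match).
VPN_POLICIES: List[Policy] = [
    Policy("allow-endpoint-to-EMS", "ACCEPT", None, "ems", "EMS-8013"),
    Policy("deny-non-compliant", "DENY", "RED-Alert", "all", "ALL"),
    Policy("allow-compliant", "ACCEPT", "AV-Running", "all", "ALL"),
]

def evaluate(policies: List[Policy], ep: Endpoint, dst: str, service: str) -> str:
    """First-match lookup; traffic matching no policy hits the implicit deny."""
    for p in policies:
        if p.src_tag is not None and p.src_tag not in ep.tags:
            continue
        if p.dst != "all" and p.dst != dst:
            continue
        if p.service != "ALL" and p.service != service:
            continue
        return p.action
    return "DENY"

# Constructed endpoint states matching the guide's verification steps.
COMPLIANT = Endpoint("compliant", frozenset({"AV-Running"}))
NON_COMPLIANT = Endpoint("non-compliant", frozenset({"AV-Running", "RED-Alert"}))
ROGUE = Endpoint("rogue", frozenset())

def internal_access(policies: List[Policy] = VPN_POLICIES) -> Dict[str, str]:
    """Verdict for each endpoint state when it pings an internal host."""
    return {ep.name: evaluate(policies, ep, "internal", "ALL")
            for ep in (COMPLIANT, NON_COMPLIANT, ROGUE)}

def misordered() -> List[Policy]:
    """Same policies, but with the ACCEPT pasted above the DENY."""
    return [VPN_POLICIES[0], VPN_POLICIES[2], VPN_POLICIES[1]]
```

With the guide's order only the compliant endpoint reaches internal hosts, while every endpoint (including a rogue one with no tags) can still reach EMS on port 8013 to register and get tagged; with the misordered list the non-compliant endpoint is accepted, which is the failure the "correct sequence" step guards against.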

Verifying the configuration in FortiClient

To verify the configuration for IPsec VPN on FortiClient:
  1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
  2. Configure and connect to an IPsec VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.

    2. Ping a device on the network to ensure that it can be reached.
  4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that means creating the risk.txt file on the endpoint. After a few minutes, the ping is denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

  5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Delete the risk.txt file, and stop AV services.
    2. Ensure that the user details page does not display any tags. The endpoint should lose network access.

To verify the configuration for SSL VPN on FortiClient:
  1. Install FortiClient on an endpoint.
  2. Configure and connect to an SSL VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Ensure that AV services are not running.
    2. On the user details page, ensure that EMS has applied no tags.

    3. Ping the EMS server. The endpoint should be unable to access internal resources.
    4. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.

  4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. Ensure that AV services are running.
    2. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.

    3. Ping the EMS server again. The endpoint should be able to access internal resources.
  5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that means creating the risk.txt file on the endpoint. After a few minutes, the ping is denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.