Secure remote access compliance enforcement 6.4.4

You can restrict devices from accessing an SSL VPN tunnel based on the Zero Trust tags applied to the endpoint. This helps safeguard the internal network from threats present on end-user devices. For example, consider that your organization allows employees and customers to bring their own devices and connect them to a corporate VPN tunnel to access the internal organization network. If these devices have vulnerabilities or do not have the latest antivirus (AV) signatures, they may put the internal network at risk. You can use this feature to block such endpoints from connecting to the corporate VPN tunnel.

To block endpoints that do not have the latest AV signatures from connecting to the VPN tunnel:
  1. Create a Zero Trust tagging rule set that tags endpoints that do not have the latest AV signatures as "Av sign":
    1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
    2. Click Add.
    3. In the Tag Endpoint As field, create a new "Av sign" tag.
    4. Toggle Enabled to on.
    5. Click Add Rule.
    6. For Windows devices, from the Rule Type dropdown list, select AntiVirus Software.
    7. From the dropdown list, select AV Signature is up-to-date.
    8. Select the NOT checkbox.
    9. Click Save.
    10. Click Save again.
  2. Configure the options on the endpoint profile:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Edit the desired profile, or create a new one.
    3. On the VPN tab, enable Enable Secure Remote Access.
    4. Select an existing VPN tunnel, or create a new one by clicking Add Tunnel.
    5. In Advanced Settings, for Host Tag, select Prohibit.
    6. From the Select a Tag dropdown list, select Av sign.
    7. Enable Customize Host Check Fail Warning.
    8. Enter a message to display to users when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device.
    9. Configure other fields as desired.
    10. On the System Settings tab, enable Show Host Tag on FortiClient GUI.
    11. Save the configuration.
  3. After FortiClient receives the latest configuration from EMS, click the user avatar to view the About page. An endpoint that does not have the latest AV signature displays the Av sign tag under Zero Trust Tags.
  4. On the Remote Access tab, attempt to connect to the SSL VPN tunnel. FortiClient blocks the connection since the AV signature is not up-to-date, and displays the warning configured in step 2.
  5. Update the AV signatures and retry the connection to the SSL VPN tunnel. The connection succeeds.

To block endpoints that have critical vulnerabilities from connecting to the VPN tunnel:
  1. Create a Zero Trust tagging rule set that tags endpoints with critical vulnerabilities with the "VULN" tag:
    1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
    2. Click Add.
    3. In the Tag Endpoint As field, create a new "VULN" tag.
    4. Toggle Enabled to on.
    5. Click Add Rule.
    6. For Windows devices, from the Rule Type dropdown list, select VULN.
    7. From the Severity Level dropdown list, select Critical.
    8. Click Save.
    9. Click Save again.
  2. Configure the options on the endpoint profile:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Edit the desired profile, or create a new one.
    3. On the VPN tab, enable Enable Secure Remote Access.
    4. Select an existing VPN tunnel, or create a new one by clicking Add Tunnel.
    5. In Advanced Settings, for Host Tag, select Prohibit.
    6. From the Select a Tag dropdown list, select VULN.
    7. Enable Customize Host Check Fail Warning.
    8. Enter a message to display to users when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device.
    9. Configure other fields as desired.
    10. On the System Settings tab, enable Show Host Tag on FortiClient GUI.
    11. Save the configuration.
  3. After FortiClient receives the latest configuration from EMS, on the Vulnerability Scan tab, click Scan Now to detect vulnerabilities on the system.
  4. After the scan completes, click the user avatar to view the About page. An endpoint that has critical vulnerabilities displays the VULN tag under Zero Trust Tags.
  5. On the Remote Access tab, attempt to connect to the SSL VPN tunnel. FortiClient blocks the connection since the endpoint has critical vulnerabilities, and displays the warning configured in step 2.
  6. Patch the critical vulnerabilities and retry the connection to the SSL VPN tunnel. The connection succeeds.
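The following is an added model of the two procedures above (the "Av sign" rule with the NOT checkbox, the "VULN" rule with a Critical severity level, and the tunnel's Prohibit host tag); it is constructed for illustration and is not FortiClient or EMS code. The rule semantics (a NOT checkbox inverting the match, a VULN rule matching findings at or above the selected severity) and the warning strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SEVERITIES = ["Low", "Medium", "High", "Critical"]  # constructed ordering

@dataclass
class Endpoint:                      # what FortiClient reports to EMS
    name: str
    av_signature_up_to_date: bool
    vuln_severities: List[str] = field(default_factory=list)

@dataclass
class TagRule:                       # one Zero Trust tagging rule
    tag: str
    rule_type: str                   # "AntiVirus Software" or "VULN"
    negate: bool = False             # the NOT checkbox
    severity: Optional[str] = None   # Severity Level, VULN rules only

@dataclass
class TunnelPolicy:                  # the tunnel's Advanced Settings
    host_tag_action: str             # "Prohibit"
    host_tag: str
    fail_warning: str                # Customize Host Check Fail Warning text

# The two rule sets built in the procedures above
RULES = [
    TagRule("Av sign", "AntiVirus Software", negate=True),
    TagRule("VULN", "VULN", severity="Critical"),
]

def rule_matches(rule: TagRule, ep: Endpoint) -> bool:
    if rule.rule_type == "AntiVirus Software":
        hit = ep.av_signature_up_to_date          # "AV Signature is up-to-date"
    elif rule.rule_type == "VULN":
        # Assumption: a finding at or above the selected severity matches.
        floor = SEVERITIES.index(rule.severity)
        hit = any(SEVERITIES.index(s) >= floor for s in ep.vuln_severities)
    else:
        raise ValueError(f"unsupported rule type {rule.rule_type!r}")
    return hit != rule.negate                     # NOT inverts the result

def evaluate_tags(rules: List[TagRule], ep: Endpoint) -> Set[str]:
    return {r.tag for r in rules if rule_matches(r, ep)}

def check_vpn(policy: TunnelPolicy, tags: Set[str]) -> Tuple[bool, str]:
    """Host Tag = Prohibit: block the tunnel when the tag is present."""
    if policy.host_tag_action == "Prohibit" and policy.host_tag in tags:
        return False, policy.fail_warning
    return True, ""

AV_POLICY = TunnelPolicy("Prohibit", "Av sign", "Update AV signatures first.")
VULN_POLICY = TunnelPolicy("Prohibit", "VULN", "Patch critical vulnerabilities first.")
```

Running `check_vpn(AV_POLICY, evaluate_tags(RULES, ep))` for an endpoint with stale signatures returns the configured warning, and returns an allow decision once `av_signature_up_to_date` flips to true, mirroring steps 4 and 5.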
