Fortinet black logo

EMS Administration Guide

Restricting VPN access to rogue/non-compliant devices with Security Fabric

Restricting VPN access to rogue/non-compliant devices with Security Fabric

The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS 6.4. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:

  1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
  2. Configuring VPN settings:
    1. IPsec VPN
    2. SSL VPN
  3. Verify the configuration in FortiClient:
    1. IPsec VPN
    2. SSL VPN

Configuring VPN settings

To configure FortiOS IPsec VPN settings:
  1. In FortiOS, go to VPN > IPsec Tunnels.
  2. Click Create New > IPsec Tunnel.
  3. On the VPN Setup tab, for Template type, select Remote Access.
  4. For Remote device type, select Client-based, then FortiClient. Click Next.
  5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
  6. Configure other fields as desired, then create the tunnel.
  7. Configure policies:
    1. Go to Policy & Objects > Firewall Policy.
    2. Select the VPN IPS policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
    4. Edit the top pasted policy to allow endpoint and EMS connection:
      1. For Destination, select the EMS destination.
      2. For Service, set to EMS port 8013.
      3. Set the Action to ACCEPT.
      4. Enable, then save the policy.

    5. Edit the second pasted policy to restrict access to high-risk managed endpoints:
      1. In the Source field, select the tag that you configured to apply to non-compliant endpoints.
      2. Set the Action to DENY.
      3. Enable, then save the policy.

    6. Configure the third policy to permit only compliant endpoints to access resources:
      1. In Source, select the tag that you configured to apply to compliant endpoints.
      2. Set the Action to ALLOW.
      3. Enable, then save the policy.

  8. Ensure that the policies are in the correct sequence and enabled.

To configure FortiOS SSL VPN settings:
  1. In FortiOS, go to VPN > SSL-VPN Settings.
  2. Configure the Listen on Port and HTTPS port fields as desired.
  3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
  4. Click the Apply button.
  5. Configure policies:

    1. FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
      1. From the Outgoing Interface dropdown list, select Internal.
      2. For Source, select the desired users.
      3. For Destination, select the EMS server.
      4. Under Service, create a custom service with destination port 8013.
      5. Enable, then save the policy.

    2. Select the SSL VPN policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
    4. Configure the policies:
      1. Edit the top pasted policy:
        1. For Source, select the tag that you configured to apply to non-compliant endpoints.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to DENY.
        5. Enable, then save the policy.

      2. Edit the second pasted policy:
        1. In the Source field, select the tag that you configured to apply to compliant endpoints.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to ACCEPT.
        5. Enable, then save the policy.

  6. Ensure that the policies are sequenced and enabled.

Verifying the configuration in FortiClient

To verify the configuration for IPsec VPN on FortiClient:
  1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
  2. Configure and connect to an IPsec VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.

    2. Ping a device on the network to ensure that it can be reached.
  4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

  5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Delete the risk.txt file, and stop AV services.
    2. Ensure that the user details page does not display any tags. The endpoint should lose network access.

To verify the configuration for SSL VPN on FortiClient:
  1. Install FortiClient on an endpoint.
  2. Configure and connect to an SSL VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Ensure that AV services are not running.
    2. On the user details, ensure that EMS has applied no tags.

    3. Ping the EMS server. The endpoint should be unable to access internal resources.
    4. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.

  4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. Ensure that AV services are running.
    2. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.

    3. Ping the EMS server again. The endpoint should be able to access internal resources.
  5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

Restricting VPN access to rogue/non-compliant devices with Security Fabric

The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS 6.4. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:

  1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
  2. Configuring VPN settings:
    1. IPsec VPN
    2. SSL VPN
  3. Verify the configuration in FortiClient:
    1. IPsec VPN
    2. SSL VPN

Configuring VPN settings

To configure FortiOS IPsec VPN settings:
  1. In FortiOS, go to VPN > IPsec Tunnels.
  2. Click Create New > IPsec Tunnel.
  3. On the VPN Setup tab, for Template type, select Remote Access.
  4. For Remote device type, select Client-based, then FortiClient. Click Next.
  5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
  6. Configure other fields as desired, then create the tunnel.
  7. Configure policies:
    1. Go to Policy & Objects > Firewall Policy.
    2. Select the VPN IPS policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
    4. Edit the top pasted policy to allow endpoint and EMS connection:
      1. For Destination, select the EMS destination.
      2. For Service, set to EMS port 8013.
      3. Set the Action to ACCEPT.
      4. Enable, then save the policy.

    5. Edit the second pasted policy to restrict access to high-risk managed endpoints:
      1. In the Source field, select the tag that you configured to apply to non-compliant endpoints.
      2. Set the Action to DENY.
      3. Enable, then save the policy.

    6. Configure the third policy to permit only compliant endpoints to access resources:
      1. In Source, select the tag that you configured to apply to compliant endpoints.
      2. Set the Action to ALLOW.
      3. Enable, then save the policy.

  8. Ensure that the policies are in the correct sequence and enabled.

To configure FortiOS SSL VPN settings:
  1. In FortiOS, go to VPN > SSL-VPN Settings.
  2. Configure the Listen on Port and HTTPS port fields as desired.
  3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
  4. Click the Apply button.
  5. Configure policies:

    1. FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
      1. From the Outgoing Interface dropdown list, select Internal.
      2. For Source, select the desired users.
      3. For Destination, select the EMS server.
      4. Under Service, create a custom service with destination port 8013.
      5. Enable, then save the policy.

    2. Select the SSL VPN policy. Right-click, then select Copy.
    3. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
    4. Configure the policies:
      1. Edit the top pasted policy:
        1. For Source, select the tag that you configured to apply to non-compliant endpoints.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to DENY.
        5. Enable, then save the policy.

      2. Edit the second pasted policy:
        1. In the Source field, select the tag that you configured to apply to compliant endpoints.
        2. For Destination, select all.
        3. For Service, select ALL.
        4. Set the Action to ACCEPT.
        5. Enable, then save the policy.

  6. Ensure that the policies are sequenced and enabled.

Verifying the configuration in FortiClient

To verify the configuration for IPsec VPN on FortiClient:
  1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
  2. Configure and connect to an IPsec VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.

    2. Ping a device on the network to ensure that it can be reached.
  4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

  5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Delete the risk.txt file, and stop AV services.
    2. Ensure that the user details page does not display any tags. The endpoint should lose network access.

To verify the configuration for SSL VPN on FortiClient:
  1. Install FortiClient on an endpoint.
  2. Configure and connect to an SSL VPN tunnel.
  3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
    1. Ensure that AV services are not running.
    2. On the user details, ensure that EMS has applied no tags.

    3. Ping the EMS server. The endpoint should be unable to access internal resources.
    4. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.

  4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
    1. Ensure that AV services are running.
    2. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.

    3. Ping the EMS server again. The endpoint should be able to access internal resources.
  5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
    1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
    2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.