FortiGate-powered host check for free VPN client 7.0.3

FortiGate-powered host check supports the following for the FortiClient free VPN client:

  • Operating system (OS) check
  • Antivirus (AV)-only
  • Firewall-only
  • AV and firewall
  • Custom software host check:
    • File
    • Running process
    • Registry

During VPN connection, if the free VPN client detects that the currently running system environment does not meet a setting that FortiGate-powered host check requires, it displays a warning.

To enable OS check on FortiOS:

The following configures a check that the endpoint runs Windows 10.

config vpn ssl web portal
    edit "full-access"
        set os-check enable
        config os-check-list "windows-10"
            set action deny
        end
    next
end

To enable AV-only check on FortiOS:

The following configures a check that requires that AV is enabled on the endpoint:

config vpn ssl web portal
    edit "full-access"
        set host-check av
    next
end

To enable firewall-only check on FortiOS:

The following configures a check that requires that a firewall is enabled on the endpoint:

config vpn ssl web portal
    edit "full-access"
        set host-check fw
    next
end

To enable AV and firewall check on FortiOS:

The following configures a check that requires that both AV and a firewall are enabled on the endpoint:

config vpn ssl web portal
    edit "full-access"
        set host-check av-fw
    next
end

To enable custom file check on FortiOS:

The following configures a check that requires that both c:\temp\mytest.txt and %ProgramFiles%\Fortinet\FortiClient\FortiClient.exe exist at the given paths on the endpoint (file is the default check item type, so `set type` is omitted):

config vpn ssl web host-check-software
    edit "file_exist"
        config check-item-list
            edit 1
                set target "c:\\temp\\mytest.txt"
            next
            edit 2
                set target "%ProgramFiles%\\Fortinet\\FortiClient\\FortiClient.exe"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "file_exist"
    next
end

To enable custom running process check on FortiOS:

The following configures a check that requires that a designated process, in this case FortiClient.exe, runs on the endpoint:

config vpn ssl web host-check-software
    edit "Running-Process"
        config check-item-list
            edit 1
                set type process
                set target "FortiClient.exe"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "Running-Process"
    next
end

To enable custom registry check on FortiOS:

The following configures a check that requires that a designated string or DWORD value in a registry key exists with the expected content. In this example, the designated value is FA_IKE:enabled==1:

config vpn ssl web host-check-software
    edit "hostcheck-condition-registry"
        config check-item-list
            edit 1
                set type registry
                set target "HKLM\\SOFTWARE\\Fortinet\\FortiClient\\FA_IKE:enabled==1"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "hostcheck-condition-registry"
    next
end
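The three custom check types above (file, running process, registry) share one evaluation model: every check item in the referenced host-check-policy must pass, or the portal rejects the endpoint. As an added illustration (this is not Fortinet code and not how FortiOS or FortiClient implement the check internally), the Python below parses the `config vpn ssl web host-check-software` entries from this page and evaluates them against a constructed, in-memory snapshot of a Windows endpoint, so an administrator can see which item a failing policy trips on before turning on sslvpn debugging. It assumes that a check item without `set type` is a file check, that `%VAR%` in a file target expands like a Windows environment variable, and that a registry target reads as `<key>:<value name>==<expected>`; the endpoint snapshot is constructed, not captured from a real host.

```python
"""Parse FortiOS `config vpn ssl web host-check-software` and evaluate its
file / process / registry items against an endpoint snapshot.
Added example, not Fortinet code.  Assumptions: an item without `set type`
is a file check; `%VAR%` in a file target expands like a Windows environment
variable; a registry target reads `<key>:<value name>==<expected>`."""
import re
import shlex

# Constructed sample: the three host-check-software entries shown on the page.
SAMPLE_CONFIG = r'''
config vpn ssl web host-check-software
    edit "file_exist"
        config check-item-list
            edit 1
                set target "c:\\temp\\mytest.txt"
            next
            edit 2
                set target "%ProgramFiles%\\Fortinet\\FortiClient\\FortiClient.exe"
            next
        end
    next
    edit "Running-Process"
        config check-item-list
            edit 1
                set type process
                set target "FortiClient.exe"
            next
        end
    next
    edit "hostcheck-condition-registry"
        config check-item-list
            edit 1
                set type registry
                set target "HKLM\\SOFTWARE\\Fortinet\\FortiClient\\FA_IKE:enabled==1"
            next
        end
    next
end
'''

# Constructed endpoint snapshot (what a real checker would collect from Windows).
ENDPOINT = {
    "env": {"ProgramFiles": r"C:\Program Files"},
    "files": {r"C:\temp\mytest.txt",
              r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"},
    "processes": {"FortiClient.exe", "explorer.exe"},
    "registry": {r"HKLM\SOFTWARE\Fortinet\FortiClient\FA_IKE": {"enabled": 1}},
}


def parse_host_check_software(text):
    """Return {policy_name: [{"id", "type", "target"}, ...]} from the CLI text."""
    policies, policy, item = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)          # CLI strings escape a backslash as \\
        if not tokens:
            continue
        if tokens[0] == "edit":
            if policy is None:              # edit "<policy>" at the outer level
                policy = tokens[1]
                policies[policy] = []
            else:                           # edit <n> inside check-item-list
                item = {"id": int(tokens[1]), "type": "file", "target": None}
        elif tokens[0] == "set" and item is not None:
            item[tokens[1]] = tokens[2]     # set type ... / set target ...
        elif tokens[0] == "next":
            if item is not None:
                policies[policy].append(item)
                item = None
            else:
                policy = None
    return policies


def _expand_env(path, env):
    """Expand %VAR% using the snapshot's environment (assumed Windows semantics)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def check_item(item, endpoint):
    """True if one check item is satisfied by the endpoint snapshot."""
    target = item["target"]
    if item["type"] == "file":
        wanted = _expand_env(target, endpoint["env"]).lower()
        return wanted in {f.lower() for f in endpoint["files"]}
    if item["type"] == "process":
        return target.lower() in {p.lower() for p in endpoint["processes"]}
    if item["type"] == "registry":
        spec, _, expected = target.partition("==")        # "<key>:<name>" , "1"
        key, _, value_name = spec.rpartition(":")
        reg = {k.lower(): {n.lower(): v for n, v in vals.items()}
               for k, vals in endpoint["registry"].items()}
        actual = reg.get(key.lower(), {}).get(value_name.lower())
        return actual is not None and str(actual) == expected
    raise ValueError(f"unknown check type {item['type']!r}")


def evaluate_policy(policies, name, endpoint):
    """All items of a host-check-policy must pass; returns (ok, failed_targets)."""
    failed = [i["target"] for i in policies[name] if not check_item(i, endpoint)]
    return (not failed, failed)


if __name__ == "__main__":
    parsed = parse_host_check_software(SAMPLE_CONFIG)
    for name in parsed:
        print(name, evaluate_policy(parsed, name, ENDPOINT))
    stale = dict(ENDPOINT, processes={"explorer.exe"})   # FortiClient not running
    print("Running-Process on stale host:", evaluate_policy(parsed, "Running-Process", stale))
```

Because `evaluate_policy` returns the unexpanded target of every failing item, the output maps directly back to the `edit <n>` entries in the FortiOS configuration, which is the same information an administrator has to reconstruct by hand from the sslvpn debug output when a user reports the client's host-check warning.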

To perform debugging on FortiOS:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug enable

The following shows an example of debugging output when host check fails: