FortiGate-powered host check for free VPN client 7.0.3
FortiGate-powered host check supports the following for the FortiClient free VPN client:
- Operating system (OS) check
- Antivirus (AV)-only
- Firewall-only
- AV and firewall
- Custom software host check:
  - File
  - Running process
  - Registry
During VPN connection, if the free VPN client detects that the currently running system environment does not meet a setting that FortiGate-powered host check requires, it displays a warning.
To enable OS check on FortiOS:
The following enables OS check and sets the action to take for endpoints running Windows 10:
config vpn ssl web portal
    edit "full-access"
        set os-check enable
        config os-check-list "windows-10"
            set action deny
        end
    next
end
To enable AV-only check on FortiOS:
The following configures a check that requires that AV is enabled on the endpoint:
config vpn ssl web portal
    edit "full-access"
        set host-check av
    next
end
To enable firewall-only check on FortiOS:
The following configures a check that requires that firewall is enabled on the endpoint:
config vpn ssl web portal
    edit "full-access"
        set host-check fw
    next
end
To enable AV and firewall check on FortiOS:
The following configures a check that requires that AV and firewall are enabled on the endpoint:
config vpn ssl web portal
    edit "full-access"
        set host-check av-fw
    next
end
To enable custom file check on FortiOS:
The following configures a check that requires that c:\temp\mytest.txt and %ProgramFiles%\Fortinet\FortiClient\FortiClient.exe exist in the defined directories:
config vpn ssl web host-check-software
    edit "file_exist"
        config check-item-list
            edit 1
                set target "c:\\temp\\mytest.txt"
            next
            edit 2
                set target "%ProgramFiles%\\Fortinet\\FortiClient\\FortiClient.exe"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "file_exist"
    next
end
To enable custom running process check on FortiOS:
The following configures a check that requires that a designated process, in this case FortiClient.exe, runs on the endpoint:
config vpn ssl web host-check-software
    edit "Running-Process"
        config check-item-list
            edit 1
                set type process
                set target "FortiClient.exe"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "Running-Process"
    next
end
To enable custom registry check on FortiOS:
The following configures a check that requires that a designated string or DWORD value in a registry key exists. In this example, the designated value is FA_IKE:enabled==1:
config vpn ssl web host-check-software
    edit "hostcheck-condition-registry"
        config check-item-list
            edit 1
                set type registry
                set target "HKLM\\SOFTWARE\\Fortinet\\FortiClient\\FA_IKE:enabled==1"
            next
        end
    next
end
config vpn ssl web portal
    edit "full-access"
        set host-check custom
        set host-check-policy "hostcheck-condition-registry"
    next
end
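As an added illustration, not code from Fortinet or from the FortiClient product, the following Python models how the three custom check-item types above (file, running process, registry value) could be evaluated against a snapshot of an endpoint, so an administrator can predict which items of a policy an endpoint would fail before the policy is rolled out. The item targets are copied from the CLI examples on this page; the evaluation rules are assumptions of this model rather than documented FortiClient behaviour: every item must pass, paths, process names, registry keys and value names are compared case-insensitively as on Windows, `%VAR%` placeholders are expanded from the endpoint's environment, and only the `==` registry comparison shown on the page is recognised. The endpoint snapshots are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CheckItem:
    """One entry of a FortiOS check-item-list: the `set type` and `set target` values."""
    type: str    # "file", "process" or "registry"
    target: str  # the target string; CLI quoting doubles backslashes, Python raw strings do not


@dataclass
class EndpointSnapshot:
    """Constructed stand-in for what the client observes on the endpoint (assumed model)."""
    files: Set[str]                       # full paths that exist
    processes: Set[str]                   # image names that are running
    registry: Dict[Tuple[str, str], str]  # (key path, value name) -> value data as a string
    env: Dict[str, str]                   # environment variables such as ProgramFiles

    def has_file(self, path: str) -> bool:
        return path.lower() in {f.lower() for f in self.files}

    def has_process(self, image: str) -> bool:
        return image.lower() in {p.lower() for p in self.processes}

    def registry_value(self, key: str, name: str) -> Optional[str]:
        wanted = (key.lower(), name.lower())
        for (k, n), data in self.registry.items():
            if (k.lower(), n.lower()) == wanted:
                return data
        return None


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% placeholders case-insensitively; unknown variables are left as written."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def parse_registry_target(target: str) -> Tuple[str, str, str]:
    """Split 'HIVE\\path\\Key:ValueName==Data' into (key path, value name, expected data).

    Only the '==' form shown on the page is modelled; other operators are an assumption
    this model deliberately does not make.
    """
    key, colon, rest = target.partition(":")       # hive names carry no colon
    name, eq, expected = rest.partition("==")
    if not colon or not eq or not key or not name:
        raise ValueError(f"unrecognised registry target: {target!r}")
    return key, name, expected


def evaluate_policy(items: List[CheckItem], snap: EndpointSnapshot) -> List[CheckItem]:
    """Return the items the endpoint fails; an empty list means the host check passes."""
    failures = []
    for item in items:
        if item.type == "file":
            ok = snap.has_file(expand_env(item.target, snap.env))
        elif item.type == "process":
            ok = snap.has_process(item.target)
        elif item.type == "registry":
            key, name, expected = parse_registry_target(item.target)
            ok = snap.registry_value(key, name) == expected
        else:
            raise ValueError(f"unknown check type: {item.type!r}")
        if not ok:
            failures.append(item)
    return failures


# The three custom checks from this page, combined into a single policy.
PAGE_POLICY = [
    CheckItem("file", r"c:\temp\mytest.txt"),
    CheckItem("file", r"%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe"),
    CheckItem("process", "FortiClient.exe"),
    CheckItem("registry", r"HKLM\SOFTWARE\Fortinet\FortiClient\FA_IKE:enabled==1"),
]


def compliant_endpoint() -> EndpointSnapshot:
    """Constructed snapshot that satisfies every item in PAGE_POLICY."""
    return EndpointSnapshot(
        files={r"C:\temp\mytest.txt", r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"},
        processes={"explorer.exe", "FortiClient.exe"},
        registry={(r"HKLM\SOFTWARE\Fortinet\FortiClient\FA_IKE", "enabled"): "1"},
        env={"ProgramFiles": r"C:\Program Files"},
    )


def noncompliant_endpoint() -> EndpointSnapshot:
    """Constructed snapshot: client installed but not running, and FA_IKE disabled."""
    snap = compliant_endpoint()
    snap.processes.discard("FortiClient.exe")
    snap.registry[(r"HKLM\SOFTWARE\Fortinet\FortiClient\FA_IKE", "enabled")] = "0"
    return snap


if __name__ == "__main__":
    for label, snap in (("compliant", compliant_endpoint()),
                        ("non-compliant", noncompliant_endpoint())):
        failed = evaluate_policy(PAGE_POLICY, snap)
        verdict = "pass" if not failed else "fail: " + ", ".join(
            f"{i.type}={i.target}" for i in failed)
        print(f"{label}: {verdict}")
```

Run as a script it reports the compliant snapshot as passing and the non-compliant one as failing on the process and registry items. Note the quoting difference: the FortiOS CLI strings on this page double their backslashes (`"c:\\temp\\mytest.txt"`), whereas the Python raw strings hold a single backslash; copying a CLI target into a non-raw Python string would turn `\t` into a tab.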
To perform debugging on FortiOS:
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug enable
The following shows an example of debugging output when host check fails: