Restricting VPN access to rogue/non-compliant devices with Security Fabric
The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS 6.4. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:
- Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS dynamic policies using EMS dynamic endpoint groups
- Configuring VPN settings:
- Verify the configuration in FortiClient:
Configuring VPN settings
To configure FortiOS IPsec VPN settings:
- In FortiOS, go to VPN > IPsec Tunnels.
- Click Create New > IPsec Tunnel.
- On the VPN Setup tab, for Template type, select Remote Access.
- For Remote device type, select Client-based, then FortiClient. Click Next.
- On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
- Configure other fields as desired, then create the tunnel.
- Configure policies:
- Go to Policy & Objects > Firewall Policy.
- Select the VPN IPS policy. Right-click, then select Copy.
- Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
- Edit the top pasted policy to allow endpoint and EMS connection:
- For Destination, select the EMS destination.
- For Service, set to EMS port 8013.
- Set the Action to ACCEPT.
- Enable, then save the policy.
- Edit the second pasted policy to restrict access to high-risk managed endpoints:
- In the Source field, select the tag that you configured to apply to non-compliant endpoints.
- Set the Action to DENY.
- Enable, then save the policy.
- Configure the third policy to permit only compliant endpoints to access resources:
- In Source, select the tag that you configured to apply to compliant endpoints.
- Set the Action to ALLOW.
- Enable, then save the policy.
- Ensure that the policies are in the correct sequence and enabled.
To configure FortiOS SSL VPN settings:
- In FortiOS, go to VPN > SSL-VPN Settings.
- Configure the Listen on Port and HTTPS port fields as desired.
- Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
- Click the Apply button.
-
Configure policies:
- FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
- From the Outgoing Interface dropdown list, select Internal.
- For Source, select the desired users.
- For Destination, select the EMS server.
- Under Service, create a custom service with destination port 8013.
- Enable, then save the policy.
- Select the SSL VPN policy. Right-click, then select Copy.
- Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
- Configure the policies:
- Edit the top pasted policy:
- For Source, select the tag that you configured to apply to non-compliant endpoints.
- For Destination, select all.
- For Service, select ALL.
- Set the Action to DENY.
- Enable, then save the policy.
- Edit the second pasted policy:
- In the Source field, select the tag that you configured to apply to compliant endpoints.
- For Destination, select all.
- For Service, select ALL.
- Set the Action to ACCEPT.
- Enable, then save the policy.
- Edit the top pasted policy:
- FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
- Ensure that the policies are sequenced and enabled.
Verifying the configuration in FortiClient
To verify the configuration for IPsec VPN on FortiClient:
- Install FortiClient on an endpoint and ensure that it is connected to EMS.
- Configure and connect to an IPsec VPN tunnel.
- Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
- On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.
- Ping a device on the network to ensure that it can be reached.
- Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
- Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
- Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.
- Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
- Delete the risk.txt file, and stop AV services.
- Ensure that the user details page does not display any tags. The endpoint should lose network access.
To verify the configuration for SSL VPN on FortiClient:
- Install FortiClient on an endpoint.
- Configure and connect to an SSL VPN tunnel.
- Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
- Ensure that AV services are not running.
- On the user details, ensure that EMS has applied no tags.
- Ping the EMS server. The endpoint should be unable to access internal resources.
- In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.
- Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
- Ensure that AV services are running.
- Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.
- Ping the EMS server again. The endpoint should be able to access internal resources.
- Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
- Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
- Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.