Secure remote access compliance enforcement 7.2.3
FortiClient (macOS) and FortiClient (Linux) support secure remote access compliance enforcement. You can block devices from connecting to an SSL VPN tunnel based on the Zero Trust tags that EMS has applied to them. This helps safeguard your internal network from threats that end-user devices may carry.
Consider a scenario where an organization allows employees and customers to bring their own devices and connect them over a corporate VPN tunnel to the internal network. Some of those devices may have vulnerabilities or may lack the latest antivirus (AV) signatures and could expose the internal network. Secure remote access compliance enforcement avoids this: for example, if FortiClient detects that an endpoint has a vulnerability and tags it accordingly, the endpoint is blocked from connecting to the SSL VPN tunnel.
To configure secure remote access compliance enforcement:
- In EMS, go to Zero Trust Tags > Zero Trust Tagging Rules.
- Click Add.
- Click Add Rule.
- In the OS field, select Mac or Linux.
- From the Rule Type dropdown list, select AntiVirus Software.
- Select NOT, so that the rule matches endpoints for which the condition is false.
- From the dropdown list, select AV Signature is up-to-date. With NOT selected, the tag is applied to endpoints whose AV signatures are not up-to-date, which is the state the tunnel will block on.
- Click Save.
- Configure other fields as desired, then click Save.
- Go to Endpoint Profiles > Remote Access.
- Create a new profile or edit an existing one.
- For the desired SSL VPN tunnel, go to Advanced Settings.
- Under Tags, select Block for the action, and select the newly configured tag.
- Enable Customize Host Check Fail Warning.
- In the field, enter the message to display to the user when the host check blocks them from connecting to the SSL VPN tunnel. Click Save.
When an endpoint's AV signatures are not up-to-date, EMS applies the tag and the endpoint cannot connect to the SSL VPN tunnel; the user sees the host check fail warning configured above. Note that the rule's OS field limits it to Mac or Linux, so endpoints running other operating systems are not tagged by this rule and are not blocked by it, even if their signatures are stale.
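The matching semantics of the procedure above, as an added illustration that is not FortiClient or EMS code: the OS scope, the rule type and the NOT toggle of a tagging rule, and the Block action under the tunnel's Tags setting, are modelled so they can be exercised offline. The endpoint posture records, the tag names and the "Vulnerability detected" rule type name are constructed for the example; only "AV Signature is up-to-date" is taken from the procedure.

```python
"""Model of EMS Zero Trust tagging and per-tunnel tag enforcement.

Added illustration, not FortiClient or EMS code. Endpoint posture
records, tag names and the "Vulnerability detected" rule type name
are assumptions made for this example.
"""
from dataclasses import dataclass

# Rule types modelled as predicates over an endpoint posture record.
# "AV Signature is up-to-date" is the rule from the procedure; the
# vulnerability rule name is assumed for illustration.
RULE_TYPES = {
    "AV Signature is up-to-date": lambda p: p["av_signature_up_to_date"],
    "Vulnerability detected": lambda p: p["vulnerability_count"] > 0,
}


@dataclass(frozen=True)
class TagRule:
    tag: str
    os: frozenset          # OS field: the rule only evaluates on these OSes
    rule_type: str
    negate: bool = False   # the NOT toggle in the rule editor

    def matches(self, posture):
        # An endpoint outside the OS scope is never tagged by this rule,
        # even when the predicate would be true for it.
        if posture["os"] not in self.os:
            return False
        result = RULE_TYPES[self.rule_type](posture)
        return (not result) if self.negate else result


@dataclass(frozen=True)
class SslVpnTunnel:
    name: str
    action: str            # "Block" or "Allow" under Advanced Settings > Tags
    tags: frozenset
    host_check_fail_warning: str


def evaluate_tags(rules, posture):
    """Tags that would be applied to an endpoint with this posture."""
    return frozenset(r.tag for r in rules if r.matches(posture))


def vpn_decision(tunnel, endpoint_tags):
    """Return (allowed, message). Block denies any endpoint carrying a
    listed tag; Allow permits only endpoints carrying one."""
    hit = bool(tunnel.tags & endpoint_tags)
    if tunnel.action == "Block":
        allowed = not hit
    elif tunnel.action == "Allow":
        allowed = hit
    else:
        raise ValueError(f"unknown tag action: {tunnel.action}")
    return allowed, ("" if allowed else tunnel.host_check_fail_warning)


# The rule from the procedure: NOT "AV Signature is up-to-date" on Mac/Linux,
# plus an assumed vulnerability rule with the same OS scope.
MAC_LINUX = frozenset({"Mac", "Linux"})
RULES = [
    TagRule("av-sig-stale", MAC_LINUX, "AV Signature is up-to-date", negate=True),
    TagRule("vulnerable", MAC_LINUX, "Vulnerability detected"),
]

TUNNEL = SslVpnTunnel(
    name="corp-sslvpn",
    action="Block",
    tags=frozenset({"av-sig-stale", "vulnerable"}),
    host_check_fail_warning="Update AV signatures and patch before connecting.",
)

# Constructed posture records (not real telemetry).
ENDPOINTS = {
    "mac-fresh":  {"os": "Mac",     "av_signature_up_to_date": True,  "vulnerability_count": 0},
    "mac-stale":  {"os": "Mac",     "av_signature_up_to_date": False, "vulnerability_count": 0},
    "linux-vuln": {"os": "Linux",   "av_signature_up_to_date": True,  "vulnerability_count": 2},
    # Outside the rule's OS scope: stale signatures, but never tagged by these rules.
    "win-stale":  {"os": "Windows", "av_signature_up_to_date": False, "vulnerability_count": 0},
}


def check_all(rules=RULES, tunnel=TUNNEL, endpoints=ENDPOINTS):
    """Map endpoint name -> (tags, allowed, message)."""
    out = {}
    for name, posture in endpoints.items():
        tags = evaluate_tags(rules, posture)
        allowed, msg = vpn_decision(tunnel, tags)
        out[name] = (tags, allowed, msg)
    return out


if __name__ == "__main__":
    for name, (tags, allowed, msg) in check_all().items():
        print(f"{name:11} tags={sorted(tags)} allowed={allowed} {msg}")
```

The `win-stale` record is the case to watch: because the rule's OS field is Mac or Linux, a Windows endpoint with stale signatures receives no tag and the Block action never fires for it. If other operating systems use the same Remote Access profile, they need their own tagging rules.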