Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.6 EMS Administration Guide
    7.2.6
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Restricting VPN access to rogue/non-compliant devices with Security Fabric

    Restricting VPN access to rogue/non-compliant devices with Security Fabric

    The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:

    1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS dynamic policies using EMS ZTNA tags
    2. Configuring VPN settings:
      1. IPsec VPN
      2. SSL VPN
    3. Verify the configuration in FortiClient:
      1. IPsec VPN
      2. SSL VPN

    Configuring VPN settings

    To configure FortiOS IPsec VPN settings:
    1. In FortiOS, go to VPN > IPsec Tunnels.
    2. Click Create New > IPsec Tunnel.
    3. On the VPN Setup tab, for Template type, select Remote Access.
    4. For Remote device type, select Client-based, then FortiClient. Click Next.
    5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
    6. Configure other fields as desired, then create the tunnel.
    7. Configure policies:
      1. Go to Policy & Objects > Firewall Policy.
      2. Select the VPN IPS policy. Right-click, then select Copy.
      3. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
      4. Edit the top pasted policy to allow endpoint and EMS connection:
        1. For Destination, select the EMS destination.
        2. For Service, set to EMS port 8013.
        3. Set the Action to ACCEPT.
        4. Enable, then save the policy.

      5. Edit the second pasted policy to restrict access to high-risk managed endpoints:
        1. In the Source field, select the tag that you configured to apply to non-compliant endpoints.
        2. Set the Action to DENY.
        3. Enable, then save the policy.

      6. Configure the third policy to permit only compliant endpoints to access resources:
        1. In Source, select the tag that you configured to apply to compliant endpoints.
        2. Set the Action to ALLOW.
        3. Enable, then save the policy.

    8. Ensure that the policies are in the correct sequence and enabled.

    To configure FortiOS SSL VPN settings:
    1. In FortiOS, go to VPN > SSL-VPN Settings.
    2. Configure the Listen on Port and HTTPS port fields as desired.
    3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
    4. Click the Apply button.

    5. Configure policies:

      1. FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
        1. From the Outgoing Interface dropdown list, select Internal.
        2. For Source, select the desired users.
        3. For Destination, select the EMS server.
        4. Under Service, create a custom service with destination port 8013.
        5. Enable, then save the policy.

      2. Select the SSL VPN policy. Right-click, then select Copy.
      3. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
      4. Configure the policies:
        1. Edit the top pasted policy:
          1. For Source, select the tag that you configured to apply to non-compliant endpoints.
          2. For Destination, select all.
          3. For Service, select ALL.
          4. Set the Action to DENY.
          5. Enable, then save the policy.

        2. Edit the second pasted policy:
          1. In the Source field, select the tag that you configured to apply to compliant endpoints.
          2. For Destination, select all.
          3. For Service, select ALL.
          4. Set the Action to ACCEPT.
          5. Enable, then save the policy.

    6. Ensure that the policies are sequenced and enabled.

    Verifying the configuration in FortiClient

    To verify the configuration for IPsec VPN on FortiClient:
    1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
    2. Configure and connect to an IPsec VPN tunnel.
    3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
      1. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.

      2. Ping a device on the network to ensure that it can be reached.
    4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
      1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
      2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

    5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
      1. Delete the risk.txt file, and stop AV services.
      2. Ensure that the user details page does not display any tags. The endpoint should lose network access.

    To verify the configuration for SSL VPN on FortiClient:
    1. Install FortiClient on an endpoint.
    2. Configure and connect to an SSL VPN tunnel.
    3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
      1. Ensure that AV services are not running.
      2. On the user details, ensure that EMS has applied no tags.

      3. Ping the EMS server. The endpoint should be unable to access internal resources.
      4. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.

    4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
      1. Ensure that AV services are running.
      2. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.

      3. Ping the EMS server again. The endpoint should be able to access internal resources.
    5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
      1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
      2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

    Previous
    Next

    Restricting VPN access to rogue/non-compliant devices with Security Fabric

    Restricting VPN access to rogue/non-compliant devices with Security Fabric

    The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:

    1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS dynamic policies using EMS ZTNA tags
    2. Configuring VPN settings:
      1. IPsec VPN
      2. SSL VPN
    3. Verify the configuration in FortiClient:
      1. IPsec VPN
      2. SSL VPN

    Configuring VPN settings

    To configure FortiOS IPsec VPN settings:
    1. In FortiOS, go to VPN > IPsec Tunnels.
    2. Click Create New > IPsec Tunnel.
    3. On the VPN Setup tab, for Template type, select Remote Access.
    4. For Remote device type, select Client-based, then FortiClient. Click Next.
    5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
    6. Configure other fields as desired, then create the tunnel.
    7. Configure policies:
      1. Go to Policy & Objects > Firewall Policy.
      2. Select the VPN IPS policy. Right-click, then select Copy.
      3. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
      4. Edit the top pasted policy to allow endpoint and EMS connection:
        1. For Destination, select the EMS destination.
        2. For Service, set to EMS port 8013.
        3. Set the Action to ACCEPT.
        4. Enable, then save the policy.

      5. Edit the second pasted policy to restrict access to high-risk managed endpoints:
        1. In the Source field, select the tag that you configured to apply to non-compliant endpoints.
        2. Set the Action to DENY.
        3. Enable, then save the policy.

      6. Configure the third policy to permit only compliant endpoints to access resources:
        1. In Source, select the tag that you configured to apply to compliant endpoints.
        2. Set the Action to ALLOW.
        3. Enable, then save the policy.

    8. Ensure that the policies are in the correct sequence and enabled.

    To configure FortiOS SSL VPN settings:
    1. In FortiOS, go to VPN > SSL-VPN Settings.
    2. Configure the Listen on Port and HTTPS port fields as desired.
    3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
    4. Click the Apply button.

    5. Configure policies:

      1. FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
        1. From the Outgoing Interface dropdown list, select Internal.
        2. For Source, select the desired users.
        3. For Destination, select the EMS server.
        4. Under Service, create a custom service with destination port 8013.
        5. Enable, then save the policy.

      2. Select the SSL VPN policy. Right-click, then select Copy.
      3. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
      4. Configure the policies:
        1. Edit the top pasted policy:
          1. For Source, select the tag that you configured to apply to non-compliant endpoints.
          2. For Destination, select all.
          3. For Service, select ALL.
          4. Set the Action to DENY.
          5. Enable, then save the policy.

        2. Edit the second pasted policy:
          1. In the Source field, select the tag that you configured to apply to compliant endpoints.
          2. For Destination, select all.
          3. For Service, select ALL.
          4. Set the Action to ACCEPT.
          5. Enable, then save the policy.

    6. Ensure that the policies are sequenced and enabled.

    Verifying the configuration in FortiClient

    To verify the configuration for IPsec VPN on FortiClient:
    1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
    2. Configure and connect to an IPsec VPN tunnel.
    3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
      1. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.

      2. Ping a device on the network to ensure that it can be reached.
    4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
      1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
      2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

    5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
      1. Delete the risk.txt file, and stop AV services.
      2. Ensure that the user details page does not display any tags. The endpoint should lose network access.

    To verify the configuration for SSL VPN on FortiClient:
    1. Install FortiClient on an endpoint.
    2. Configure and connect to an SSL VPN tunnel.
    3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
      1. Ensure that AV services are not running.
      2. On the user details, ensure that EMS has applied no tags.

      3. Ping the EMS server. The endpoint should be unable to access internal resources.
      4. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.

    4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
      1. Ensure that AV services are running.
      2. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.

      3. Ping the EMS server again. The endpoint should be able to access internal resources.
    5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
      1. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
      2. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.

    Previous
    Next