
EMS Administration Guide

Configuring a profile to allow or block endpoint from VPN tunnel connection based on the applied security posture tag

You can configure a profile to allow or block an endpoint from connecting to a VPN tunnel based on its applied security posture tag. This feature is only available for Windows endpoints. This example describes configuring an endpoint profile to prohibit Windows endpoints with critical vulnerabilities from connecting to VPN.

To configure an endpoint profile to prohibit endpoints with critical vulnerabilities from connecting to VPN:
  1. Create a security posture tagging rule set that applies the "Vulnerable Devices" tag to endpoints with critical vulnerabilities:
    1. Go to Security Posture Tags > Security Posture Tagging Rules.
    2. Click Add.
    3. In the Tag Endpoint As field, create a new "Vulnerable Devices" tag.
    4. Toggle Enabled to on.
    5. Click Add Rule.
    6. For Windows devices, from the Rule Type dropdown list, select Vulnerable Devices.
    7. From the Severity Level dropdown list, select Critical.
    8. Click Save.
    9. Click Save again.

  2. Configure the options on the endpoint profile:
    1. Go to Endpoint Profiles > Remote Access.
    2. Edit the desired profile, or create a new one.
    3. Under General, enable Enable Secure Remote Access.
    4. Select an existing VPN tunnel, or create a new one by clicking Add Tunnel, then Manual.
    5. In Advanced Settings, for Tags, select Prohibit.
    6. From the Select a Tag dropdown list, select Vulnerable Devices.
    7. Enable Customize Host Check Fail Warning.
    8. Enter a message to display to users when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device.
    9. Configure other fields as desired.
    10. Save the configuration.

After the next communication between EMS and FortiClient, endpoints with this profile applied are unable to connect to this VPN tunnel if they have critical vulnerabilities. The following shows the notification that the end user sees when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device. After the end user fixes the vulnerabilities, FortiClient allows them to establish the VPN connection.
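The tag evaluation and the profile's tag check described above, as an added Python model of the decision logic (not Fortinet's code and not an EMS or FortiClient API). It assumes a Severity Level rule matches findings at or above the selected level, and that the Allow mode is the mirror of Prohibit (only endpoints carrying the tag may connect); the tunnel name, finding IDs and warning text are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Severity ordering used by this model. Assumption: a rule set to "Critical"
# matches findings of that severity or higher.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass(frozen=True)
class TaggingRule:
    tag: str            # value of the "Tag Endpoint As" field
    min_severity: str   # value of the "Severity Level" dropdown list
    enabled: bool = True

@dataclass
class RemoteAccessProfile:
    tunnel: str
    tag_mode: str       # "Prohibit" or "Allow" (Allow semantics assumed)
    tag: str            # value of the "Select a Tag" dropdown list
    fail_warning: str   # "Customize Host Check Fail Warning" text

def apply_tags(findings: list[dict], rules: list[TaggingRule]) -> set[str]:
    """Evaluate Vulnerable Devices rules against an endpoint's scan findings.
    findings is a list of {"id": ..., "severity": ...} dicts (constructed)."""
    tags = set()
    for rule in rules:
        if not rule.enabled:
            continue
        threshold = SEVERITY_RANK[rule.min_severity]
        if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings):
            tags.add(rule.tag)
    return tags

def vpn_decision(tags: set[str], profile: RemoteAccessProfile) -> tuple[bool, str]:
    """Return (allowed, message) for a connection attempt to the tunnel."""
    has_tag = profile.tag in tags
    if profile.tag_mode == "Prohibit" and has_tag:
        return False, profile.fail_warning
    if profile.tag_mode == "Allow" and not has_tag:
        return False, profile.fail_warning
    return True, ""

# Constructed sample data mirroring the procedure in this section.
RULES = [TaggingRule(tag="Vulnerable Devices", min_severity="Critical")]
PROFILE = RemoteAccessProfile(tunnel="corp-vpn", tag_mode="Prohibit",
                              tag="Vulnerable Devices",
                              fail_warning="Critical vulnerabilities found; patch before connecting.")

def simulate(findings: list[dict]) -> tuple[bool, str]:
    """Model one EMS/FortiClient sync: re-tag the endpoint, then decide."""
    return vpn_decision(apply_tags(findings, RULES), PROFILE)
```

Calling simulate() twice, once with a Critical finding and once after it is remediated, reproduces the blocked-then-allowed behaviour the paragraph above describes.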
