Administration Guide

Configuring OS and host check

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that help keep your internal network secure and limit the possibility of attacks and viruses entering the network from an outside source. These include verifying the remote device's OS and performing host checks on the software running on it.

Verifying remote user OS

To verify that remote users are connecting to your network from devices with up-to-date operating systems, you can configure an OS host check for Windows and Mac OS. The check can be configured per OS version, such as Windows 7, 8, 8.1, 10, and 2000.

To configure an OS host check for specific OS versions:
  1. Go to VPN > SSL-VPN.

  2. Click Create New.

  3. Enable Restrict to Specific OS Versions.

  4. Select an OS version and click Edit to change the action.

  5. Select the action:

    • Allow: The selected OS version is allowed to connect. This is the default action.

    • Block: The selected OS version is not allowed to connect.

    • Check up to date: Specify a Tolerance and Latest patch level that is allowed for the selected OS version.

  6. Click OK.

  7. Configure other parameters as needed.

  8. Click OK.

Host check

Host check verifies whether the client Windows device has antivirus software, a firewall, both, or other custom security software enabled. Admins may also define their own custom host check software, which supports Windows and Mac OS. See Creating a custom host check list.

Note

Host Check is only available for SSL VPN tunnel mode.

To configure host checking:
  1. Go to VPN > SSL-VPN Portal.

  2. Click Create New.

  3. Enable Host Check.

  4. Set the Type:

    • Realtime AntiVirus: Checks that AntiVirus software recognized by Windows Security Center is enabled.

    • Firewall: Checks that firewall software recognized by Windows Security Center is enabled.

    • Enable both: Checks that both Realtime AntiVirus and Firewall are enabled.

    • Custom: Not configurable from the GUI. See CLI settings below.

  5. Configure other parameters as needed.

  6. Click OK.

You can configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software.

To configure custom host checking:
config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
    next
end
Note

Many other security software products can also be configured. Use set host-check-policy ? to see the list of supported software.

Replacing the host check error message

You can add your own host security check error message using either the GUI or the CLI. The default message reads:

Your PC does not meet the host checking requirements set by the firewall. Please try again in a few minutes. If the issue persists check that your OS version meets the minimum requirements, that your antivirus and firewall applications are installed and running properly, and that you have the correct network interface.

To replace the host check error message in the GUI:
  1. Go to System > Replacement Messages.

  2. Select Extended View in the upper right corner.

  3. Scroll down to SSL-VPN and select Hostcheck Error Message.

  4. Click Edit. The Hostcheck Error Message pane opens.

  5. Edit the text in the right-hand column.

  6. Click Save.

Note

If you are unhappy with the new message, you can restore the message to its default by selecting Restore Defaults instead of Save.

MAC address check

Aside from OS and host checks, FortiGate can also perform a MAC address check on the remote host.

To configure a MAC address check on the remote host in the CLI:
config vpn ssl web portal
    edit <portal_name>
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list <address> [address]
                set mac-addr-mask <mask between 1-48>
            next
        end
        set mac-addr-action {allow | deny}
    next
end

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms.

To add software requirements to the host check list:
config vpn ssl web host-check-software
    edit <software_name>
        set os-type {windows | macos}
        set type {av | fw}
        set version <version_number>
        set guid <guid_value>
        config check-item-list
            edit <ID>
                set action {require | deny}
                set type {file | registry | process}
                set target <target string>
                set version <version string>
                set md5s <hex string>
            next
        end
    next
end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.

To obtain the exact version number in Windows, right-click the application's .EXE file, select Properties, and then select the Version tab.

Example: Tunnel Mode Host Check - Registry Key Check

The following example configuration checks if a required registry key is present on a Windows device.

config vpn ssl web host-check-software
    edit <computer_name>
        config check-item-list
            edit 1
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName=WINXP32SP3B62"
                set type registry
            next
        end
    next
end

Example: Tunnel Mode Host Check - Application Running Check

The following example configuration checks if a required application is installed and/or running:

config vpn ssl web host-check-software
    edit "calc"
        config check-item-list
            edit 1
                set target "calc.exe"
                set type process
            next
        end
    next
end

Example: Mac OS host check and process check

The os-type option is available under config vpn ssl web host-check-software. If os-type is macos, the type, version, and guid options are hidden, and type in check-item-list can only be set to file or process.

config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list macos-bigsur-11
            set action {allow | deny | check-up-to-date}
            set tolerance <value>
            set latest-patch-level <value>
        end
    next
end
config vpn ssl web host-check-software
    edit <name>
        set os-type macos
        config check-item-list
            edit <name>
                set type process
                set target <target process>
            next
        end
    next
end

Example: Configuring Windows OS Check with patch version

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS queries the version of Windows the user has installed. If it does not meet the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. For example, if latest-patch-level is three and tolerance is one, two is the lowest acceptable patch level.

To configure OS check:
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list <windows OS version>
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 65535}
            set tolerance <tolerance_num>
        end
    next
end

Example: Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to one:

  • KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

  • ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows firewall software.

To define the Windows firewall software:
config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        set type fw
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
    next
end
config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy Microsoft-Windows-Firewall
    next
end

Troubleshooting

To troubleshoot OS and host check, enable the following real-time debugs from the CLI:

# diagnose debug app sslvpn -1
# diagnose debug enable

From the remote client, connect to SSL VPN. Look for debug output similar to the following:

[263:root:3cca1]host check result:4 0100,10.0.19042,74:78:27:4d:81:93|84:1b:77:3a:95:84

To interpret the above output, the fields are as follows:

host check result: 4
    The hex number of the portal's host check value:

      • 0: None

      • 1: Check antivirus

      • 2: Check firewall

      • 3: Check antivirus and firewall

      • 4: Custom check

0100
    The 4 bytes show the result of the host checks configured in the FortiGate settings. Positions count from left to right, zero to three:

      • Position zero: result of the third-party firewall check.

      • Position one: result of the third-party antivirus check.

      • Position two: result of the FortiClient firewall check.

      • Position three: result of the FortiClient antivirus check.

    0 means not in use; 1 means in use.

10.0.19042
    The OS version of the client.

74:78:27:4d:81:93|84:1b:77:3a:95:84
    The MAC addresses of the client machine's network interfaces, which are used for the MAC address check. Multiple MAC addresses are separated by '|'.
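As an added example (not FortiOS code), the following Python script parses a "host check result" debug line into the fields described above and then applies a mac-addr-check-rule to the reported MAC addresses; it assumes that mac-addr-mask is a prefix length in bits (1-48) compared against the address, which the page does not state.

```python
"""Decode a FortiOS 'host check result' debug line and apply a MAC rule.

Added example, not FortiOS code. The line shape follows the troubleshooting
section: '<mode> <4 flags>,<os version>,<mac>|<mac>...'. The MAC rule
treats mac-addr-mask as a prefix length in bits; that is an assumption.
"""
import re

# Portal host check mode (the hex number after "host check result:")
HOST_CHECK_MODE = {0: "None", 1: "Check antivirus", 2: "Check firewall",
                   3: "Check antivirus and firewall", 4: "Custom check"}

# Meaning of the four result positions, left to right
FLAG_POSITIONS = ("third-party firewall", "third-party antivirus",
                  "FortiClient firewall", "FortiClient antivirus")

LINE_RE = re.compile(
    r"host check result:(?P<mode>[0-9a-fA-F]+)\s+(?P<flags>[01]{4}),"
    r"(?P<os>[^,]+),(?P<macs>[0-9a-fA-F:]{17}(?:\|[0-9a-fA-F:]{17})*)")


def parse_host_check(line):
    """Return a dict describing one debug line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "mode": HOST_CHECK_MODE.get(int(m.group("mode"), 16), "Unknown"),
        "in_use": [FLAG_POSITIONS[i] for i, c in enumerate(flags) if c == "1"],
        "os_version": m.group("os"),
        "macs": m.group("macs").lower().split("|"),
    }


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def mac_matches(mac, rule_mac, mask_bits):
    """True when the first mask_bits bits of mac and rule_mac agree (assumed semantics)."""
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    shift = 48 - mask_bits
    return (mac_to_int(mac) >> shift) == (mac_to_int(rule_mac) >> shift)


def mac_check(parsed, rule_list, mask_bits, action):
    """Apply a mac-addr-check-rule (action 'allow' or 'deny').
    Returns True when the client is allowed to connect."""
    matched = any(mac_matches(c, r, mask_bits)
                  for c in parsed["macs"] for r in rule_list)
    return matched if action == "allow" else not matched


# Constructed sample line in the shape shown in the troubleshooting section.
SAMPLE = ("[263:root:3cca1]host check result:4 0100,10.0.19042,"
          "74:78:27:4d:81:93|84:1b:77:3a:95:84")

if __name__ == "__main__":
    info = parse_host_check(SAMPLE)
    print(info)
    # Allow only the 74:78:27 vendor prefix (24 bits); matches the first MAC.
    print(mac_check(info, ["74:78:27:00:00:00"], 24, "allow"))
```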
