Configuring OS and host check
Beyond the basics of setting up the SSL VPN, you can configure a number of other options that help keep your internal network secure and limit the possibility of attacks and viruses entering the network from an outside source. These include verifying the remote OS and performing host checks on software running on the remote device.
Verifying remote user OS
To verify that remote users are using devices with up-to-date Operating Systems to connect to your network, you can configure a host check for Windows and Mac OS. You can configure an OS host check for specific OS versions, such as Windows 7, 8.1, 10, and 11.
To configure an OS host check for specific OS versions:
- Go to VPN > SSL-VPN.
- Click Create New.
- Enable Restrict to Specific OS Versions.
- Select an OS version and click Edit to change the action.
- Select the action:
  - Allow: The selected OS version is allowed to connect. This is the default action.
  - Deny: The selected OS version is not allowed to connect.
  - Check up to date: Specify a Tolerance and Latest patch level that is allowed for the selected OS version.
- Click OK.
- Configure other parameters as needed.
- Click OK.
Host check
Host check verifies whether the client's Windows device has antivirus software, a firewall, both, or other custom security software enabled. Admins may also define their own custom host check software, which supports Windows and Mac OS. See Creating a custom host check list.
Host Check is only available for SSL VPN tunnel mode.
To configure host checking:
- Go to VPN > SSL-VPN Portal.
- Click Create New.
- Enable Host Check.
- Set the Type:
  - Realtime AntiVirus: Checks that AntiVirus software recognized by Windows Security Center is enabled.
  - Firewall: Checks that firewall software recognized by Windows Security Center is enabled.
  - Enable both: Checks that both Realtime AntiVirus and Firewall are enabled.
  - Custom: Not configurable from the GUI. See CLI settings below.
- Configure other parameters as needed.
- Click OK.
You can configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software.
To configure custom host checking:
config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
    next
end
Many other security software packages can also be configured. Use
Replacing the host check error message
You can add your own host security check error message using either the GUI or the CLI. The default message reads:
Your PC does not meet the host checking requirements set by the firewall. Please try again in a few minutes. If the issue persists check that your OS version meets the minimum requirements, that your antivirus and firewall applications are installed and running properly, and that you have the correct network interface.
To replace the host check error message in the GUI:
- Go to System > Replacement Messages.
- Select Extended View in the upper right corner.
- Scroll down to SSL-VPN and select Hostcheck Error Message.
- Click Edit. The Hostcheck Error Message pane opens.
- Edit the text in the right-hand column.
- Click Save.
If you are unhappy with the new message, you can restore the message to its default by selecting Restore Defaults instead of Save.
MAC address check
Aside from the OS and host checks, FortiGate can also perform a MAC address check on the remote host.
To configure a MAC address check on the remote host in the CLI:
config vpn ssl web portal
    edit <portal_name>
        set mac-addr-check enable
        config mac-addr-check-rule
            edit <rule_name>
                set mac-addr-list <address> [address]
                set mac-addr-mask <mask between 1-48>
                set mac-addr-action {allow | deny}
            next
        end
    next
end
Creating a custom host check list
You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms.
To add software requirements to the host check list:
config vpn ssl web host-check-software
    edit <software_name>
        set os-type {windows | macos}
        set type {av | fw}
        set version <version_number>
        set guid <guid_value>
        config check-item-list
            edit <ID>
                set action {require | deny}
                set type {file | registry | process}
                set target <target string>
                set version <version string>
                set md5s <hex string>
            next
        end
    next
end
If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.
To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.
Example: Tunnel Mode Host Check - Registry Key Check
The following example configuration checks if a required registry key is present on a Windows device.
config vpn ssl web host-check-software
    edit <computer_name>
        config check-item-list
            edit 1
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName=WINXP32SP3B62"
                set type registry
            next
        end
    next
end
Example: Tunnel Mode Host Check - Application Running Check
The following example configuration checks if a required application is installed and/or running:
config vpn ssl web host-check-software
    edit "calc"
        config check-item-list
            edit 1
                set target "calc.exe"
                set type process
            next
        end
    next
end
Example: Mac OS host check and process check
The os-type option is available under vpn ssl web host-check-software; if os-type is macos, then type, version and guid are hidden. Furthermore, type in check-item-list can only be set to file or process.
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list macos-bigsur-11
            set action {allow | deny | check-up-to-date}
            set tolerance <value>
            set latest-patch-level <value>
        end
    next
end
config vpn ssl web host-check-software
    edit <name>
        set os-type macos
        config check-item-list
            edit <name>
                set type process
                set target <target process>
            next
        end
    next
end
Example: Configuring Windows OS Check with patch version
The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.
To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. For example, if latest-patch-level is three and tolerance is one, two is the lowest acceptable patch level.
To configure OS check:
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list <windows OS version>
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 65535}
            set tolerance <tolerance_num>
        end
    next
end
Example: Host check for Windows firewall
The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.
If the Windows firewall is on, the following registry value is set to one:
- KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- ValueName: EnableFirewall
In FortiOS, use the registry-value-check feature to define the Windows firewall software.
To define the Windows firewall software:
config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        set type fw
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
    next
end
config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy Microsoft-Windows-Firewall
    next
end
Troubleshooting
To troubleshoot OS and host check, enable the following real-time debugs from the CLI:
# diagnose debug app sslvpn -1
# diagnose debug enable
From the remote client, connect to SSL VPN. Look for debug output similar to the following:
[263:root:3cca1]host check result:4 0100,10.0.19042,74:78:27:4d:81:93|84:1b:77:3a:95:84
To interpret the above output:

Field | Description
---|---
host check result: 4 | The hex number of the portal's host check value.
0100 | The 4 bytes show the result of host check checking in the FortiGate settings. Position counts from left to right, zero to three.
10.0.19042 | The OS version.
74:78:27:4d:81:93\|84:1b:77:3a:95:84 | The MAC address of the client machine's network interface, which is used for the MAC address check. Multiple MAC addresses are separated by '\|'.
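As an added example that is not part of the FortiOS documentation, the following Python splits the debug line above into its fields and then compares the reported client MAC addresses against a mac-addr-check-rule; the rule representation is hypothetical, and it assumes mac-addr-mask is a prefix length over the 48-bit address, which the page does not state.

```python
import re

# Constructed sample, in the shape of the debug output shown in the troubleshooting section.
SAMPLE_LINE = ("[263:root:3cca1]host check result:4 0100,10.0.19042,"
               "74:78:27:4d:81:93|84:1b:77:3a:95:84")

LINE_RE = re.compile(r"host check result:(?P<result>[0-9a-fA-F]+)\s+"
                     r"(?P<flags>[0-9a-fA-F]{4}),(?P<os>[^,]+),(?P<macs>.*)$")


def parse_host_check_line(line):
    """Split one 'host check result' debug line into its fields; None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "result": int(m.group("result"), 16),         # hex host check value of the portal
        "flags": [int(c) for c in m.group("flags")],  # positions 0..3, left to right
        "os_version": m.group("os"),
        # several MAC addresses are separated by '|'
        "macs": [x.strip().lower() for x in m.group("macs").split("|") if x.strip()],
    }


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(client_mac, rule_mac, mask_bits):
    """True when the first mask_bits bits of both addresses agree.

    Assumption (not stated on the page): mac-addr-mask is a prefix length over
    the 48-bit address, so mask 24 compares only the OUI.
    """
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    shift = 48 - mask_bits
    return (mac_to_int(client_mac) >> shift) == (mac_to_int(rule_mac) >> shift)


def evaluate_mac_rules(client_macs, rules):
    """Action of the first rule matching any client MAC, else None.

    'rules' is a hypothetical list of dicts with keys 'macs', 'mask' and
    'action', mirroring mac-addr-list, mac-addr-mask and mac-addr-action.
    """
    for rule in rules:
        for client_mac in client_macs:
            if any(mac_matches(client_mac, rm, rule["mask"]) for rm in rule["macs"]):
                return rule["action"]
    return None
```

Run parse_host_check_line over a saved debug capture to pull out only the host check lines, then feed the MAC list to evaluate_mac_rules with the rules copied from the portal configuration.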