Note: The description in this article is based on a FortiGate FG-300E with FortiOS version 6.2.3, configured as an FGCP cluster and using VDOMs.
Host Check, or client checks when connecting to the portal
FortiGate, in cooperation with FortiClient, can verify various parameters on the client during login and allow the SSL VPN connection only based on the check result. Fortinet collectively refers to these checks as Host Check, although I didn't find any mention of this feature in the FortiClient documentation.
We can check certain OS versions (Windows and Mac), presence of Antivirus and Firewall on Windows, client MAC address, presence of a certain file, process or registry key.
The settings are configured within the SSL-VPN Portal and most things must be done using the command line (CLI), only a small part can be set in the GUI.
Note: I keep complaining about Fortinet's documentation, and in this area it's even worse. Many things have to be configured in CLI and the command documentation is almost non-existent, so my description is based on tests and describes my understanding of how it works.
Which version of FortiClient to use and error messages
There is one crucial and important thing that cost me a week of time. If we use the free version of the client, we must use FortiClient 6.0.x (I tested 6.0.9) and not FortiClient VPN 6.2.x (I tried 6.2.6). From version FortiClient 6.2.0, it became a paid product that must be managed using EMS (Enterprise Management Server). Fortinet provides a free limited version of FortiClient VPN 6.2. It does not contain components other than SSL and IPsec VPN client (although the installation package is the same size as the full FortiClient), but even these capabilities are limited.
This client (FortiClient VPN 6.2.x) does not support any Host Check function. If Host Check is enabled on the portal, and the client tries to log in, it will always get an error.
Unable to establish the VPN connection. The VPN server may be unreachable. (-14)

I did not find any information in any Fortinet documentation that this client version cannot be used for client checks, so I spent a long time trying to figure out why no check was working for me, until I came across a small mention in one discussion and tried an older client version. Then everything started working. I wanted to find some information about this from Fortinet. For a while I thought it was the Endpoint Telemetry function, where a note in the properties of FortiClient EMS and FortiGate Endpoint Licenses says Requires FortiClient to be managed by EMS. But this function is apparently something different, and the same note is also in the older version.
If we have a version of FortiClient that supports client checks and some check is set, then if the check doesn't pass, we get an error.
Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-455)

During tests, I also encountered a bug that manifested in FortiClient 6.0.9 and 6.2.6 (so it might be a bug in FortiOS 6.2.3). I have a special Realm where certificate authentication is enabled, and a standard (root) Realm, where a certificate is not required, into which I'm now logging in. Both have a portal assigned that contains some host check. When the check doesn't pass (which on 6.2.6 is always), it returns a nonsensical error that a certificate needs to be used. If the check passes, of course it doesn't require a certificate.
The server you want to connect to requests identification, please choose a certificate and try again. (-455)

Checks for unsupported OS and web browser
To use the Host Check function, we need the Windows OS and the FortiClient application (I haven't tried Linux and Mac yet, but the FortiOS 5.2 documentation notes that host integrity check is only possible for clients running on the Microsoft Windows platform, and one KB article states that only a Windows client OS is supported, not Windows Server).
In general, another option is connecting via browser to Web VPN. No checks work in the web (the FortiOS 5.2 documentation states that Host Check is applicable to both Web VPN and Tunnel VPN, and somewhere I read that there's also a plugin for the browser, but nothing works for me), yet we can still log in. We can change this behavior by disabling the skipping of checks for browsers. On the other hand, we might want the checks to be performed only when establishing a tunnel, while connection to the web portal always works (it offers limited features).
config vpn ssl web portal
edit "VPN1"
set skip-check-for-browser disable
next
end
Mobile clients (I tested Android, both the Legacy and the new client) are apparently treated as an unsupported OS, because after setting client checks (which cannot pass) we can still connect from the Android client. The moment we disable skipping checks for unsupported OS, we can no longer connect, and we don't even get any informative error. It's a way to easily block connections from mobile clients (and possibly other OSes).
config vpn ssl web portal
edit "VPN1"
set skip-check-for-unsupported-os disable
next
end
MAC Host Check - checking client MAC addresses
Documentation vpn ssl web portal, Technical Tip: MAC host check on SSL VPN, Additional configuration options 6.0 - Host Check, Additional configuration options 5.2 - Host Check
In the portal parameters, we can configure a restriction that connection is only possible from certain MAC addresses. When a remote client logs into the portal, FortiGate verifies its client MAC address and only certain devices connect to the tunnel. It appears that MAC addresses of all network adapters of the client are checked (so it doesn't matter whether we use Ethernet or Wireless adapter in the configuration).
Configuration is done in CLI. We enable MAC address check and set the action for the case that the address matches the rule defined below. We create rules that contain MAC addresses. We can enter either a direct MAC address or a subset of MAC addresses.
In MAC addresses, colon must be used as a separator, multiple addresses are separated by a space. The documentation doesn't provide such details (like input format or which interface address is used), so this is observed from practice. If we try to enter a MAC address in the command with, say, hyphens instead of colons, we immediately get an error that it's not a valid MAC address.
config vpn ssl web portal
edit <name>
set mac-addr-check enable
set mac-addr-action allow
config mac-addr-check-rule
edit <name>
set mac-addr-list <addr1> <addr2>
set mac-addr-mask {integer 1 - 48}
next
end
end
Example configuration where three MAC addresses are listed as allowed.
config vpn ssl web portal
edit "VPN1"
set mac-addr-check enable
set mac-addr-action allow
config mac-addr-check-rule
edit "Rule1"
set mac-addr-mask 48
set mac-addr-list 78:2b:cb:ac:2c:a3 00:09:0f:fe:00:01 00:05:9a:3c:7a:00
next
end
end
Example of a rule that uses address subsets (ranges) which should cover all MAC addresses (for testing).
edit "Rule1"
set mac-addr-mask 1
set mac-addr-list 00:00:00:00:00:00 80:00:00:00:00:00
next
Debug information
MAC address check should be part of the HostCheck function. Unfortunately, I couldn't find how to debug this function. When we turn on debug for SSL VPN
diagnose debug application sslvpn -1
diagnose debug enable
and the client is FortiClient VPN 6.2.6, only the following appears in the log.
[9314:FWINT:41b]login_succeeded:523 redirect to hostcheck
[9314:FWINT:41b]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
No information even about MAC address verification failing or Host Check at all, let alone anything more detailed. If we have client FortiClient 6.0.9, the situation is slightly better.
[9314:FWINT:6ae]login_succeeded:523 redirect to hostcheck
[9314:FWINT:6ae]User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) [SV{v=01.01;}]
[9314:FWINT:6ae]req: /remote/hostcheck_validate
[9314:FWINT:6ae]host check result:0 0000,10.0.18362,00:05:9a:3c:7a:00|00:09:0f:aa:00:01|2c:d0:5a:b8:42:db
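To make the debug line and the MAC rule semantics concrete, here is an added Python example (not Fortinet code) that parses the "host check result" lines from a constructed debug capture and evaluates the extracted adapter MACs against mac-addr-check-rule entries. The prefix-bit interpretation of mac-addr-mask and the "any adapter matches" logic are assumptions drawn from the examples above.

```python
import re

# Constructed sample of "diagnose debug application sslvpn -1" output in the
# format the article shows; the PIDs, OS build and MAC addresses are made up.
SAMPLE_LOG = """\
[9314:FWINT:6ae]login_succeeded:523 redirect to hostcheck
[9314:FWINT:6ae]req: /remote/hostcheck_validate
[9314:FWINT:6ae]host check result:0 0000,10.0.18362,00:05:9a:3c:7a:00|00:09:0f:aa:00:01|2c:d0:5a:b8:42:db
[9314:FWINT:6e2]host check result:4 0000,10.0.17134,78:2b:cb:ac:2c:a3
[9314:FWINT:6e2]rmt_hcvalidate_cb_handler:404 hostcheck validation failed
"""

# host check result:<code> <flags>,<os version>,<mac>|<mac>|...
HC_RE = re.compile(r"host check result:(\d+) (\d{4}),([\d.]+),(.*)$")
# FortiOS only accepts colon-separated MAC addresses (hyphens are rejected)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_host_check(line):
    """Return the fields of one 'host check result' line, or None."""
    m = HC_RE.search(line.strip())
    if not m:
        return None
    return {"code": int(m.group(1)), "flags": m.group(2),
            "os_version": m.group(3),
            "macs": [x.lower() for x in m.group(4).split("|") if x]}


def scan_log(text):
    """Collect every host check result found in a debug capture."""
    return [r for r in map(parse_host_check, text.splitlines()) if r]


def mac_to_int(mac):
    if not MAC_RE.match(mac.lower()):
        raise ValueError("not a colon-separated MAC address: %s" % mac)
    return int(mac.replace(":", ""), 16)


def mac_matches_rule(mac, mac_list, mask_bits):
    """Assumed mac-addr-mask semantics: the first mask_bits bits of the
    48-bit address must equal those of some entry in mac-addr-list."""
    shift = 48 - mask_bits
    prefix = mac_to_int(mac) >> shift
    return any(mac_to_int(m) >> shift == prefix for m in mac_list)


def client_allowed(macs, rules, action="allow"):
    """Evaluate all adapter MACs of a client (the article observes that all
    adapters are checked) against the rules and the mac-addr-action."""
    matched = any(mac_matches_rule(mac, r["list"], r["mask"])
                  for mac in macs for r in rules)
    return matched if action == "allow" else not matched
```

With mask 1 and the two entries 00:00:00:00:00:00 and 80:00:00:00:00:00, every possible first bit is covered, which is why that rule matches any client address.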
Notes
When the MAC address check wasn't working for me at all initially, I was reading various forums. I found only a few posts, mostly for FortiOS version 5.2, where people write that it partially works, but for some clients the MAC address is read incorrectly (an official bug is also mentioned there). They also often state that blocking doesn't work for connections from mobile devices, which always connect. I found out that this is caused by the default setting under which the check is not performed on an unsupported OS (already described above). But that mobile clients count as an unsupported OS seems very bad to me.
config vpn ssl web portal
edit "VPN1"
set skip-check-for-unsupported-os disable
set skip-check-for-browser disable
next
end
OS Host Check - restriction to a certain OS version
Documentation Verifying remote user OS and software, vpn ssl web portal, vpn ssl web host-check-software, Additional configuration options 6.0 - Host Check, Additional configuration options 5.2 - Host Check
FortiClient can detect the operating system version and possibly installed patches. Unfortunately, OS support is limited, probably to Windows and Mac. What I really don't like here is that mobile OSes are not detected. The configuration can be done in GUI and CLI.
- (VDOM) > VPN > SSL-VPN Portals
- check Restrict to Specific OS Versions
- we see a table with some versions of Windows and Mac, we can set Allow, Deny, Check up to date

Debug information and Windows version
When we turn on SSL VPN debug, and we have support on the client side, the check result is logged in one line. The second value is the Windows version (BTW again I couldn't find a description of this debug line anywhere).
[9315:FWINT:6d0]host check result:0 0000,10.0.17134,00:05:9a:3c:7a:00|00:ff:8b:e3:54:fa
We can display it in this format for example with the command systeminfo.exe
OS Version: 10.0.17134 N/A Build 17134
Configuration using CLI
When configuring using command line, we first enable OS check and then define behavior for individual supported OS versions. The list of predefined OSes (which we can't change) is offered
FW1 (VPN1) # config os-check-list ?
name    Name.
macos-catalina-10.15
macos-high-sierra-10.13
macos-mojave-10.14
macos-sierra-10.12
os-x-el-capitan-10.11
os-x-mavericks-10.9
os-x-yosemite-10.10
windows-7
windows-8
windows-8.1
windows-10
windows-2000
Configuration in CLI is shown below. The default action is allow. If we choose check-up-to-date, we can also check the Build / Patch Level: we enter the minimum value in the latest-patch-level command. For Windows 10, the build number from the OS version is checked. For Build 17134 from the example above, setting the value to 17000 passes the test, while 18000 already fails.
config vpn ssl web portal
edit "VPN1"
set os-check enable
config os-check-list "windows-10"
set action check-up-to-date
set tolerance 0
set latest-patch-level 17000
end
next
end
AV, FW Host Check - checking for presence of antivirus and firewall
Documentation SSL VPN tunnel mode host check, Additional configuration options 6.0 - Host Check, Additional configuration options 5.2 - Host Check, vpn ssl web portal, vpn ssl web host-check-software
Another check on the client that can be performed by FortiClient (the correct client on the correct OS) in cooperation with FortiGate, is the presence of security SW generally Antivirus and Firewall. Configuration is done for a specific portal. We can do basic enabling in GUI, but we set all details in CLI.
- (VDOM) > VPN > SSL-VPN Portals
- check Host Check
- choose AntiVirus, Firewall or both

According to Technical Tip: FortiClient Host Checker Support for Windows Operating Systems including Windows Server (the article also describes how to test that Windows detects our AV/FW) FortiClient detects security software using Windows Security Center (reads WMI namespace or uses Win32API function) and product GUID. FortiOS defines a number of products, if we enable general AV or FW check, it (probably) detects the presence of any of them. We can list them in CLI (in the example below is only the first item).
FW1 (host-check-software) # show
config vpn ssl web host-check-software
edit "FortiClient-AV"
set guid "1A0271D5-3D4F-46DB-0C2C-AB37BA90D9F7"
next
Configuration using CLI
Using CLI we can set the same as in GUI, enabling using values av, fw or av-fw.
config vpn ssl web portal
edit "VPN1"
set host-check [none|av|fw|av-fw|custom]
next
end
But in CLI we can set more. We can specify detection of only specific AV/FW using custom and predefined product. We can also add periodic check repetition, value 0 means check only at connection.
config vpn ssl web portal
edit "VPN1"
set host-check custom
set host-check-policy AVG-Internet-Security-FW Trend-Micro-FW ESET-Smart-Security-AV
set host-check-interval 0
next
end
Adding new security application
If our security software is not in the list on FortiGate, we can add it. Instructions on how to find the product GUID using wbemtest.exe are in the article Adding custom host check definitions for FortiGate SSL VPN host check feature (almost the same Technical Note: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check). We create a new definition and we can also restrict a certain minimum product version.
config vpn ssl web host-check-software
edit MyAV
set type av
set guid "768124D7-F5F7-6D2F-DDC2-94DFA4017C95"
set version "4.9"
next
end
Debug information
When we turn on SSL VPN debug, and we have support on the client side, the check result is logged in one line. The first value shows the check result (it's the same as for file, registry or process verification). If the check fails, it's 4 0000, if it passes 4 0100.
[9314:FWINT:6e2]host check result:4 0000,10.0.17134,78:2b:cb:ac:2c:a3
File, Registry, Process Host Check - checking existence of registry key, file or process
Documentation vpn ssl web portal, vpn ssl web host-check-software, Technical Tip: Configuring custom registry checks for SSL VPN, Technical Tip: Checking AD domain of host connecting to a SSL VPN tunnel, Configuring SSL VPN host check based on MD5 fingerprint, Additional configuration options 6.0 - Host Check, Additional configuration options 5.2 - Host Check
Using a custom rule we can also check for the existence, and possibly the value, of a registry key; the existence of a file, possibly including its MD5 hash; or the presence of a running process. All configuration is done in CLI. Within a rule, we can perform multiple checks or verify multiple items.
General configuration looks as follows, many commands remain in default values.
config vpn ssl web host-check-software
edit <name>
config check-item-list
edit <id>
set action [require|deny]
set type [file|registry|process]
set target {string}
set version {string}
set md5s <id1>, <id2>, ...
next
end
next
end
Registry key check
For a registry check we must enter the registry path (Key and Subkey) and the value name (Value Name); optionally we can also check the value data (Value Data). The input format is:
Key\Subkey\Subkey:ValueName==ValueData
When entering in CLI we must use a single slash for the path, but if we display the configuration, we'll see double slashes (but if we entered them doubled, they would be stored as four). Instead of root key names, we can also use their abbreviations, for example HKEY_LOCAL_MACHINE = HKLM, HKEY_CURRENT_USER = HKCU.
Example of a registry check: the value where the domain name is stored.
config vpn ssl web host-check-software
edit TestRegistry
config check-item-list
edit 1
set type registry
set target "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters:Domain==company.local"
next
end
next
end
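As an added example (not Fortinet code), a small Python parser for this target format: it normalizes the doubled backslashes that show displays, expands the HKLM/HKCU abbreviations, and evaluates the check against a constructed stand-in for the client registry. The exact, case-insensitive comparison of the value data is an assumption.

```python
# Parser for the registry target format used by "set target" in
# vpn ssl web host-check-software (check type registry):
#     Key\Subkey\Subkey:ValueName==ValueData
HIVE_ABBREV = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def parse_registry_target(target):
    # "show" displays the stored path with doubled backslashes; normalise
    # them so the typed and the displayed form parse identically.
    target = target.replace("\\\\", "\\")
    path, sep, rest = target.partition(":")
    if not sep or not rest:
        raise ValueError("a value name after ':' is required")
    name, sep, data = rest.partition("==")
    hive, _, subkey = path.partition("\\")
    return {
        "hive": HIVE_ABBREV.get(hive.upper(), hive.upper()),
        "subkey": subkey,
        "value_name": name,
        "value_data": data if sep else None,  # None: existence check only
    }


# Constructed stand-in for the client registry: {(hive, subkey): {name: data}}.
# Unlike the real registry, key lookups here are case-sensitive.
FAKE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\services\Tcpip\Parameters"):
        {"Domain": "company.local", "Hostname": "pc01"},
}


def registry_check_passes(target, registry=FAKE_REGISTRY):
    """Assumed evaluation: key and value must exist; if ValueData is given,
    it must equal the stored data (compared case-insensitively)."""
    spec = parse_registry_target(target)
    values = registry.get((spec["hive"], spec["subkey"]))
    if values is None or spec["value_name"] not in values:
        return False
    if spec["value_data"] is None:
        return True
    return values[spec["value_name"]].lower() == spec["value_data"].lower()
```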
Applying the rule
Applying the check rule to a portal is done as follows.
config vpn ssl web portal
edit "VPN1"
set host-check custom
set host-check-policy "TestRegistry"
next
end
File check
If we want to check for the presence of a file, we enter the path (with single backslashes) and the file name. For a more precise specification, we can use the file version (I don't know how it's compared, but in the example below it's enough to enter 11 and it works, while 12 doesn't work), or check the MD5 hash of the file.
config vpn ssl web host-check-software
edit TestFile
config check-item-list
edit 1
set type file
set target "%programfiles%\internet explorer\iexplore.exe"
set version "11.0.17134.1"
set md5s "6465cb92b25a7bc1df8e01d8ac5e7596"
next
end
next
end
Application/process check
The last option is to check for a running application/process. We identify it by file name and can also restrict by version and MD5 hash.
config vpn ssl web host-check-software
edit TestProcess
config check-item-list
edit 1
set type process
set target "iexplore.exe"
next
end
next
end
Debug information
When we turn on SSL VPN debug, and we have support on the client side, the check result is logged in one line. The first value shows the check result for file, registry or process verification. If the check fails, it's 4 0000; if it passes, 4 0100. It's exactly the same as when checking AV and FW. I would expect the digit 4 to identify the type of check, but apparently not. Lines from the log:
[9314:FWINT:6e2]login_succeeded:523 redirect to hostcheck
[9314:FWINT:6e2]req: /remote/hostcheck_validate
[9314:FWINT:6e2]host check result:4 0000,10.0.17134,78:2b:cb:ac:2c:a3
[9314:FWINT:6e2]rmt_hcvalidate_cb_handler:404 hostcheck validation failed
How it is with those versions and licenses is described here
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48147
With FortiClient 7.0.7 it is not possible to connect to SSL VPN if host-check or os-check is active.
respond to [2]Bárt: Unfortunately, there are again more of those bugs :-(. For example, when SAML authentication in an external browser is used, it is usually triggered twice at once (2 tabs open).