This document outlines how to set up a host check for a FortiGate SSL VPN portal (web mode only):
config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        set type fw
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
    next
end

config vpn ssl web portal
    edit "portalname"
        set web-mode enable
        set host-check custom
        set host-check-policy "Microsoft-Windows-Firewall"
        set os-check enable
        set ip-pools "PoolName"
        set split-tunneling disable
        set page-layout double-column
        set theme orange
        config os-check-list "windows-7"
            set action check-up-to-date
            set latest-patch-level 1
        end
    next
end
The commands above create a custom web portal that allows web access only and lets Windows 7 clients connect as long as they are up to date, with a patch level at least 1 away from current. In addition, the portal applies a host check that requires all three Windows Firewall profiles (standard, public and domain) to be enabled, as defined by the registry keys. The same mechanism can be used to check other registry keys if needed.
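To see which of the three check items a given client would fail, the following Python script (an added example, not FortiGate or Fortinet code) parses the check-item target strings above into hive, key path, value name and expected value, and evaluates them against a dictionary standing in for the Windows registry. The target grammar `<hive>\<key path>:<value name>==<expected>` is inferred from the three targets on this page, and the registry snapshot is constructed sample data describing a client whose public-profile firewall is disabled.

```python
import re
from dataclasses import dataclass

# Check-item targets exactly as they appear in the portal configuration above.
# (Python's "\\" escapes yield the single backslashes the CLI string denotes.)
CHECK_ITEMS = [
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1",
]

# Assumed target grammar (inferred from the targets above, not from Fortinet docs):
#   <hive>\<key path>:<value name>==<expected value>
TARGET_RE = re.compile(r"^(?P<hive>[A-Z_]+)\\(?P<path>[^:]+):(?P<name>[^=]+)==(?P<expected>.+)$")


@dataclass(frozen=True)
class RegistryCheck:
    hive: str
    path: str
    name: str
    expected: str


def parse_target(target: str) -> RegistryCheck:
    """Split one check-item target into hive, key path, value name and expected value."""
    m = TARGET_RE.match(target)
    if m is None:
        raise ValueError(f"unrecognised check-item target: {target!r}")
    return RegistryCheck(m["hive"], m["path"], m["name"], m["expected"])


def evaluate_check(check: RegistryCheck, registry: dict) -> bool:
    """True only if the key and value exist and the value matches.

    A missing key or value fails closed, as a host check that cannot read
    the key should.
    """
    values = registry.get((check.hive, check.path))
    if values is None or check.name not in values:
        return False
    return str(values[check.name]) == check.expected


def evaluate_policy(targets, registry) -> dict:
    """Map each target string to its individual pass/fail result."""
    return {t: evaluate_check(parse_target(t), registry) for t in targets}


def host_check_passes(targets, registry) -> bool:
    """All check items must pass, as with the three-profile firewall policy above."""
    return all(evaluate_policy(targets, registry).values())


# Constructed registry snapshot: keyed by (hive, key path), values by name.
FW = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
SAMPLE_REGISTRY = {
    ("HKLM", FW + "StandardProfile"): {"EnableFirewall": 1},
    ("HKLM", FW + "PublicProfile"): {"EnableFirewall": 0},   # public profile firewall off
    ("HKLM", FW + "DomainProfile"): {"EnableFirewall": 1},
}

if __name__ == "__main__":
    for target, ok in evaluate_policy(CHECK_ITEMS, SAMPLE_REGISTRY).items():
        profile = target.rsplit("\\", 1)[1].split(":")[0]
        print(f"{profile:16} {'PASS' if ok else 'FAIL'}")
    overall = host_check_passes(CHECK_ITEMS, SAMPLE_REGISTRY)
    print("host check:", "PASS" if overall else "FAIL")
```

Run against the sample snapshot, the standard and domain profiles pass, the public profile fails, and the overall host check therefore fails; turning `EnableFirewall` to 1 on the public profile makes the policy pass. The same parser can be pointed at values exported from a real client to confirm it meets the portal's policy before a user reports being denied.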