Skip to main content

How to setup a Host-Check for Fortigate SSL VPN

This document outlines how to setup a host-check for a Fortigate SSL VPN (Web only):

config vpn ssl web portal
edit "portalname"
set web-mode enable
set host-check custom
set host-check-policy "Microsoft-Windows-Firewall"
set os-check-enable
set ip-pools "PoolName"
set split-tunneling disable
set page-layout double-column
set theme orange
config os-check-list "windows-7"
set action check-up-to-date
set latest-patch-level 1
end 

config vpn ssl web host-check-software
edit "Microsoft-Windows-Firewall"
config check-item-list
edit 1
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
set type registry
next
edit 2
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
set type registry
next
edit 3
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
set type registry
next
end
set type fw
next

With the above commands, it'll basically create a custom web portal that only allows Web Access and allows Windows 7 to connect as long as it is up to date with the latest patch level as least 1 away from current. In addition to that, it applies a host check based on all three Firewalls needing to be enabled as defined by the Registry keys. This can also be used to check other keys if needed.
Labels:

Comments

  1. bretton atkinMay 13, 2019 at 2:55 AM


    I would say That a Fortinet NSE4-FortiOS 6.0 Certification is highly respected With Both IT & non-IT communities where strong project management skills are required. I would suggest getting your NSE4-FortiOS 6.0 Certification. You can prepare yourself for the NSE4_FGT-6.0 questions to get Fortinet NSE4-FortiOS 6.0 credentials.

    ReplyDelete
  2. Fayaz Ahmed 234December 10, 2019 at 1:31 PM

    domchimp.com/tools/ssl-checker

    ReplyDelete
  3. nikhilApril 16, 2020 at 4:53 PM

    thanks for the blog CISCO Meraki Switches Firewall

    ReplyDelete

Post a Comment

Popular posts from this blog

Implementing 802.1X - Windows 2012R2 + Cisco 4500 Switches

Implementing 802.1X Using Windows Server 2012R2 & Cisco 4500 Series Switches Overview: This document is to outline how the configuration between Windows Server 2012 R2’s NPS Services and Cisco 4500 Series switches has been implemented. High Level Diagram:   Requirements: Windows Server 2012 R2 with NPS Server installed Windows Server 2012 R2 with CA Services Windows AD Environment Cisco 4500 Series Switches Windows 7-10 Clients to connect NPS Configuration: 1. This assumes the above requirement that the NPS Service has already been installed on Windows Server 2012 R2 2. Disable all existing Policies under Connection Request Policies and Network Policies as you will be making your own, except one that states “Catch All” with the below parameters: 3. You will then need to add in a new Radius Client to have Policies built around. Friendly Name will be used going forward for the Policies for referencing the document. 4. Once completed, re
Post a Comment
Read more

Fortigate to USG B2B

Building Site-to-Site B2B from Unifi USG to Fortigate (500D or other models) Fortigate Configuration 1. Build a New VPN Tunnel using Custom VPN Tunnel (No Template) 2. Under Network, point to the Public Side IP of the USG (Public IP, not WAN interface) 3. Leave everything else default (NAT-T Enabled, DPD Disabled..ect) 4. Authentication, use PSK and IKEv1 with Main 5. Phase 1 Purposal, set algorithms to AES128 and SHA1, with DH 14. 6. Phase 2 Purposal, set Local Address and Remote address to 0.0.0.0/0.0.0.0 and 0.0.0.0/0.0.0.0 respectively. 7. Set Encryption to AES128/Sha1, Replay Detection and PFS enabled, along with DH14. Enable Autokey Keep Alive, and Auto-Negotiate, and save changes. 8. Build a Static Route pointing to the Far-End Destination/Segment you want to reach. 9. Build a Policy Stating which Segments can hit the Far-End Destination/B2B USG Configuration 1. This is assuming that USG is already registered to the Unifi Controller. 2. Go t
Post a Comment
Read more