shahary
New Contributor

Remote SSL VPN host check

Hi,

I am running a FortiGate 501E with remote SSL VPN (OS version 5.6.8). I wanted to know if someone has come across a problem with the host check configuration. I want to permit access to the LAN through SSL VPN only for computers with specific parameters, so I tried to configure os-check to allow only the win-10 OS, a registry check (for domain), and av-fw, but nothing works.

 

Some of the configuration:

set os-check enable

config os-check-list "windows-2000"
    set action deny
config os-check-list "windows-xp"
    set action deny
config os-check-list "windows-vista"
    set action deny
config os-check-list "windows-7"
    set action deny
config os-check-list "windows-8"
    set action deny
config os-check-list "windows-8.1"
    set action deny
config os-check-list "windows-10"

set host-check custom
set host-check-policy "corp.x.com" "WindowsFW-DomainProfile" "Trend-Micro-AV"

edit "corp.x.com"
    set type fw
    config check-item-list
        edit 1
            set type registry
            set target "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters:Domain==corp.x.com"
        next
    end

config vpn ssl web host-check-software
    edit "WindowsFW-DomainProfile"
        set type fw
        config check-item-list
            edit 1
                set type registry
                set target "Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall=1"
            next
        end

 

I even tried the command:

set skip-check-for-unsupported-os disable

 

 

 
4 REPLIES
emre8083
New Contributor

Hi, did you find a solution to this problem?

 

 

rojekj
New Contributor III

Same problem here. No matter what type of check I want to make, it does not work.

I tried on FortiOS 5.6.11 and FortiClient 5.6.0 and 6.0.8.

 

Is having FortiClient registered necessary? We are only using it as a VPN client, without license, without registration to FortiGate or EMS.

rojekj
New Contributor III

I finally figured out how to get this feature working. Simply... update to 6.0.6, as it doesn't work in 5.6.11 (and probably earlier 5.6 releases).

Who would have thought that this might be a firmware bug? Why am I so surprised?! :D

albionsan

My company uses a FortiGate 100D. After upgrading from FortiOS 5.4.5 to 5.6.11, we confirmed that SSL-VPN host-check did not work. When the version was upgraded from 5.6.11 to 6.0.8, it was confirmed that normal operation was resumed. Since the 5.6 series seems to have a problem with the host-check function, it is recommended to upgrade to the 6.0 series.
