nithincs
Staff
Article Id 189806
Description
This article describes how to periodically re-evaluate the host check policy while an SSL VPN session is connected.

Solution
For security reasons, configure a host check policy in the SSL VPN web portal so that only clients that pass the check are allowed to connect.
The same host check policy can be re-evaluated throughout the SSL VPN connection using the 'host-check-interval' option; if the host check policy fails, FortiGate terminates the SSL VPN connection.

For example:

FortiGate allows the SSL VPN connection only from a client PC on which the cmd.exe process is running.
Set 'host-check-interval' so that FortiGate periodically verifies that 'cmd.exe' is still running on the client PC.
If the user closes 'cmd.exe', the VPN is also disconnected.
# config vpn ssl web host-check-software
(host-check-software) # edit check_process
(check_process) # config check-item-list
(check-item-list) # edit 1
(1) # set type process
(1) # set target cmd.exe
(1) # end
(check_process) # end

# config vpn ssl web portal
(portal) # edit full-access
(full-access) # set host-check custom
(full-access) # set host-check-policy check_process
(full-access) # set host-check-interval 120     <----- Value can be set from 120 to 259200 seconds.
(full-access) # end

In the SSL VPN debug output, the host check result is visible when the SSL VPN connects:
[3144:root:4]req: /remote/hostcheck_validate
[3144:root:4]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:4]User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) [SV{v=01.01;}]
[3144:root:4]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:4]host check result:4 0100,6.1.1,xx:xx:xx:xx:xx:xx|xx:xx:xx:xx:xx:xx
Every 120 seconds, a periodic host check is triggered and FortiGate receives the host check information from FortiClient:
[3144:root:6]req: /remote/hostcheck_periodic?hostcheck=010
[3144:root:6]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:6]host check result:4 0100,6.1.1,xx:xx:xx:xx:xx:xx|xx:xx:xx:xx:xx:xx|xx:xx:xx:xx:xx:xx
If the process is killed on the client PC, the next periodic host check fails and the session is removed:
[3144:root:9]req: /remote/hostcheck_periodic?hostcheck=000
[3144:root:9]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:9]host check result:4 0000,6.1.1,xx:xx:xx:xx:xx:xx|xx:xx:xx:xx:xx:xx|xx:xx:xx:xx:xx:xx
[3144:root:9]User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) [SV{v=01.01;}]
[3144:root:9]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:9]periodic host checked failed
[3144:root:9]session removed s: 0x7f1584487000 (root)
[3144:root:9]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],authserver=[],portal=[full-access],host=[10.5.22.116],realm=[],idx=0,auth=1,sid=4623da2c,login=1590166655,access=1590166655,saml_logout_url=no
[3144:root:0]sslvpn_internal_remove_one_web_session:2807 web session (root:sslvpn1::10.5.22.116:0 1) removed for Client did something to cause the failure
[3144:root:5]rmt_check_conn_session:2088 delete connection 0x7f1584488900 w/ web session 0
[3144:root:5]Destroy sconn 0x7f1584488900, connSize=1. (root)
[3144:root:5]sslvpn_release_apsession:1628 free app session, idx[0]
[3144:root:5]tunnelStateCleanup:764 0x7f1584488900::0x7f1584704000
[3144:root:0]ipcp: down ppp:0x7f158474f000 caller:0x7f1584488900 tun:39
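To make the debug output actionable, here is an added Python example (not from the article or from Fortinet) that parses lines shaped like the ones above, correlates them by the request id in the [pid:vdom:N] prefix, and reports sessions that FortiGate tore down after a failed periodic host check. The sample log is constructed and abbreviated; the field layout is assumed from the article's lines.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample of FortiGate SSL VPN debug output (not a real
# capture): a validate request on login, one passing periodic check, then a failing one.
SAMPLE_LOG = """\
[3144:root:4]req: /remote/hostcheck_validate
[3144:root:4]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],portal=[full-access],host=[10.5.22.116],sid=4623da2c
[3144:root:4]host check result:4 0100,6.1.1,xx:xx:xx:xx:xx:xx
[3144:root:6]req: /remote/hostcheck_periodic?hostcheck=010
[3144:root:6]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],portal=[full-access],host=[10.5.22.116],sid=4623da2c
[3144:root:6]host check result:4 0100,6.1.1,xx:xx:xx:xx:xx:xx
[3144:root:9]req: /remote/hostcheck_periodic?hostcheck=000
[3144:root:9]deconstruct_session_id:399 decode session id ok, user=[sslvpn1],group=[],portal=[full-access],host=[10.5.22.116],sid=4623da2c
[3144:root:9]host check result:4 0000,6.1.1,xx:xx:xx:xx:xx:xx
[3144:root:9]periodic host checked failed
[3144:root:9]session removed s: 0x7f1584487000 (root)
"""

# Every debug line starts with [pid:vdom:N]; N ties together the lines of one request.
PREFIX = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>\w+):(?P<req>\d+)\](?P<msg>.*)$")
REQ = re.compile(r"^req: /remote/hostcheck_(?P<kind>validate|periodic)(?:\?hostcheck=(?P<bits>\d+))?")
SESSION = re.compile(r"user=\[(?P<user>[^\]]*)\].*?host=\[(?P<host>[^\]]*)\].*?sid=(?P<sid>\w+)")
RESULT = re.compile(r"^host check result:\d+ (?P<bits>\d+),")

def parse_hostcheck_requests(log):
    """Group debug lines by request id and return one record per host check request."""
    reqs = defaultdict(dict)
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        rec, msg = reqs[m["req"]], m["msg"]
        if r := REQ.match(msg):
            rec.update(kind=r["kind"], client_bits=r["bits"])   # bits reported by FortiClient
        elif s := SESSION.search(msg):
            rec.update(user=s["user"], host=s["host"], sid=s["sid"])
        elif r := RESULT.match(msg):
            rec["result_bits"] = r["bits"]                      # per-item result evaluated by FortiGate
        elif msg.startswith("periodic host checked failed"):
            rec["failed"] = True
        elif msg.startswith("session removed"):
            rec["session_removed"] = True
    return [rec for rec in reqs.values() if "kind" in rec]

def terminated_sessions(log):
    """Sessions FortiGate tore down because a periodic host check failed."""
    return [(r["user"], r["host"], r["sid"]) for r in parse_hostcheck_requests(log)
            if r.get("kind") == "periodic" and r.get("failed") and r.get("session_removed")]
```

Feeding a real 'diagnose debug application sslvpn' capture through terminated_sessions() gives a per-user list of posture-triggered disconnects that can be forwarded to a SIEM.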
