*Constraints: (1) SSL VPN works only with FortiClient v5.2 (v5.4 and later cannot connect). (2) Endpoint Control is supported on v5.4 and later (including v5.6).*

Test results

[External access: SSL VPN - Host Check Software]

1-0. Environment: FortiClient v5.2.6.0664

1-1. Single check (tested with KakaoTalk.exe as the third-party check program)

```
config vpn ssl web host-check-software
    edit "KakaoTalk-2.5.6.1543"
        set type fw
        set version "2.5.6.1543"
        config check-item-list
            edit 1
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end
config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "KakaoTalk-2.5.6.1543"
    next
end
```

1-2. Combined check (both KakaoTalk.exe and V3Lite.exe must be running to pass - AND condition)

```
config vpn ssl web host-check-software
    edit "NICSTECH"
        set type fw
        config check-item-list
            edit 1
                set type process
                set target "V3Lite.exe"
                set version "3.0.1.181"
                set md5s "8712E59F299F740DD0B5931788DB94EB"
            next
            edit 2
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end
config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "NICSTECH"
    next
end
```

2-1. Test result (when the checked file is not running: KakaoTalk.exe)

2-1. Single test (when the checked file is running: KakaoTalk.exe)
[Internal access: endpoint-control profile]

1-0. Environment: FortiClient v5.4.3.0870 / v5.6.0.1075 + FortiGate 5.4.5

1-1. Configuration (tested with KakaoTalk.exe as the third-party check program)

```
config endpoint-control profile
    edit "default"
        config forticlient-winmac-settings
            config forticlient-running-app
                edit 1
                    set app-name "KakaoTalk-2.5.6.1543"
                    set process-name "KakaoTalk.exe"
                    set app-sha256-signature "D3B4DEB0CAB4DE483CA7769CFC5289DCBBF30502626E15DE4A32B50E9F3287F5"
                next
            end
            set forticlient-log-upload disable
            set forticlient-vuln-scan disable
        end
        config forticlient-android-settings
        end
        config forticlient-ios-settings
        end
    next
end
```

2. Test (behaviour depending on the compliance-action setting)

```
FortiGate-VM64 # config endpoint-control profile
FortiGate-VM64 (profile) # edit default
FortiGate-VM64 (default) # config forticlient-winmac-settings
FortiGate-VM64 (forticlient-winm~ngs) # set compliance-action
block          Block.
warning        Warning.
auto-update    Auto update.
```

2-1. With compliance-action = auto-update, the missing component is downloaded and updated automatically
2-2. With compliance-action = block or warning, a block pop-up appears and a log event is raised

(a) Non-compliant case (KakaoTalk.exe not running)

(b) Compliant case (after KakaoTalk.exe has been started)

3. Monitoring on the FortiGate

(1) FortiClient Monitor

(2) Device Inventory

(3) Endpoint Events Log
4-1. Note: if FortiClient is not installed, has been uninstalled, or an older version (5.2) is installed, an installation-prompt page pops up

Initial connection screen after installing FortiClient

4-2. Note: when the connection is dropped manually (Disconnect)

There is no internet access until the client reconnects and satisfies compliance

5. Other: MD5 and SHA256 checksums
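The checksums in this section are what go into `set md5s` (SSL VPN host check) and `set app-sha256-signature` (endpoint-control profile) in the configs above. As an added example that is not part of the original post, the following Python hashes the executables a client must be running and emits both CLI blocks; the entry names and hash format mirror the post, while the file path and the sample bytes are assumptions.

```python
"""Added example (not from the original post): hash the executables a client
must be running and emit the FortiOS CLI blocks used above. MD5 feeds
'set md5s' (SSL VPN host check), SHA-256 feeds 'set app-sha256-signature'
(endpoint-control profile). File paths are assumptions."""
import hashlib
from dataclasses import dataclass
from pathlib import Path


@dataclass
class CheckItem:
    target: str    # process name FortiClient looks for, e.g. "KakaoTalk.exe"
    version: str   # product version string, e.g. "2.5.6.1543"
    md5: str       # uppercase hex, the format the post's CLI shows
    sha256: str


def file_digests(data: bytes) -> tuple:
    """Return (MD5, SHA-256) of the bytes as uppercase hex strings."""
    return (hashlib.md5(data).hexdigest().upper(),
            hashlib.sha256(data).hexdigest().upper())


def check_item_from_file(path: Path, version: str) -> CheckItem:
    """Hash an executable on disk (path is hypothetical) into a CheckItem."""
    return CheckItem(path.name, version, *file_digests(path.read_bytes()))


def host_check_software_cli(name: str, items: list) -> str:
    """'config vpn ssl web host-check-software' entry; all items must match (AND)."""
    lines = ["config vpn ssl web host-check-software", f'    edit "{name}"',
             "        set type fw", "        config check-item-list"]
    for idx, it in enumerate(items, start=1):
        lines += [f"            edit {idx}", "                set type process",
                  f'                set target "{it.target}"',
                  f'                set version "{it.version}"',
                  f'                set md5s "{it.md5}"', "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def running_app_cli(it: CheckItem, idx: int = 1) -> str:
    """Matching 'forticlient-running-app' entry for the endpoint-control profile."""
    app_name = f"{Path(it.target).stem}-{it.version}"   # naming mirrors the post
    return "\n".join([f"edit {idx}", f'    set app-name "{app_name}"',
                      f'    set process-name "{it.target}"',
                      f'    set app-sha256-signature "{it.sha256}"', "next"])
```

Run `check_item_from_file(Path("C:/Program Files/.../KakaoTalk.exe"), "2.5.6.1543")` (hypothetical path) on the reference client and paste the returned blocks into the FortiGate CLI.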