
Fortigate SSLVPN Host Check

by 쫑콩아빠, 2018. 5. 8.

Constraints
(1) SSL VPN host check: only FortiClient v5.2 works (v5.4 and later cannot connect).
(2) Endpoint Control: supported on v5.4 and later (including v5.6).

Test results

[External access: SSL VPN - Host Check Software]

1-0. Environment: FortiClient v5.2.6.0664

1-1. Single check (tested with KakaoTalk.exe as the third-party check program)

config vpn ssl web host-check-software
    edit "KakaoTalk-2.5.6.1543"
        set type fw
        set version "2.5.6.1543"
        config check-item-list
            edit 1
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end

config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "KakaoTalk-2.5.6.1543"
    next
end

1-2. Combined check (both KakaoTalk.exe and V3Lite.exe must be running to pass - AND condition)

config vpn ssl web host-check-software
    edit "NICSTECH"
        set type fw
        config check-item-list
            edit 1
                set type process
                set target "V3Lite.exe"
                set version "3.0.1.181"
                set md5s "8712E59F299F740DD0B5931788DB94EB"
            next
            edit 2
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end

config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "NICSTECH"
    next
end

2-1. Test result (when the checked file is not running: KakaoTalk.exe)

2-2. Single test (when the checked file is running: KakaoTalk.exe)

[Internal access: endpoint-control profile]

1-0. Environment: FortiClient v5.4.3.0870 / v5.6.0.1075 + FortiGate 5.4.5

1-1. Configuration (tested with KakaoTalk.exe as the third-party check program)

config endpoint-control profile
    edit "default"
        config forticlient-winmac-settings
            config forticlient-running-app
                edit 1
                    set app-name "KakaoTalk-2.5.6.1543"
                    set process-name "KakaoTalk.exe"
                    set app-sha256-signature "D3B4DEB0CAB4DE483CA7769CFC5289DCBBF30502626E15DE4A32B50E9F3287F5"
                next
            end
            set forticlient-log-upload disable
            set forticlient-vuln-scan disable
        end
        config forticlient-android-settings
        end
        config forticlient-ios-settings
        end
    next
end

2. Test (behaviour depending on the compliance-action setting)

FortiGate-VM64 # config endpoint-control profile
FortiGate-VM64 (profile) # edit default
FortiGate-VM64 (default) # config forticlient-winmac-settings
FortiGate-VM64 (forticlient-winm~ngs) # set compliance-action
block          Block.
warning        Warning.
auto-update    Auto update.

2-1. When compliance-action=auto-update, the required component is downloaded and updated automatically.

2-2. When compliance-action=block or warning, a block pop-up is shown and a log notification is generated.

(a) Not compliant (KakaoTalk.exe not running)

(b) Compliant (after KakaoTalk.exe has been started)

3. Monitoring on the FortiGate

(1) FortiClient Monitor

(2) Device Inventory

(3) Endpoint Events Log

4-1. Caution: if FortiClient is not installed, has been uninstalled, or an older version (5.2) is installed, an installation-prompt page pops up.

Initial connection screen after installing FortiClient

4-2. Caution: when the connection is dropped manually (Disconnect)

Until the client reconnects and satisfies compliance, there is no Internet access.

5. Miscellaneous: MD5 and SHA256 checksums
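The host-check-software entries above key on the MD5 of the process binary (md5s), while the FortiClient 5.4+ endpoint-control profile keys on SHA-256 (app-sha256-signature). The following helper, added here as an example and not code from the original post or from Fortinet, computes both digests in the uppercase hex form the page uses and renders the corresponding CLI blocks so the values are not copied by hand. The policy name "EXAMPLE-POLICY" and the sample bytes are constructed placeholders; on a real host you would read the executable with open(path, "rb") instead.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Constructed sample "executable" contents standing in for a real binary
# such as KakaoTalk.exe; in practice read the file with open(path, "rb").
SAMPLE_EXE_BYTES = b"MZ\x90\x00constructed-sample-binary"


def checksums(data: bytes) -> dict:
    """Return MD5 and SHA-256 digests as uppercase hex, the form used for
    md5s (SSL VPN host check) and app-sha256-signature (endpoint control)."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


@dataclass
class CheckItem:
    target: str   # process name, e.g. "KakaoTalk.exe"
    version: str  # file version string
    md5: str      # uppercase MD5 of the executable


def render_host_check(policy_name: str, items: Iterable[CheckItem]) -> str:
    """Emit a 'config vpn ssl web host-check-software' block in the same
    layout as the post's examples. Each item becomes one check-item-list
    entry; as the 1-2 test shows, every entry must pass (AND condition)."""
    lines = [
        "config vpn ssl web host-check-software",
        f'    edit "{policy_name}"',
        "        set type fw",
        "        config check-item-list",
    ]
    for idx, item in enumerate(items, start=1):
        lines += [
            f"            edit {idx}",
            "                set type process",
            f'                set target "{item.target}"',
            f'                set version "{item.version}"',
            f'                set md5s "{item.md5}"',
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def render_running_app(entry_id: int, app_name: str,
                       process_name: str, sha256: str) -> str:
    """Emit one forticlient-running-app entry for the endpoint-control
    profile (FortiClient 5.4+), which uses SHA-256 instead of MD5."""
    return "\n".join([
        f"                edit {entry_id}",
        f'                    set app-name "{app_name}"',
        f'                    set process-name "{process_name}"',
        f'                    set app-sha256-signature "{sha256}"',
        "                next",
    ])


if __name__ == "__main__":
    sums = checksums(SAMPLE_EXE_BYTES)
    items = [CheckItem("KakaoTalk.exe", "2.5.6.1543", sums["md5"])]
    print(render_host_check("EXAMPLE-POLICY", items))
    print(render_running_app(1, "KakaoTalk-2.5.6.1543", "KakaoTalk.exe", sums["sha256"]))
```

Because the digest changes with every release of the checked program, a policy pinned to one hash stops matching as soon as clients update; naming the policy after the version, as the post does with "KakaoTalk-2.5.6.1543", makes it obvious which build the hash belongs to and which entry has to be regenerated.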
