FortiClient

Opciones de Host Check sobre VPN-SSL modo túnel

Al establecer conexiones VPN-SSL utilizando Forticlient en modo túnel es posible chequear ciertos parámetros en el host cliente, muchos de ellos configurables dentro del portal creado para la VPN-SSL:

FWACCESOLABO # config vpn ssl web portal
FWACCESOLABO (portal) #
FWACCESOLABO (portal) # edit full-access
FWACCESOLABO (full-access) # set host-check
none No host checking.
av AntiVirus software recognized by the Windows Security Center.
fw Firewall software recognized by the Windows Security Center.
av-fw AntiVirus and firewall software recognized by the Windows Security Center.
custom Custom.FWACCESOLABO (full-access) # set host-check-interval
host-check-interval Enter an integer value from <120> to <259200>.

Podemos controlar la presencia de antivirus y/o cortafuegos de escritorio habilitados o utilizar predefinidos de forma explícita:

FWACCESOLABO (full-access) # set host-check-policy
name Host check software list name.
AVG-Internet-Security-AV host-check-software
AVG-Internet-Security-AV-Vista-Win7 host-check-software
AVG-Internet-Security-FW host-check-software
AVG-Internet-Security-FW-Vista-Win7 host-check-software
CA-Anti-Virus host-check-software
CA-Internet-Security-AV host-check-software
CA-Internet-Security-AV-Vista-Win7 host-check-software
CA-Internet-Security-FW host-check-software
CA-Internet-Security-FW-Vista-Win7 host-check-software
CA-Personal-Firewall host-check-software
ESET-Smart-Security-AV host-check-software
ESET-Smart-Security-FW host-check-software
F-Secure-Internet-Security-AV host-check-software
F-Secure-Internet-Security-AV-Vista-Win7 host-check-software
F-Secure-Internet-Security-FW host-check-software
F-Secure-Internet-Security-FW-Vista-Win7 host-check-software
FortiClient-AV host-check-software
FortiClient-AV-Vista host-check-software
FortiClient-AV-Vista-Win7 host-check-software
FortiClient-AV-Win7 host-check-software
FortiClient-FW host-check-software
FortiClient-FW-Vista host-check-software
Kaspersky-AV host-check-software
Kaspersky-AV-Vista-Win7 host-check-software
Kaspersky-FW host-check-software
Kaspersky-FW-Vista-Win7 host-check-software
McAfee-Internet-Security-Suite-AV host-check-software
McAfee-Internet-Security-Suite-AV-Vista-Win7 host-check-software
McAfee-Internet-Security-Suite-FW host-check-software
McAfee-Internet-Security-Suite-FW-Vista-Win7 host-check-software
McAfee-Virus-Scan-Enterprise host-check-software
Norton-360-2.0-AV host-check-software
Norton-360-2.0-FW host-check-software
Norton-360-3.0-AV host-check-software
Norton-360-3.0-FW host-check-software
Norton-Internet-Security-AV host-check-software
Norton-Internet-Security-AV-Vista-Win7 host-check-software
Norton-Internet-Security-FW host-check-software
Norton-Internet-Security-FW-Vista-Win7 host-check-software
Panda-Antivirus+Firewall-2008-AV host-check-software
Panda-Antivirus+Firewall-2008-FW host-check-software
Panda-Internet-Security-2006~2007-FW host-check-software
Panda-Internet-Security-2008~2009-FW host-check-software
Panda-Internet-Security-AV host-check-software
Sophos-Anti-Virus host-check-software
Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7 host-check-software
Sophos-Enpoint-Secuirty-and-Control-FW host-check-software
Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7 host-checksoftware
Symantec-Endpoint-Protection-AV host-check-software
Symantec-Endpoint-Protection-AV-Vista-Win7 host-check-software
Symantec-Endpoint-Protection-FW host-check-software
Symantec-Endpoint-Protection-FW-Vista-Win7 host-check-software
Trend-Micro-AV host-check-software
Trend-Micro-AV-Vista-Win7 host-check-software
Trend-Micro-FW host-check-software
Trend-Micro-FW-Vista-Win7 host-check-software
ZoneAlarm-AV host-check-software
ZoneAlarm-AV-Vista-Win7 host-check-software
ZoneAlarm-FW host-check-software
ZoneAlarm-FW-Vista-Win7 host-check-software

Así como crear nuestros chequeos propios sobre determinados ss.oo (win/mac):

FWACCESOLABO # config vpn ssl web host-check-software

FWACCESOLABO (host-check-software) # edit misoftware
new entry ‘misoftware’ addedFWACCESOLABO (misoftware) # show
config vpn ssl web host-check-software
edit “misoftware”
next
end

FWACCESOLABO (misoftware) # get
name : misoftware
os-type : windows
type : av
version :
guid : “00000000-0000-0000-0000-000000000000”
check-item-list:

FWACCESOLABO (misoftware) # set os-type
windows Microsoft Windows operating system.
macos Apple MacOS operating system.

FWACCESOLABO (misoftware) # set type
av AntiVirus.
fw Firewall.
Por ejemplo, tenemos la posibilidad de chequear que nuestras propias aplicaciones estén corriendo (no tienen porque ser de seguridad). Para ellos nos basamos en el GUID que da el Windows para identificar estas aplicaciones en el registro o bien ver procesos corriendo, ficheros o chequear entradas del registro:FWACCESOLABO (misoftware) # config check-item-list

FWACCESOLABO (check-item-list) # edit 1
new entry ‘1’ added
FWACCESOLABO (1) # set target “cmd.exe”
FWACCESOLABO (1) # set type
file File.
registry Registry.
process Process.

FWACCESOLABO (1) # set type process
Tenemos también la posibilidad de hacer un controles de acceso a la VPN-SSL basados en el SS.OO y su nivel de parcheo:

FWACCESOLABO # config vpn ssl web portal
FWACCESOLABO (portal) # edit full-access
FWACCESOLABO (full-access) # set os-check enable

FWACCESOLABO (full-access) # config os-check-list
name Name.
macos-high-sierra-10.13
macos-sierra-10.12
os-x-el-capitan-10.11
os-x-mavericks-10.9
os-x-yosemite-10.10
windows-7
windows-8
windows-8.1
windows-10
windows-2000
windows-vista
windows-xpFWACCESOLABO (full-access) # config os-check-list macos-high-sierra-10.13

FWACCESOLABO (macos-high-sierr~.13) # set action
deny Deny all OS versions.
allow Allow any OS version.
check-up-to-date Verify OS is up-to-date.

FWACCESOLABO (macos-high-sierr~.13) # set action check-up-to-date

FWACCESOLABO (macos-high-sierr~.13) # get
name : macos-high-sierra-10.13
action : check-up-to-date
tolerance : 0
latest-patch-level : 1

Tags

Contenidos relacionados

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *