I work as a penetration tester in a company that is related to software development (most employees are software developers). Currently our InfoSec team is rolling out the FortiClient VPN solution instead of the company-supported VPN infrastructure.
As a pentester, I'm concerned that FortiClient VPN will prevent me from doing my job. I'm a good guy, but my network traffic will scare any smart firewall. I don't see any guidance on the Internet; maybe you guys can help me. For developers there will be no problems from this perspective, but for security engineers… Our pentesting activities can be network pentests (e.g. nmap scanning) and web application pentests. The current FortiClient license allows us to use the web filter, but not the firewall (at least for now, so I guess it will also be available later).
Does FortiClient VPN actively monitor the traffic? Can it ruin my pentesting activities? Can it block/sanitize/cut any traffic based on my pentesting payloads spotted in requests or responses? Is it possible to understand the cause of the blocked traffic? For instance, will FortiClient VPN tell me that it blocked my request/response because of this-and-that instead of silently blocking it (acting like the actual server to respond)?
Is it possible to configure FortiClient to have exceptions for certain groups of engineers, so pentesters can do whatever they need without traffic inspection? Is it flexible enough?
FortiClient is a client; of course the client is not going to reveal anything more than protocol-related errors, like connection refused.
And no, FortiClient can't do exceptions; the exceptions are in the firewall.
I am amazed to read such a comment from someone who works in a company as a pentester, a specialized job that needs deep knowledge of networks and systems.
If it's truly FortiClient VPN and not the Fabric Agent, it's just going to broker VPN connections. It can't block.
There’s a paid version that comes with EMS that does more, but you’ll need to work with your OT/Infosec team to understand what may or may not be there.
Thanks, I wrote them an email. I just want to understand whether they are even capable of configuring policies, or it's not possible with FortiClient, or there are subscription limitations, etc. Or maybe there is nothing to worry about and pentests won't be affected.
There's nothing to be amazed about. I have zero knowledge about FortiClient and what is inside, so I decided to ask more experienced people here. It's not like I'm bad at networking.
Yeah, the VPN-only client is just for VPN, but in the firewall you can adjust the firewall policy to permit or deny certain permissions. The paid version, "ZTNA", is more granular with tags and so on. So yeah, the firewall can block you depending on your activity and the security profiles configured in the policy, like IPS, WAF, protocols, etc.
Unless they do a split tunnel and only push some routes. They could also have policies set so that people who do pentesting don't get hit with the IPS/IDS rules.
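A FortiOS firewall-policy sketch of the exemption this reply describes, added here as an illustration (not from any poster, the thread, or Fortinet documentation): a policy for the VPN tunnel interface that matches a pentester user group and leaves UTM inspection off while still logging, placed above the general VPN policy that carries the IPS sensor. The interface names "ssl.root" and "port1", the group names "pentesters" and "vpn-users", and the profile names are assumptions; option names follow FortiOS CLI conventions as I know them and should be checked against the firmware's CLI reference, and the `#` lines are explanatory notes rather than CLI input.

```fortios
# Added illustration, not from the thread or Fortinet docs. Assumed names:
# "ssl.root" = SSL-VPN tunnel interface, "port1" = internal interface,
# "pentesters" / "vpn-users" = user groups defined on the FortiGate.
config firewall policy
    # Evaluated first (policies match top-down): pentester sessions pass
    # without IPS/WAF/web-filter inspection but every session is still logged,
    # so the exemption itself remains auditable.
    edit 10
        set name "vpn-pentest-exempt"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "pentesters"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status disable
        set logtraffic all
    next
    # Everyone else on the VPN gets the security profiles, i.e. the IPS
    # sensor that would otherwise block scanner and payload traffic.
    edit 11
        set name "vpn-general"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic utm
    next
end
```

If the exempt policy is created after the general one, move it above with `config firewall policy` / `move 10 before 11`, otherwise the general policy matches pentesters first and the exemption never applies.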
Yeah. I'd suspect if they're hooking you into EMS for managing the endpoints with FortiClient, they'll build out specific deployments on EMS based on who should be handled with kid gloves vs. those that might not require such stringent oversight/filtering. Our network admin profiles are wildly different from our non-tech profiles in terms of what kind and how much firewalling/web filtering we might do, as network admins are legitimately going to use tools that hit those policies.
As others have said, checking with the team who's setting this up is the way to go. This isn't a one-size-fits-all answer.