Can my employer see my history if using the VPN on my personal machine?
I did switch user and log into another account but don’t think that will help.
I know we use Forticlient.
It completely depends on how the service is configured. Maybe yes, maybe no, but for sure you’ll have to ask them to find out.
General rule is don’t access sites and files for personal reasons while on the company VPN (and really, personal machines shouldn’t access the corporate VPN but we all know some employers don’t care to invest properly in IT security).
This is not solely an issue for the Fortigate.
I have had the miserable experience of catching network users with their pants around their ankles (literally, in one case).
I have discovered that my usage reporting engine does not distinguish VPN users vs users directly on the network. And so I have had the pleasure of telling teleworkers to disable their VPNs when surfing to porn sites.
I think a lot of responses are missing the part about “internet history” and switching users. The fortigate can only log web traffic that crosses the device. This would be the case for being on the local company wifi or a full tunnel VPN setup. If you browse to an inappropriate site, it’s safe to assume they know. Here is an easy way to check full tunnel vs split tunnel. If you have your laptop on the VPN and your phone on wifi, go to ipchicken.com on both your phone and laptop. Your laptop must have the VPN up. If the IP address that the website gives you is the same, the VPN is in split tunnel mode. If the IP address is different, the VPN is in full tunnel mode. For split tunnel, it’s safe to assume they can only see your connections to inside the company. Other things of note with the forticlient: it can scan local system files and reports local username and computer hostname. If you have programs that get flagged by AV like utorrent, uninstall them. If your username or hostname are inappropriate, change them.
Pro tip: never connect any personal computer to a work domain or allow the IT staff to install any “support” software. All of my info above was exclusively what the fortigate does. I worked as an IT consultant for a while. The screensharing software we used basically spied on the users 24/7. We found multiple people browsing porn from work computers. The worst thing I ever got asked to do was join a guy’s personal laptop to the domain. The company wanted me to call him to remote in, join it to the domain, and lock him out of the laptop. They also wanted me to fire him as well during the call, but my company pushed back. I refused, but another tech called him and did it. The company fired him and made him send them his personal laptop, that he paid for. The true takeaway is once you allow a company to install their software / join it to their systems, the device is theirs and not yours. I’m quite confident most of what went down wouldn’t hold up in court. You don’t want to be in the position of suing your former employer for your personal belongings while looking for a job.
Depending on how they have the logging configured on the fortigate, yes, they will be able to see all DNS entries and all services you are connecting to while logged into the VPN.
Yes. Depending upon how they have things implemented.
So, the answer might be that their tech is not currently set up to do so. Or they might not be set up to easily do so. But changes to make that happen are outside of your control.
If you’re using corporate assets, then assume that everything you do there is visible in some form or another. Your corporation’s logon banner should say something to that effect already.
Depends on the config. If they are doing cert replacement then yes, but you can easily detect this by checking if the cert’s issuer changes for the same site off and on VPN.
If the cert’s not changing then they can only get basic info but not the raw content/calls.
Now that our users are remote working, we can see all activity on their remote work machine - as long as the VPN is up it’s running through the corporate firewall.
Can we pin this question to the top of the sub? It comes up a lot.
If you check your DNS settings before and after connecting (ipconfig or ipconfig /all) you can see what DNS server you are using. If it changes then you are using work’s DNS; they may or may not look at those logs. Next, depending on what’s licensed on the fortigate and whether the fortigate is logging to a collector or not, they potentially have detailed logs about what you are connecting to/doing when on the VPN.
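Pulling together the split-tunnel check (compare public IPs with the VPN down vs up), the cert-issuer comparison and the DNS/logging post above, here is an added Python self-check that is not from any commenter in the thread; it assumes api.ipify.org as a JSON stand-in for ipchicken.com and example.com as “the same site”, and the sample issuers in it are constructed, not real captures.

```python
"""Added self-check (not from the thread): run it once with the VPN down and once
with it up, then compare.  Same public IP -> split tunnel; changed -> full tunnel.
Changed TLS issuer -> certificate replacement, i.e. an inspection proxy that can
see page content.  Network calls live in main(); comparisons are pure functions."""
import json
import socket
import ssl
import urllib.request

# Constructed sample issuers in ssl.getpeercert() RDN format (not real captures).
SAMPLE_ISSUER_PUBLIC = ((("countryName", "US"),),
                        (("organizationName", "Let's Encrypt"),),
                        (("commonName", "R3"),))
SAMPLE_ISSUER_PROXY = ((("organizationName", "EXAMPLE-CORP"),),
                       (("commonName", "Corporate SSL Inspection CA (placeholder)"),))

def issuer_to_dict(issuer):
    """Flatten the tuple-of-RDNs 'issuer' field into {attribute: value}."""
    return {name: value for rdn in issuer for name, value in rdn}

def tunnel_mode(ip_off_vpn, ip_on_vpn):
    """Same public IP with the VPN up means internet traffic bypasses the tunnel."""
    return "split" if ip_off_vpn == ip_on_vpn else "full"

def tls_inspected(issuer_off_vpn, issuer_on_vpn):
    """A different issuer on-VPN means the firewall is re-signing certificates."""
    return issuer_to_dict(issuer_off_vpn) != issuer_to_dict(issuer_on_vpn)

def public_ip():
    """Fetch the public IP from ipify (JSON equivalent of ipchicken.com)."""
    with urllib.request.urlopen("https://api.ipify.org?format=json", timeout=10) as r:
        return json.load(r)["ip"]

def cert_issuer(host, port=443):
    """Return the issuer RDNs of the certificate presented for host.
    Raises ssl.SSLCertVerificationError when the chain is untrusted; failing
    only while on the VPN is itself a sign of an interception CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]

if __name__ == "__main__":
    print("public IP:", public_ip())
    print("issuer for example.com:", issuer_to_dict(cert_issuer("example.com")))
```

Record the two outputs off-VPN, reconnect, run again, and feed the pairs to tunnel_mode() and tls_inspected().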
A corporate device could benefit from the security by configuring a full VPN tunnel to push all the traffic through the tunnel. You could configure a separate VPN portal for “BYOD” devices configured as a split tunnel and use policy based routing for private subnets. Less traffic pushing through your network, and privacy for users.
Are you asking if they can look at your browser history of past sites that you visited even when not connected to the VPN, or are you just concerned about them seeing your traffic while on the VPN?
In the first case, unless you let them install an agent of some sort that gives them local admin rights, they probably cannot see your browser history.
If you’re concerned about what they see while you are connected to their VPN, just assume that they will see all. Don’t do anything not related to the company while connected to their VPN. At least in the USA an individual has no reasonable expectation of privacy when using company resources. Note that the VPN and Internet connection on the Corporate network are considered company resources so they are within their rights to monitor and track all access.
Standard disclaimer - I am not a lawyer, do not take anything presented here as legal advice.
Do employers actually have the time to watch what their employees are doing in their free time?
I don’t at least.
I mean, that’s not entirely true. You can enable split-tunnel so only traffic to certain subnets goes through the VPN, and internet traffic does not.
Don’t know why we should help people. When everyone’s forced back in to the office full time, shitters like this guy will be the reason.
Yes we could, but we don’t, so the Internet traffic is through the firewall while their VPN is up on their remote PC. Not a bad thing, as that’s a work machine on work time if the VPN is up - we don’t leave it up 24/7, just working hours.