SSL VPN (5.6)
New SSL VPN features added to FortiOS 5.6.
Remote desktop configuration changes (410648)
If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. There may, however, be cases where a user wants to use a blank password, although this is strongly discouraged. If a username is provided but the password is empty, the CLI displays a warning. In the example CLI below, the warning appears as a caution before the command finishes:
config vpn ssl web user-group-bookmark
    edit <group-name>
        config bookmarks
            edit <bookmark-name>
                set apptype rdp
                set host 172.16.200.121
                set security nla
                set port 3389
                set logon-user <username>
            next
        end
Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.
    end
If no username (logon-user) is specified, the following error message appears and the setting is discarded:
Please enter user name for RDP security method NLA.
object set operator error, -2010
discard the setting
Command fail. Return code -2010
SSL VPN supports WAN link load balancing interface (396236)
A new CLI command sets virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows users to log in to a FortiGate via SSL VPN for traffic inspection and then have their outbound traffic load balanced by WAN link load balancing.
CLI syntax
config firewall policy
    edit <example>
        set dstintf virtual-wan-link
    end
SSL VPN login timeout to support high latency (394583)
With long network latency, the FortiGate can time out the client before it finishes negotiation processes such as DNS lookup and entering a token. Two new CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard-coded timeout value. The second command sets the SSL VPN maximum DTLS hello timeout.
CLI syntax
config vpn ssl settings
    set login-timeout [10-180]          Default is 30 seconds.
    set dtls-hello-timeout [10-60]      Default is 10 seconds.
end
SSL VPN supports Windows 10 OS check (387276)
A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.
CLI syntax
config vpn ssl web portal
    edit <example>
        set os-check enable
        config os-check-list windows-10
            set action {deny | allow | check-up-to-date}
        end
    end
SSL VPN DNS suffix per portal and number of portals (383754)
A new CLI command under config vpn ssl web portal implements a DNS suffix per SSL VPN portal. The suffix configured for a specific portal overrides the dns-suffix setting under config vpn ssl settings.
This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:
- 650 portals on 1000D series
- 1300 portals on 2000E series
- 2600 portals on 3000D series
The previous limit for 1000D series models, for example, was 256 portals.
CLI syntax
config vpn ssl web portal
    edit <example>
        set dns-suffix <string>
    end
New SSL VPN timeout settings (379870)
New SSL VPN timeout settings have been introduced to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.
The FortiGate solution is to add two attributes (http-request-header-timeout and http-request-body-timeout).
CLI syntax
config vpn ssl settings
    set http-request-header-timeout [1-60]      (seconds)
    set http-request-body-timeout [1-60]        (seconds)
end
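The two timers described above, as an added illustrative model in Python (not FortiGate code): it replays constructed client traffic against the http-request-header-timeout and http-request-body-timeout values and shows why a Slowloris-style slow header stream or an R-U-Dead-Yet-style slow POST body is dropped, while a slow but legitimate client that stays within the limits completes. The function names, the (arrival time, bytes) chunk format and the now argument are assumptions of this model.

```python
import re
# Added illustrative model of the two timers (not FortiGate code): the header
# timer runs from the first byte until the blank line that ends the headers;
# the body timer runs from there until Content-Length body bytes have arrived.
HEADER_END = b"\r\n\r\n"

def validate_timeouts(header_timeout, body_timeout):
    for name, value in (("http-request-header-timeout", header_timeout),
                        ("http-request-body-timeout", body_timeout)):
        if not 1 <= value <= 60:  # range taken from the CLI syntax above
            raise ValueError(f"{name} must be in [1-60] seconds, got {value}")
    return True

def read_request(chunks, now, header_timeout=10, body_timeout=10):
    """chunks: constructed (arrival_seconds, bytes) pairs in arrival order;
    now: time at which the timers are checked once the client goes quiet.
    Returns 'complete', 'header-timeout', 'body-timeout' or 'pending'."""
    validate_timeouts(header_timeout, body_timeout)
    buf, first_byte_at, headers_done_at, content_length = b"", None, None, 0
    for t, data in chunks:
        if first_byte_at is None:
            first_byte_at = t           # header timer starts
        if headers_done_at is None:
            # Slowloris: header lines trickle in and the terminating blank
            # line never arrives; the header timer cuts the connection.
            if t - first_byte_at > header_timeout:
                return "header-timeout"
            buf += data
            end = buf.find(HEADER_END)
            if end < 0:
                continue
            headers_done_at = t         # body timer starts
            head = buf[:end].decode("latin-1")
            m = re.search(r"^content-length:\s*(\d+)\s*$", head, re.I | re.M)
            content_length = int(m.group(1)) if m else 0
            buf = buf[end + len(HEADER_END):]   # body bytes already received
        else:
            # R-U-Dead-Yet: a large Content-Length is declared and the body
            # is dripped one byte at a time; the body timer cuts it off.
            if t - headers_done_at > body_timeout:
                return "body-timeout"
            buf += data
        if len(buf) >= content_length:
            return "complete"
    # Client went quiet: whichever timer is still running decides.
    if first_byte_at is None:
        return "pending"
    if headers_done_at is None:
        return "header-timeout" if now - first_byte_at > header_timeout else "pending"
    return "body-timeout" if now - headers_done_at > body_timeout else "pending"
```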
Personal bookmark improvements (377500)
You can now move and clone personal bookmarks in the GUI and CLI.
CLI syntax
config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            move bookmark1 after/before
            clone bookmark1 to
    next
end
New controls for SSL VPN client login limits (376983)
The limit on SSL VPN user login failures has been reworked: the SSL VPN user setting is now linked with config user settings, and a new option removes the SSL VPN login attempt limitation altogether. New CLI commands allow the administrator to configure how many times wrong credentials are accepted before the SSL VPN server blocks an IP address, and how long the block lasts.
CLI syntax
config vpn ssl settings
    set login-attempt-limit [0-10]          Default is 2.
    set login-block-time [0-86400]          Default is 60 seconds.
end
Unrated category removed from ssl-exempt (356428)
The “Unrated” category has been removed from the SSL Exempt/Web Category list.
Clipboard support for SSL VPN remote desktop connections (307465)
A remote desktop clipboard viewer pane has been added which allows users to copy, interact with, and overwrite remote desktop clipboard contents.
System (5.6.1)
