SSL VPN tunnel mode host check

3 Replies

SSL VPN tunnel mode host check

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
  2. Configure user and user group.
    1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
    2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
  3. SSL VPN web portal configuration.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
    2. Select Routing Address.
  4. SSL VPN settings configuration.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set default Portal tunnel-access for All OtherUsers/Groups.
    6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
  5. SSL VPN firewall policy configuration.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn tunnel access with av check.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the source to all and group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Click OK.
  6. Configure SSL VPN web portal to enable AV host-check.
    1. Open the CLI Console at the top right of the screen.
    2. Enter the following commands to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av end

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root” set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

next

endconfig firewall address edit “192.168.1.0” set subnet 192.168.1.0 255.255.255.0

next

end

  1. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “my-split-tunnel-portal” set tunnel-mode enable set split-tunneling enable

set split-tunneling-routing-address “192.168.1.0” set ip-pools “SSLVPN_TUNNEL_ADDR1”

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all”

set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-split-tunnel-portal”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure SSL VPN web portal to enable AV host-check.

Configure SSL VPN web portal to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av

end

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

  1. Select Customize Port and set it to 10443.
  2. Save your settings.
  3. Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the user’s computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

  1. After connection, traffic to 168.1.0 goes through the tunnel. Other traffic goes through local gateway.
  2. In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
  3. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “SSL VPN tunnel mode host check

  1. Stan

    Hi Mike, I would like to ask you something related to the post you published. If you have Active Directory and your users have Windows and Apple laptops, how can you make sure that that they can connect SSL VPN from domain joined machine only? As the solution presented is applicable for Windows only machines and cannot be used in parallel with Apple Laptops – for example, checking registry keys or AV running and etc.

    Reply
  2. Jesse Duell

    Got a question for you Mike. When users connect to the SSLVPN their machines are isolated. No traffic is allowed like Wifi isolation. Is there a way to allow all traffic on all user workstations connected to the VPN via the Fortinet VPN client? I was thinking of adding a the that sets the FROM interface to SSL-VPN tunnel interface (ssl.root) and the TO interface to SSL-VPN tunnel interface (ssl.root). But it sounds risky and I don’t want to mess things up. And I don’t see a check box for isolating clients like on Wifi. Any help would be appreciated?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.