Category Archives: FortiOS 6.2

SSL VPN with local user password policy

SSL VPN with local user password policy

This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are warned after one day about the password expiring. The password policy can be applied to any local user password. The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.

In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the expiration time is reached, the user can still renew the password.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

Configure the interface and firewall address. Port1 interface connects to the internal network.
1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
Configure user and user group.
1. Go to User& Device > UserDefinition to create a local user.
2. Enter the user’s Email Address.
3. If you want, enable Two-factorAuthentication,
4. Click Next and click Submit.
5. Go to User& Device > UserGroups to create a user group and add that local user to it.
Configure and assign the password policy using the CLI.
1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next end

Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

end

Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpngroup.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

end config user group edit “sslvpngroup” set member”vpnuser1″

end

Configure and assign the password policy.
1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

end

Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1”

set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

end

To see the results of the SSL VPN web connection:

From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
Log in using the sslvpnuser1

When the warning time is reached , the user is prompted to enter a new password.

In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the administrator.

In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.

On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of the SSL VPN tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
Select Customize Port and set it to 10443.
Save your settings.
Log in using the sslvpnuser1

When the warning time is reached , the user is prompted to enter a new password.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check that login failed due to password expired on GUI:

Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
Click Details to see the log details about the Reason sslvpn_login_password_expired.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) SSL VPN sessions:	229 10.1.100.254 0/0 0/0
Index User Source IP Duration To check the tunnel login using the CLI: get vpn ssl monitor SSL VPN Login Users:	I/O Bytes Tunnel/Dest IP
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) SSL VPN sessions:	291 10.1.100.254 0/0 0/0
Index User Source IP Duration	I/O Bytes Tunnel/Dest IP
0 sslvpnuser1 10.1.100.254	9 22099/43228 10.212.134.200

To check the FortiOS 6.2 login password expired event log:

FG201E4Q17901354 # execute log	filter category event
FG201E4Q17901354 # execute log	filter field subtype vpn
FG201E4Q17901354 # execute log	filter field action ssl-login-fail
FG201E4Q17901354 # execute log	display
1: date=2019-02-15 time=10:57:56 logid=”0101039426″ type=”event” subtype=”vpn” level=”alert”

vd=”root” eventtime=1550257076 logdesc=”SSL VPN login fail” action=”ssl-login-fail” tunneltype=”ssl-web” tunnelid=0 remip=10.1.100.254 user=”u1″ group=”g1″ dst_host=”N/A” reason=”sslvpn_login_password_expired” msg=”SSL user failed to logged in”

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator

Leave a reply

SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server and FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

Add a FortiToken mobile license on the FortiAuthenticator.
1. On the FortiAuthenticator, go to Authentication > UserManagement > FortiTokens. Click Create New.
2. Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
Create the RADIUS client (FortiGate) on the FortiAuthenticator.
1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client OfficeServer).
2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.

Set Authentication method to Enforce two-factorauthentication.
Select Enable FortiToken Mobile push notifications authentication.
Set Realms to local |Local users.

Create a user and assign FortiToken Mobile to the user on the FortiAuthenticator.
1. On the FortiAuthenticator, go to Authentication > UserManagement > Local Users to create a user sslvpnuser1.
2. Enable Allow RADIUS authentication and click OK to access additional settings.
3. Enable Token-based authentication and select to deliver the token code by FortiToken.
4. Select the FortiToken added from the FortiToken Mobile dropdown menu.
5. Set Delivery method to Email and fill in the UserInformation
6. Go to Authentication > UserManagement > UserGroups to create a group sslvpngroup.
7. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
Install the FortiToken Mobile application on your smartphone, for Android or iOS.

The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address.

Activate the FortiToken Mobile through the FortiToken Mobile application by either entering the activation code or by scanning the QR code.

To configure SSL VPN using the GUI:

Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

Go to Network > Interface and edit the wan1
Set IP/Network Mask to 20.120.123/255.255.255.0.
Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
Click OK.
Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

Create a RADIUS user and user group.
1. On the FortiGate, go to User& Device > RADIUS Servers to create a user to connect to the RADIUS server

(FortiAuthenticator).

For Name, use FAC-RADIUS.
Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
Click Test Connectivity to ensure you can connect to the RADIUS server.
Select Test UserCredentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

Go to User& Device > UserGroups and click Create New to map authenticated remote users to a user group on the FortiGate.
For Name, use SSLVPNGroup.
In Remote Groups, click Add.
In the Remote Server dropdown list, select FAC-RADIUS.
Leave the Groups field blank.

Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpngroup.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

Create a RADIUS user and user group.

config user radius edit “FAC-RADIUS” set server “172.20.120.161” set secret <FAC client secret>

end

config user group edit “sslvpngroup” set member “FAC-RADIUS”

next end

Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

end

To see the results of web portal:

From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
Log in using the sslvpnuser1

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
Select Customize Port and set it to 10443.
Save your settings.
Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User Auth Type	Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 SSL VPN sessions:	1(1)	229 10.1.100.254 0/0 0/0
Index User Source IP To check the tunnel login on CLI: get vpn ssl monitor SSL VPN Login Users:	Duration	I/O Bytes Tunnel/Dest IP
Index User Auth Type	Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 SSL VPN sessions:	1(1)	291 10.1.100.254 0/0 0/0
Index User Source IP	Duration	I/O Bytes Tunnel/Dest IP
0 sslvpnuser1	10.1.100.254	9 22099/43228 10.212.134.200

SSL VPN with RADIUS on FortiAuthenticator

Leave a reply

SSL VPN with RADIUS on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

Create a user on the FortiAuthenticator.
1. On the FortiAuthenticator, go to Authentication > UserManagement > Local Users to create a user sslvpnuser1.
2. Enable Allow RADIUS authentication and click OK to access additional settings.
3. Go to Authentication > UserManagement > UserGroups to create a group sslvpngroup.
4. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
Create the RADIUS client (FortiGate) on the FortiAuthenticator.
1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client OfficeServer).
2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator. c. Set Realms to local |Local users.

To configure SSL VPN using the GUI:

Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

Go to Network > Interface and edit the wan1
Set IP/Network Mask to 20.120.123/255.255.255.0.
Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
Click OK.
Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

Create a RADIUS user and user group .
1. On the FortiGate, go to User& Device > RADIUS Servers to create a user to connect to the RADIUS server

(FortiAuthenticator).

For Name, use FAC-RADIUS.
Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
Click Test Connectivity to ensure you can connect to the RADIUS server.
Select Test UserCredentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

Go to User& Device > UserGroups and click Create New to map authenticated remote users to a user group on the FortiGate.
For Name, use SSLVPNGroup.
In Remote Groups, click Add.
In the Remote Server dropdown list, select FAC-RADIUS.
Leave the Groups field blank.

Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpngroup.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet.

Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

end config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

Create a RADIUS user and user group.

config user radius edit “FAC-RADIUS” set server “172.20.120.161” set secret <FAC client secret>

end

config user group edit “sslvpngroup” set member “FAC-RADIUS”

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

end

To see the results of web portal:

From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
Log in using the sslvpnuser1
On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.
- Set the connection name.
- Set Remote Gateway to 20.120.123.
Select Customize Port and set it to 10443.
Save your settings.
Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) SSL VPN sessions:	229 10.1.100.254 0/0 0/0
Index User Source IP Duration To check the tunnel login using the CLI: get vpn ssl monitor SSL VPN Login Users:	I/O Bytes Tunnel/Dest IP
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1)	291 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP 0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200

SSL VPN with FortiToken Mobile Push authentication

Leave a reply

SSL VPN with FortiToken Mobile Push authentication

This topic provides a sample configuration of SSL VPN that uses FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

Configure the interface and firewall address. Port1 interface connects to the internal network.
1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step. a. Go to Dashboard > Licenses.

Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click it and select Register.
Add FortiToken Mobile to FortiGate.

If your FortiGate has FortiToken installed, skip this step.

Go to User& Device > FortiTokens and click Create New.
Select Mobile Token and type in Activation Code.
Every FortiGate has two free Mobile Tokens. Go to User& Device > FortiTokens and click Import Free Trial Tokens.

Enable FortiToken Mobile Push.

To use FTM-push authentication, use CLI to enable FTM-Push in the FortiGate.

Ensure server-ip is reachable from the Internet and enter the following CLI commands:

config system ftm-push set server-ip 172.20.120.123 set status enable

end

Go to Network > Interfaces.
Edit the wan1
Under Administrative Access > IPv4, select FTM.
Click OK.

Configure user and user group.
1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
2. Enter the user’s Email Address.
3. Enable Two-factorAuthentication and select one Mobile token from the list,
4. Enable Send Activation Code from Email.
5. Click Next and click Submit.
6. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
Activate the Mobile token.
1. When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install your FortiToken Mobile application on your device and activate your token.
Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpngroup.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

diagnose forticare direct-registration product-registration -a “your account@xxx.com” -p

“your password” -T “Your Country/Region” -R “Your Reseller” -e 1

Add FortiToken Mobile to FortiGate.
1. If your FortiGate has FortiToken installed, skip this step. execute fortitoken-mobile import <your FTM code>
2. Every FortiGate has two free Mobile Tokens. You can download the free token.

execute fortitoken-mobile import 0000-0000-0000-0000-0000

Enable FortiToken Mobile Push.
1. To use FTM-push authentication, ensure server-ip is reachable from the Internet and enable FTM-Push in the FortiGate.

config system ftm-push set server-ip 172.20.120.123 set status enable

end

Enable FTM service on WAN interface.

config system interface edit “wan1” append allowaccess ftm

end

Configure user and user group.

config user local edit “sslvpnuser1” set type password set two-factor fortitoken

set fortitoken <select mobile token for the option list> set email-to <user’s email address> set passwd <user’s password>

end config user group edit “sslvpngroup” set member “sslvpnuser1”

end

Activate the Mobile token.
When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install your FortiToken Mobile application on your device and activate your token.
Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

end

To see the results of web portal:

From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
Log in using the sslvpnuser1

The FortiGate pushes a login request notification through the FortiToken Mobile application.

Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
Select Customize Port and set it to 10443.
Save your settings.
Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiGate pushes a login request notification through the FortiToken Mobile application.

Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) SSL VPN sessions:	229 10.1.100.254 0/0 0/0
Index User Source IP Duration To check the tunnel login using the CLI: get vpn ssl monitor SSL VPN Login Users:	I/O Bytes Tunnel/Dest IP
Index User Auth Type Timeout	From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) SSL VPN sessions:	291 10.1.100.254 0/0 0/0
Index User Source IP Duration	I/O Bytes Tunnel/Dest IP
0 sslvpnuser1 10.1.100.254	9 22099/43228 10.212.134.200

SSL VPN with LDAP-integrated certificate authentication

Leave a reply

SSL VPN with LDAP-integrated certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP UserPrincipalName checking.

This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer, the certificate authority, and the LDAP server.

Sample network topology

Sample configuration

In this sample, the UserPrincipal Name is included in the subject name of the issued certificate. This is the user field we use to search LDAP in the connection attempt.

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the server certificate:

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

Go to System > Feature Visibility and ensure Certificates is enabled.
Go to System > Certificates and select Import > Local Certificate.

l Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password. l If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

To install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

Go to System > Certificates and select Import > CA Certificate.
Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

To configure SSL VPN using the GUI:

Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

Go to Network > Interface and edit the wan1
Set IP/Network Mask to 20.120.123/255.255.255.0.
Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
Click OK.
Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

Configure the LDAP server.
1. Go to User& Device > LDAP Servers > Create New. l Specify Name and ServerIP/Name.

l Set Distinguished Name to dc=fortinet-fsso,dc=com. l Set Bind Type to Regular. l Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com. l Set password.

Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.

Go to User& Device > User> UserGroups and create a group sslvpn-group.
Add the PKI peer object you created as a local member of the group.
Add a remote group on the LDAP server and select the group of interest. You need these users to be members using the LDAP browser window.

Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Enable Require Client Certificate.
6. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
7. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpn-group.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

Configure the LDAP server.

config user ldap edit “ldap-AD” set server “172.18.60.206” set cnid “cn”

set dn “dc=fortinet-fsso,dc=com”

set type regular

set username “cn=admin,ou=testing,dc=fortinet-fsso,dc=com” set password ldap-server-password

end

Configure PKI users and a user group.

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

config user group edit “sslvpn-group” set member “ldap-AD” “test3” config match edit 1 set server-name “ldap-AD”

set group-name “CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM”

next end

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpn-group” set portal “full-access”

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpn-group” set action accept set schedule “always” set service “ALL” set nat enable

end

To see the results of tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
Select Customize Port and set it to 10443.
Enable Client Certificate and select the authentication certificate.
Save your settings.

Connecting to the VPN only requires the user’s certificate. It does not require username or password.

To see the results of web portal:

In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

Select the user certificate.

You can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the SSL VPN connection using the CLI:

Below is a sample output of diag debug app fnbamd -1 while the user connects. This is a shortened output sample of a few locations to show the important parts. This sample shows lookups to find the group memberships (three groups total) of the user and that the correct group being found results in a match.

[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206

[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result

[864] fnbamd_ldap_parse_response-ret=0

[1386] __fnbamd_ldap_primary_grp_next-Auth accepted

[910] __ldap_rxtx-Change state to ‘Done’

[843] __ldap_rxtx-state 23(Done)

[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206

[937] fnbamd_ldap_send-Request is sent. ID 5

[753] __ldap_stop-svr ‘ldap-AD’

[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM

[2088] fnbamd_auth_cert_check-Matching group ‘sslvpn-group’

[2007] __match_ldap_group-Matching server ‘ldap-AD’ – ‘ldap-AD’

[2015] __match_ldap_group-Matching group ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’ ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’

[2091] fnbamd_auth_cert_check-Group ‘sslvpn-group’ matched

[2120] fnbamd_auth_cert_result-Result for ldap svr[0] ‘ldap-AD’ is SUCCESS

[2126] fnbamd_auth_cert_result-matched user ‘test3’, matched group ‘sslvpn-group’

You can also use diag firewall auth list to validate that a firewall user entry exists for the SSL VPN user and is part of the right groups.

SSL VPN with certificate authentication

2 Replies

SSL VPN with certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

Configure the interface and firewall address.

Port1 interface connects to the internal network.

Go to Network > Interface and edit the wan1
Set IP/Network Mask to 20.120.123/255.255.255.0.
Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
Click OK.
Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
Install the server certificate.

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. a. Go to System > Feature Visibility and ensure Certificates is enabled.

Go to System > Certificates and select Import > Local Certificate.
- Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password.
- If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

Go to System > Certificates and select Import > CA Certificate.
Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer

edit pki01

set ca CA_Cert_1 set subject User01

end l Ensure the subject matches the name of the user certificate. In this example, User01. Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.

Edit the user account and expand Two-factorauthentication.
Enable Require two-factorauthentication and set a Password for the account.
Go to User& Device > User> UserGroups and create a group sslvpngroup.
Add the PKI user pki01 to the group.

Configure SSL VPN web portal.
1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

Configure SSL VPN settings.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Set ServerCertificate to the authentication certificate.
5. Enable Require Client Certificate.
6. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
7. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
Configure SSL VPN firewall policy.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Set the Source Address to all and Source User to sslvpngroup.
5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
6. Set Destination Address to the internal protected subnet 168.1.0.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure any remaining firewall and security options as desired.
10. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

end

Install the CA certificate.

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. It is easier to install the server certificate from GUI. However, CLI can import a p12 certificate from a tftp server.

If you want to import a p12 certificate, put the certificate server_certificate.p12 on your tftp server, then run following command on the FortiGate.

execute vpn certificate local import tftp server_certificate.p12 <your tftp_server> p12 <your password for PKCS12 file>

To check server certificate is installed:

show vpn certificate local server_certificate

Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

It is easier to install the server certificate from GUI. However, CLI can import a CA certificates from a tftp server. If you want to import a CA certificate, put the CA certificate on your tftp server, then run following command on the FortiGate.

execute vpn certificate ca import tftp <your CA certificate name> <your tftp server>

To check that a new CA certificate is installed:

show vpn certificate ca

Configure PKI users and a user group.

config user peer

edit pki01

set ca CA_Cert_1 set subject User01 set two-factor enable set passwd <your-password>

end config user group edit “sslvpngroup” set member “pki01”

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

end

Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

end

Sample installation

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the user certificate on Windows 7, 8, and 10:

Double-click the certificate file to open the Import Wizard.
Use the Import Wizard to import the certificate into the Personal store.

To install the user certificate on Mac OS X:

Open the certificate file, to open Keychain Access.
Double-click the certificate.
Expand Trust and select Always Trust.

To see the results of tunnel connection:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access > Configure VPN.
Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

Select Customize Port and set it to 10443.
Enable Client Certificate and select the authentication certificate.
Save your settings.
Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the certificate is correct, you can connect.

To see the results of web portal:

In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

Select the user certificate.
Enter your user credentials.

If the certificate is correct, you can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
Go to Log & Report > VPN Events and view the details for the SSL connection log.

To check the SSL VPN connection using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User Auth Type	Timeout	From HTTP in/out HTTPS in/out
0 pki01,cn=User01	1(1)	229 10.1.100.254 0/0 0/0
1 pki01,cn=User01 SSL VPN sessions:	1(1)	291 10.1.100.254 0/0 0/0
Index User Source IP	Duration	I/O Bytes Tunnel/Dest IP
0 pki01,cn=User01	10.1.100.254	9 22099/43228 10.212.134.200

SSL VPN multi-realm

1 Reply

SSL VPN multi-realm

This sample recipe shows how to create a multi-realm SSL VPN that provides different portals for different user groups.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

Configure the interface and firewall address. Port1 interface connects to the internal network.
1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0. d. Click OK.
4. Go to Firewall & Objects > Address and create an address for internet QA_subnet with subnet 192.168.1.0/24 and HR_subnet with subnet 10.1.100.0/24.
Configure user and user group.
1. Go to User& Device > UserDefinition to create local users qa-user1 and hr-user1.
2. Go to User& Device > UserGroups to create separate user groups for web-only and full-access portals:
  - QA_group with member qa-user1.
  - HR_group with the member hr-user1.
3. SSL VPN web portal configuration.
  1. Go to VPN > SSL-VPN Portals to create portal qa-tunnel.
  2. Enable tunnel-mode.
  3. Create a portal hr-web with web-mode enabled.
4. SSL VPN realms configuration.
  1. Go to System > Feature Visibility to enable SSL-VPN Realms.
  2. Go to VPN > SSL-VPN Realms to create realms for qa and hr.
5. SSL VPN settings configuration.
  1. Go to VPN > SSL-VPN Settings.
  2. Choose proper Listen on Interface, in this example, wan1.
  3. Listen on Port 10443.
  4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
  5. Under Authentication/Portal Mapping, set default Portal Web-access for All OtherUsers/Groups.
  6. Create new Authentication/Portal Mapping for group QA_group mapping portal qa-tunnel.
  7. Specify realm with qa.
  8. Add another entry for group HR_group mapping portal hr-web.
  9. Specify realm with hr.
6. SSL VPN firewall policy configuration.
  1. Go to Policy & Objects > IPv4 Policy.
  2. Create a firewall policy for QA access.
  3. Fill in the firewall policy name. In this example: QA sslvpn tunnel mode access.
  4. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
  5. Choose an Outgoing Interface. In this example: port1.
  6. Set the source to all and group to QA_group.
  7. In this example, the destination is the internal protected subnet QA_subnet.
  8. Set schedule to always, service to ALL, and Action to Accept.
  9. Click OK.
  10. Create a firewall policy for HR access.
  11. Fill in the firewall policy name. In this example: HR sslvpn web mode access.
  12. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
  13. Choose an Outgoing Interface. In this example: port1.
  14. Set the source to all and group to HR_group.
  15. In this example, the destination is the internal protected subnet HR_subnet.
  16. Set schedule to always, service to ALL, and Action to Accept.
  17. Click OK.

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0 next

end config firewall address edit “QA_subnet” set subnet 192.168.1.0 255.255.255.0

next edit “HR_subnet” set subnet 10.1.100.0 255.255.255.0

end

Configure user and user group.

config user local edit “qa_user1” set type password set passwd your-password

end config user group edit “QA_group” set member “qa_user1”

end config user local edit “hr_user1” set type password set passwd your-password

end config user group edit “HR_group” set member “hr_user1”

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “qa-tunnel” set tunnel-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling enable set split-tunneling-routing-address “QA_subnet”

end config vpn ssl web portal edit “hr-web” set web-mode enable

end

Configure SSL VPN realms.

Using the GUI is the easiest way to configure SSL VPN realms.

Go to System > Feature Visibility to enable SSL-VPN Realms.
Go to VPN > SSL-VPN Realms to create realms for qa and hr.

Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all” set default-portal “full-access” config authentication-rule edit 1 set groups “QA_group” set portal “qa-tunnel” set realm qa

next edit 2 set groups “HR_group” set portal “hr-web” set realm hr

end

Configure SSL VPN firewall policy.

Configure two firewall policies to allow remote QA user to access internal QA network and HR user to access HR network.

config firewall policy edit 1 set name “QA sslvnpn tunnel access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “QA_subnet” set groups “QA_group” set action accept set schedule “always” set service “ALL”

next edit 2 set name “HR sslvpn web access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “HR_subnet” set groups “HR_group” set action accept set schedule “always” set service “ALL”

end

To see the results for QA user:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access.
Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to https://172.20.120.123:10443/qa..

Select Customize Port and set it to 10443.
Save your settings.
Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the user’s computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

After connection, traffic to subnet 168.1.0 goes through the tunnel.
In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.

To see the results for HR user:

In a web browser, log into the portal https://172.20.120.123:10443/hr using the credentials you’ve set up to connect to the SSL VPN tunnel.
Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
Go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.

SSL VPN tunnel mode host check

3 Replies

SSL VPN tunnel mode host check

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

Configure the interface and firewall address. Port1 interface connects to the internal network.
1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
Configure user and user group.
1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
SSL VPN web portal configuration.
1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
2. Select Routing Address.
SSL VPN settings configuration.
1. Go to VPN > SSL-VPN Settings.
2. Choose proper Listen on Interface, in this example, wan1.
3. Listen on Port 10443.
4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
5. Under Authentication/Portal Mapping, set default Portal tunnel-access for All OtherUsers/Groups.
6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
SSL VPN firewall policy configuration.
1. Go to Policy & Objects > IPv4 Policy.
2. Fill in the firewall policy name. In this example: sslvpn tunnel access with av check.
3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
4. Choose an Outgoing Interface. In this example: port1.
5. Set the source to all and group to sslvpngroup.
6. In this example, the destination is all.
7. Set schedule to always, service to ALL, and Action to Accept.
8. Click OK.
Configure SSL VPN web portal to enable AV host-check.
1. Open the CLI Console at the top right of the screen.
2. Enter the following commands to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av end

To configure SSL VPN using the CLI:

Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root” set ip 172.20.120.123 255.255.255.0

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

endconfig firewall address edit “192.168.1.0” set subnet 192.168.1.0 255.255.255.0

end

Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

end config user group edit “sslvpngroup” set member”vpnuser1″

end

Configure SSL VPN web portal.

config vpn ssl web portal edit “my-split-tunnel-portal” set tunnel-mode enable set split-tunneling enable

set split-tunneling-routing-address “192.168.1.0” set ip-pools “SSLVPN_TUNNEL_ADDR1”

end

Configure SSL VPN settings.

set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-split-tunnel-portal”

end

Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

end

Configure SSL VPN web portal to enable AV host-check.

Configure SSL VPN web portal to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av

end

To see the results:

Download FortiClient from forticlient.com.
Open the FortiClient Console and go to Remote Access.
Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

Select Customize Port and set it to 10443.
Save your settings.
Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the user’s computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

After connection, traffic to 168.1.0 goes through the tunnel. Other traffic goes through local gateway.
In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.