[FortiGate] SSL-VPN basic settings

Work environment

  • FortiGate 60E
    • version 7.0.2

Establish SSL VPN from external client to FortiGate

Establish an SSL VPN from a client outside the base network to the FortiGate inside the base network, so that external clients can access the internal network.

You need to install the VPN client software called FortiClient on the external client. FortiClient can be downloaded from the Fortinet download page.

SSL VPN setting procedure

  1. Creating an Address Object for SSL-VPN Client
  2. Creating an SSL-VPN Portal
  3. SSL VPN basic settings
  4. Creating SSL-VPN users and groups
  5. Policy settings

Creating an Address Object for SSL-VPN Client

Create an address object as an address pool for issuing IP addresses to SSL-VPN clients.

Here, as an example, create an address object as shown in the image below.

Creating an SSL-VPN Portal

The SSL-VPN portal includes SSL-VPN mode (Tunnel / Web) settings and various option settings.

Click VPN > SSL-VPN Portals > Create New to create a new SSL-VPN Portal.

As an example, create an SSL-VPN Portal in Tunnel mode.

  • Enter any portal name in the Name field.
  • Enable Tunnel Mode.
  • Specify the address object created in advance in the Tunnel Mode > Source IP Pools field.
  • Disable Web Mode.

CLI config

If you want to configure it in the CLI, the SSL-VPN Portals config is config vpn ssl web portal.

FortiGate-60E (SampleSSL-VPNPor~nel) # show
config vpn ssl web portal
    edit "SampleSSL-VPNPortal_Tunnel"
        set tunnel-mode enable
        set ip-pools "SSLVPN_ClientAddresses"
    next
end

FortiGate-60E (SampleSSL-VPNPor~nel) # show full-configuration
config vpn ssl web portal
    edit "SampleSSL-VPNPortal_Tunnel"
        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping
        set limit-user-logins disable
        set forticlient-download enable
        set ip-mode range
        set auto-connect disable
        set keep-alive disable
        set save-password disable
        set ip-pools "SSLVPN_ClientAddresses"
        set split-tunneling enable
        set split-tunneling-routing-negate disable
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set dns-suffix ''
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set host-check none
        set mac-addr-check disable
        set os-check disable
        set forticlient-download-method direct
        set customize-forticlient-download-url disable
    next
end

SSL VPN basic settings

Click VPN > SSL-VPN Settings to configure SSL-VPN settings.

Connection Settings

  • Listen on Interface(s):
    • Specify the interface that accepts communication from SSL-VPN clients.
  • Listen on Port:
    • Specify the port number to listen for SSL-VPN connections. (VPN clients must connect to this port.)
    • Default: 443

Tunnel Mode Client Settings

  • Address Range: Specify custom IP ranges.
  • IP Ranges: Specify the same address object as the one set in the Tunnel Mode > Source IP Pools field of the SSL-VPN portal.

Authentication/Portal Mapping

Associate the SSL-VPN portal created in advance with All Other Users/Groups.

Apply

After setting all items, click Apply at the bottom of the screen.

CLI config

If you want to configure it in the CLI, the SSL-VPN settings config is config vpn ssl settings.

The default config is as follows.

FortiGate-60E # show vpn ssl settings
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 443
end

The config after setting according to the above setting example is as follows.

FortiGate-60E # show vpn ssl settings
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_ClientAddresses"
    set port 12345
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "SampleSSL-VPNPortal_Tunnel"
end

FortiGate-60E # show full-configuration vpn ssl settings
config vpn ssl settings
    set status enable
    set reqclientcert disable
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    unset banned-cipher
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
    set ssl-insert-empty-fragment enable
    set https-redirect disable
    set x-content-type-options enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "Fortinet_Factory"
    set algorithm high
    set idle-timeout 300
    set auth-timeout 28800
    set login-attempt-limit 2
    set login-block-time 60
    set login-timeout 30
    set dtls-hello-timeout 10
    set tunnel-ip-pools "SSLVPN_ClientAddresses"
    set dns-suffix ''
    set dns-server1 0.0.0.0
    set dns-server2 0.0.0.0
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 12345
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "SampleSSL-VPNPortal_Tunnel"
    set dtls-tunnel enable
    set check-referer disable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
    set auth-session-check-source-ip enable
    set tunnel-connect-without-reauth disable
    set hsts-include-subdomains disable
    set transform-backward-slashes disable
    set encode-2f-sequence disable
    set encrypt-and-store-password disable
    set client-sigalgs all
    set dual-stack-mode disable
    set tunnel-addr-assigned-method first-available
    set saml-redirect-port 8020
    set dtls-max-proto-ver dtls1-2
    set dtls-min-proto-ver dtls1-0
end
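As an added example (not from this page or from Fortinet), a small Python script that parses the `show full-configuration vpn ssl settings` output above and flags the values a reviewer would want to look at before exposing the portal on the WAN interface. The review rules and the trimmed sample config are assumptions made for this example.

```python
import re

# Constructed excerpt of "show full-configuration vpn ssl settings" output,
# trimmed to the keys the checks below look at (values taken from the page).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set status enable
    set reqclientcert disable
    set ssl-min-proto-ver tls1-2
    unset banned-cipher
    set force-two-factor-auth disable
    set servercert "Fortinet_Factory"
    set login-attempt-limit 2
    set login-block-time 60
    set port 12345
    set source-interface "wan1"
    set source-address "all"
    set auth-session-check-source-ip enable
end
"""

def parse_settings(text):
    """Return {key: value} from 'set <key> <value...>' lines of a FortiOS config block.
    Surrounding quotes are removed; 'unset <key>' is recorded as an empty string."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*(set|unset)\s+(\S+)(?:\s+(.*))?$', line)
        if not m:
            continue
        action, key, value = m.groups()
        settings[key] = "" if action == "unset" else (value or "").strip().strip('"')
    return settings

# Assumed review rules for this example (not Fortinet guidance):
# key -> (expected value or predicate on the value, reason to report).
CHECKS = {
    "ssl-min-proto-ver": ("tls1-2", "accept only TLS 1.2 or newer on the portal"),
    "force-two-factor-auth": ("enable", "require two-factor auth for every SSL-VPN user"),
    "servercert": (lambda v: v != "Fortinet_Factory", "replace the factory certificate so clients can verify the gateway"),
    "source-address": (lambda v: v != "all", "restrict client source addresses where possible"),
}

def review(text):
    """Return a list of (key, actual_value, reason) for every rule that fails."""
    settings = parse_settings(text)
    findings = []
    for key, (expected, reason) in CHECKS.items():
        actual = settings.get(key, "")
        ok = expected(actual) if callable(expected) else actual == expected
        if not ok:
            findings.append((key, actual, reason))
    return findings

if __name__ == "__main__":
    for key, actual, reason in review(SAMPLE_CONFIG):
        print(f"{key}={actual!r}: {reason}")
```

Paste the full `show full-configuration vpn ssl settings` output into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a live unit.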

Creating SSL VPN users and groups

Create users and user groups to use when connecting to SSL-VPN.

Creating a user

Click User & Authentication > User Definition > Create New.

Select Local User and click Next.

Enter the name and password of the user you want to create and click Next.

Set up Two-factor Authentication as needed and click Next.

Since the user group will be created later, it is not set here. Click Submit.

Creating a user group

Click User & Authentication > User Groups > Create New.

The following setting screen is displayed. Enter a name for the group. The Type of the group is Firewall. Add the user you just created to Members.

Policy settings

Set policies that allow communication from SSL-VPN clients to the internal network.

Click Policy & Objects > Firewall Policy > Create New.

The points to note regarding policy settings are as follows.

  • Specify the SSL-VPN tunnel interface (ssl.root) as the Incoming Interface.
  • For Source, specify both an address object and the user group created earlier.
  • Destination cannot be set to all when split tunneling is enabled in the SSL-VPN portal.

Installing FortiClient on the client

Go to the following web page and download the FortiClient installer.


Installing FortiClient

Run the downloaded installer.

FortiClient settings

Launch FortiClient.

Click VPN Settings.

Set each item on the screen below.

  • VPN: SSL-VPN
  • Connection name: Any name
  • Remote GW: IP address of FortiGate’s interface listening for SSL-VPN
    • Edit port: FortiGate port number listening for SSL-VPN

Enter your username and password to connect.

You will then see a security warning about the certificate. Select Continue.

If the connection is successful, the following screen will be displayed.

SSL-VPN confirmation command

View connection list

  • get vpn status ssl list
  • diagnose vpn ssl list

FortiGate-60E # get vpn status ssl list
[843:root]sconn=0x54ae9100, from(10.1.10.3) task=tunnel2_loop, fd=12(1:1),32(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0, asic_pending=0.

FortiGate-60E # diagnose vpn ssl list
[843:root]sconn=0x54ae9100, from(10.1.10.3) task=tunnel2_loop, fd=12(1:1),32(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0, asic_pending=0.

Display session information

  • get vpn ssl monitor

FortiGate-60E # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       sslvpnuser      SSL-VPN-Group  1(1)             291    28184    10.1.10.3      0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       sslvpnuser      SSL-VPN-Group  10.1.10.3        616     80900/0        10.1.250.10

Displaying statistics

  • diagnose vpn ssl statistics

FortiGate-60E # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit:               1
System total memory:       1957068800
System free memory:        1340039168
SSLVPN memory margin:      195706880
SSLVPN state:              normal

Max number of users:       1
Max number of tunnels:     1
Max number of connections: 2

Current number of users:       1
Current number of tunnels:     1
Current number of connections: 1

View settings

  • get vpn ssl settings


FortiGate-60E # get vpn ssl settings
status              : enable
reqclientcert       : disable
ssl-max-proto-ver   : tls1-3
ssl-min-proto-ver   : tls1-2
banned-cipher       :
ciphersuite         : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect      : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert          : Fortinet_Factory
algorithm           : high
idle-timeout        : 300
auth-timeout        : 28800
login-attempt-limit : 2
login-block-time    : 60
login-timeout       : 30
dtls-hello-timeout  : 10
tunnel-ip-pools     : "SSLVPN_ClientAddresses"
tunnel-ipv6-pools   :
dns-suffix          :
dns-server1         : 0.0.0.0
dns-server2         : 0.0.0.0
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
ipv6-dns-server1    : ::
ipv6-dns-server2    : ::
ipv6-wins-server1   : ::
ipv6-wins-server2   : ::
url-obscuration     : disable
http-compression    : disable
http-only-cookie    : enable
port                : 12345
port-precedence     : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface    : "wan1"
source-address      : "all"
source-address-negate: disable
source-address6     : "all"
source-address6-negate: disable
default-portal      : SampleSSL-VPNPortal_Tunnel
authentication-rule:
dtls-tunnel         : enable
check-referer       : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence  : disable
encrypt-and-store-password: disable
client-sigalgs      : all
dual-stack-mode     : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port  : 8020
dtls-max-proto-ver  : dtls1-2
dtls-min-proto-ver  : dtls1-0

List of other commands

FortiGate-60E # get vpn status ssl
hw-acceleration-status    SSL hardware acceleration status.
list                      List current connections.

FortiGate-60E # get vpn ssl
client      client
monitor     SSL-VPN session.
settings    Configure SSL-VPN.
web         web

FortiGate-60E # diagnose vpn ssl
list                      List current connections.
mux                       Show mux information.
mux-stat                  Show mux statistics.
statistics                SSL-VPN statistics
hw-acceleration-status    SSL hardware acceleration status.
tunnel-test               Enable/disable SSL-VPN old tunnel mode IP allocation method.
web-mode-test             Enable/disable random session ID in proxy URL for testing.
saml-metadata             Display SSL-VPN SAML SP metadata for given SAML name.
info                      SSL-VPN information
debug-filter              SSL-VPN debug message filter.
client                    SSL-VPN Client diagnostics.
