Work environment
- FortiGate 60E
- version 7.0.2
Establish SSL VPN from external client to FortiGate
Establish an SSL VPN from a client outside the site network to the FortiGate inside the site network, so that external clients can reach the internal network behind the FortiGate.
You need to install the VPN client software called FortiClient on the external client. FortiClient can be downloaded from the Fortinet download page.
SSL VPN setting procedure
- Creating an Address Object for SSL-VPN Client
- Creating an SSL-VPN Portal
- SSL VPN basic settings
- Creating SSL-VPN users and groups
- Policy settings
Creating an Address Object for SSL-VPN Client
Create an address object as an address pool for issuing IP addresses to SSL-VPN clients.
Here, as an example, create an address object as shown in the image below.
Creating an SSL-VPN Portal
The SSL-VPN portal includes SSL-VPN mode (Tunnel / Web) settings and various option settings.
Click VPN > SSL-VPN Portals > Create New to create a new SSL-VPN Portal.
As an example, create an SSL-VPN Portal in Tunnel mode.
- Enter any portal name in the Name field.
- Enable Tunnel Mode.
- Specify the address object created in advance in the Tunnel Mode > Source IP Pools field.
- Disable Web Mode.
CLI config
If you want to configure it in the CLI, the SSL-VPN Portals config is config vpn ssl web portal.
FortiGate-60E (SampleSSL-VPNPor~nel) # show
config vpn ssl web portal
edit "SampleSSL-VPNPortal_Tunnel"
set tunnel-mode enable
set ip-pools "SSLVPN_ClientAddresses"
next
end
FortiGate-60E (SampleSSL-VPNPor~nel) # show full-configuration
config vpn ssl web portal
edit "SampleSSL-VPNPortal_Tunnel"
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode disable
set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping
set limit-user-logins disable
set forticlient-download enable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "SSLVPN_ClientAddresses"
set split-tunneling enable
set split-tunneling-routing-negate disable
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-suffix ''
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set host-check none
set mac-addr-check disable
set os-check disable
set forticlient-download-method direct
set customize-forticlient-download-url disable
next
end
SSL VPN basic settings
Click VPN > SSL-VPN Settings to configure SSL-VPN settings.
Connection Settings
- Listen on Interface(s):
- Specify the interface that accepts communication from SSL-VPN clients.
- Listen on Port:
- Specify the port number to listen for SSL-VPN connections. (VPN clients must connect to this port.)
- Default: 443
Tunnel Mode Client Settings
- Address Range: Specify custom IP ranges.
- IP Ranges: Specify the same address object as the one specified in the Tunnel Mode > Source IP Pools field of the SSL-VPN portal.
Authentication/Portal Mapping
Associate the SSL-VPN portal created in advance with All Other Users/Groups.
Apply
After setting all items, click Apply at the bottom of the screen.
CLI config
If you want to configure it in the CLI, the SSL-VPN settings config is config vpn ssl settings.
The default config is as follows.
FortiGate-60E # show vpn ssl settings
config vpn ssl settings
set servercert "Fortinet_Factory"
set port 443
end
The config after setting according to the above setting example is as follows.
FortiGate-60E # show vpn ssl settings
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_ClientAddresses"
set port 12345
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "SampleSSL-VPNPortal_Tunnel"
end
FortiGate-60E # show full-configuration vpn ssl settings
config vpn ssl settings
set status enable
set reqclientcert disable
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
unset banned-cipher
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set ssl-insert-empty-fragment enable
set https-redirect disable
set x-content-type-options enable
set ssl-client-renegotiation disable
set force-two-factor-auth disable
set servercert "Fortinet_Factory"
set algorithm high
set idle-timeout 300
set auth-timeout 28800
set login-attempt-limit 2
set login-block-time 60
set login-timeout 30
set dtls-hello-timeout 10
set tunnel-ip-pools "SSLVPN_ClientAddresses"
set dns-suffix ''
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-wins-server1 ::
set ipv6-wins-server2 ::
set url-obscuration disable
set http-compression disable
set http-only-cookie enable
set port 12345
set port-precedence enable
set auto-tunnel-static-route enable
set header-x-forwarded-for add
set source-interface "wan1"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set default-portal "SampleSSL-VPNPortal_Tunnel"
set dtls-tunnel enable
set check-referer disable
set http-request-header-timeout 20
set http-request-body-timeout 30
set auth-session-check-source-ip enable
set tunnel-connect-without-reauth disable
set hsts-include-subdomains disable
set transform-backward-slashes disable
set encode-2f-sequence disable
set encrypt-and-store-password disable
set client-sigalgs all
set dual-stack-mode disable
set tunnel-addr-assigned-method first-available
set saml-redirect-port 8020
set dtls-max-proto-ver dtls1-2
set dtls-min-proto-ver dtls1-0
end
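The full-configuration output above is long enough that a review is easier against a parsed copy than by reading the CLI dump. The following script is an added example for this write-up, not FortiGate code: it parses the "set"/"unset" lines of config vpn ssl settings into a dictionary and flags the items a reviewer would want to revisit before exposing the portal (the factory certificate, two-factor not enforced, no client certificate required, source-address "all"). SAMPLE_OUTPUT is constructed from the values shown in the article, and the review rules are the example author's assumptions, not Fortinet recommendations.

```python
"""Parse 'show full-configuration vpn ssl settings' and flag settings to review.

Added example for this write-up, not FortiGate code. SAMPLE_OUTPUT is
constructed from the values shown in the article; the review rules are the
example author's assumptions, not Fortinet recommendations.
"""
import re
import shlex

# Constructed from the settings shown in the article (a subset of the lines).
SAMPLE_OUTPUT = """\
FortiGate-60E # show full-configuration vpn ssl settings
config vpn ssl settings
    set status enable
    set reqclientcert disable
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    unset banned-cipher
    set force-two-factor-auth disable
    set servercert "Fortinet_Factory"
    set login-attempt-limit 2
    set login-block-time 60
    set dns-suffix ''
    set port 12345
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "SampleSSL-VPNPortal_Tunnel"
end
"""


def parse_settings(text):
    """Return {key: [values]} for every 'set'/'unset' line inside the config block.

    Quoted values such as "Fortinet_Factory" are unquoted by shlex; an 'unset'
    key maps to an empty list so it can be told apart from a missing key.
    """
    settings = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            parts = shlex.split(line[4:])
            settings[parts[0]] = parts[1:]
        elif in_block and line.startswith("unset "):
            settings[line[6:].strip()] = []
    return settings


def tls_version(value):
    """Map a FortiOS token such as 'tls1-2' to (1, 2); None if it is not a TLS token."""
    m = re.fullmatch(r"tls(\d+)-(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def review(settings):
    """Return a list of (key, message) findings; an empty list means nothing to flag."""
    findings = []

    def first(key, default=""):
        vals = settings.get(key, [])
        return vals[0] if vals else default

    if first("servercert") == "Fortinet_Factory":
        findings.append(("servercert",
                         "factory certificate in use; clients get a certificate warning "
                         "and learn to click through it"))
    if first("force-two-factor-auth") != "enable":
        findings.append(("force-two-factor-auth",
                         "two-factor authentication is not enforced for SSL-VPN logins"))
    if first("reqclientcert") != "enable":
        findings.append(("reqclientcert",
                         "no client certificate required; user credentials alone authenticate the client"))
    if "all" in settings.get("source-address", []):
        findings.append(("source-address",
                         "any source IP may reach the portal; restrict it if clients come from known ranges"))
    minver = tls_version(first("ssl-min-proto-ver"))
    if minver is None or minver < (1, 2):
        findings.append(("ssl-min-proto-ver", "minimum TLS version is below 1.2 or not set"))
    return findings


if __name__ == "__main__":
    for key, msg in review(parse_settings(SAMPLE_OUTPUT)):
        print(f"{key}: {msg}")
```

Paste the real "show full-configuration vpn ssl settings" output in place of SAMPLE_OUTPUT to run the same checks against a live unit; the parser only needs the config ... end block, so the prompt line can stay.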
Creating SSL-VPN users and groups
Create users and user groups to use when connecting to SSL-VPN.
Creating a user
Click User & Authentication > User Definition > Create New.
Select Local User and click Next.
Enter the name and password of the user you want to create and click Next.
Set up Two-factor Authentication as needed and click Next.
Since the user group will be created later, it is not set here. Click Submit.
Creating a user group
Click User & Authentication > User Groups > Create New.
The following setting screen is displayed. Enter a name for the group. The Type of the group is Firewall. Add the user you just created to Members.
Policy settings
Set policies that allow communication from SSL-VPN clients to the internal network.
Click Policy & Objects > Firewall Policy > Create New.
The points to note regarding policy settings are as follows.
- Specify the SSL-VPN tunnel interface (ssl.root) for Incoming Interface.
- For Source, select both an address object and the pre-created user group.
- You cannot set Destination to all if split tunneling is enabled in the SSL-VPN portal.
Installing FortiClient on the client
Go to the following web page and download the FortiClient installer.
Download FortiClient installer
Installing FortiClient
Run the downloaded installer.
FortiClient settings
Launch FortiClient.
Click VPN Settings.
Set each item on the screen below.
- VPN: SSL-VPN
- Connection name: Any name
- Remote GW: IP address of FortiGate’s interface listening for SSL-VPN
- Edit port: FortiGate port number listening for SSL-VPN
Enter your username and password to connect.
You will then see a security warning about the certificate. Select Continue.
If the connection is successful, the following screen will be displayed.
SSL-VPN verification commands
View connection list
get vpn status ssl list
diagnose vpn ssl list
FortiGate-60E # get vpn status ssl list
[843:root]sconn=0x54ae9100, from(10.1.10.3) task=tunnel2_loop, fd=12(1:1),32(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0, asic_pending=0.
FortiGate-60E # diagnose vpn ssl list
[843:root]sconn=0x54ae9100, from(10.1.10.3) task=tunnel2_loop, fd=12(1:1),32(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0, asic_pending=0.
Display session information
get vpn ssl monitor
FortiGate-60E # get vpn ssl monitor
SSL-VPN Login Users:
 Index  User        Group          Auth Type  Timeout  Auth-Timeout  From       HTTP in/out  HTTPS in/out  Two-factor Auth
 0      sslvpnuser  SSL-VPN-Group  1(1)       291      28184         10.1.10.3  0/0          0/0           0
SSL-VPN sessions:
 Index  User        Group          Source IP  Duration  I/O Bytes  Tunnel/Dest IP
 0      sslvpnuser  SSL-VPN-Group  10.1.10.3  616       80900/0    10.1.250.10
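The monitor output is the quickest place to see who is connected, but it is easier to act on once it is turned into records. The script below is an added example for this write-up, not FortiGate code: it parses the two tables of get vpn ssl monitor positionally (the column names contain spaces, so the header line cannot be split on whitespace) and runs two checks a defender would want, logins that used no second factor and tunnel addresses outside the expected client pool. SAMPLE_MONITOR is constructed from the output shown in the article. The pool 10.1.250.0/24 is an assumed value (the article names the SSLVPN_ClientAddresses object but does not state its range), and reading a "Two-factor Auth" value of 0 as "no second factor used" is also an assumption.

```python
"""Turn 'get vpn ssl monitor' output into records and run two simple checks.

Added example for this write-up, not FortiGate code. SAMPLE_MONITOR is
constructed from the output shown in the article; the client pool
10.1.250.0/24 and the meaning of the 'Two-factor Auth' column are assumptions.
"""
import ipaddress

SAMPLE_MONITOR = """\
FortiGate-60E # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User   Group   Auth Type   Timeout   Auth-Timeout   From   HTTP in/out   HTTPS in/out   Two-factor Auth
 0   sslvpnuser   SSL-VPN-Group   1(1)   291   28184   10.1.10.3   0/0   0/0   0

SSL-VPN sessions:
 Index   User   Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP
 0   sslvpnuser   SSL-VPN-Group   10.1.10.3   616   80900/0   10.1.250.10
"""

# Column order of the two tables. Header names contain spaces, so data rows are
# mapped to these names by position instead of by splitting the header line.
LOGIN_FIELDS = ("index", "user", "group", "auth_type", "timeout", "auth_timeout",
                "from", "http_in_out", "https_in_out", "two_factor")
SESSION_FIELDS = ("index", "user", "group", "source_ip", "duration",
                  "io_bytes", "tunnel_ip")


def parse_monitor(text):
    """Return (logins, sessions): two lists of dicts keyed by the field tuples above."""
    logins, sessions = [], []
    target = fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SSL-VPN Login Users"):
            target, fields = logins, LOGIN_FIELDS
        elif line.startswith("SSL-VPN sessions"):
            target, fields = sessions, SESSION_FIELDS
        elif target is not None and line and not line.startswith("Index"):
            tokens = line.split()
            if len(tokens) == len(fields):  # ignore anything that is not a data row
                target.append(dict(zip(fields, tokens)))
    return logins, sessions


def io_bytes(session):
    """Split the 'I/O Bytes' column ('80900/0') into (in_bytes, out_bytes)."""
    i, o = session["io_bytes"].split("/")
    return int(i), int(o)


def find_issues(logins, sessions, pool_cidr="10.1.250.0/24"):
    """Flag logins without a second factor and tunnel addresses outside the pool.

    pool_cidr is an assumed value for the SSLVPN_ClientAddresses object.
    """
    pool = ipaddress.ip_network(pool_cidr)
    issues = []
    for u in logins:
        if u["two_factor"] == "0":  # assumption: 0 means no second factor was used
            issues.append(("no-two-factor", u["user"], u["from"]))
    for s in sessions:
        if ipaddress.ip_address(s["tunnel_ip"]) not in pool:
            issues.append(("tunnel-ip-outside-pool", s["user"], s["tunnel_ip"]))
    return issues


if __name__ == "__main__":
    logins, sessions = parse_monitor(SAMPLE_MONITOR)
    for s in sessions:
        print(s["user"], s["source_ip"], "->", s["tunnel_ip"], io_bytes(s))
    for issue in find_issues(logins, sessions):
        print(issue)
```

Run against the sample, the only finding is the missing second factor for sslvpnuser from 10.1.10.3; the records themselves can be forwarded to a log pipeline so that new source IPs or unusual session durations show up without logging in to the FortiGate.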
Displaying statistics
diagnose vpn ssl statistics
FortiGate-60E # diagnose vpn ssl statistics
SSLVPN statistics (root):
------------------
Memory unit: 1
System total memory: 1957068800
System free memory: 1340039168
SSLVPN memory margin: 195706880
SSLVPN state: normal
Max number of users: 1
Max number of tunnels: 1
Max number of connections: 2
Current number of users: 1
Current number of tunnels: 1
Current number of connections: 1
View settings
get vpn ssl settings
FortiGate-60E # get vpn ssl settings
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : Fortinet_Factory
algorithm : high
idle-timeout : 300
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_ClientAddresses"
tunnel-ipv6-pools :
dns-suffix :
dns-server1 : 0.0.0.0
dns-server2 : 0.0.0.0
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 12345
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : SampleSSL-VPNPortal_Tunnel
authentication-rule:
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : 8020
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
List of other commands
FortiGate-60E # get vpn status ssl
hw-acceleration-status SSL hardware acceleration status.
list List current connections.
FortiGate-60E # get vpn ssl
client client
monitor SSL-VPN session.
settings Configure SSL-VPN.
web web
FortiGate-60E # diagnose vpn ssl
list List current connections.
mux Show mux information.
mux-stat Show mux statistics.
statistics SSL-VPN statistics
hw-acceleration-status SSL hardware acceleration status.
tunnel-test Enable/disable SSL-VPN old tunnel mode IP allocation method.
web-mode-test Enable/disable random session ID in proxy URL for testing.
saml-metadata Display SSL-VPN SAML SP metadata for given SAML name.
info SSL-VPN information
debug-filter SSL-VPN debug message filter.
client SSL-VPN Client diagnostics.