FGT1 05 SSL VPN


FortiGate I

SSL VPN

FortiGate 5.2.1 Last Modified: December 5, 2023 1


Objectives

• Understand and configure different operating modes for SSL VPN
• Configure SSL VPN options, such as bookmarks and realms
• Configure additional security for SSL VPN access
• Monitor SSL VPN connected users
• Configure firewall policies and authentication for SSL VPN

2
Virtual Private Networks (VPN)

• Allows users to remotely access network resources as if they were physically connected to the local network
• Used when there is the need to transmit private data across a public network
• Provides an encrypted point-to-point connection, so it cannot be intercepted by unauthorized users
• Employs different security methods to ensure that only authorized users can access the private network

3
FortiGate VPN

SSL VPN
• Typically used to secure web transactions
• HTTPS tunnel created to securely transmit application data
• Client signs on through secure web page (SSL VPN portal) on the FortiGate device

IPsec VPN
• Well suited for network-based legacy applications
• Secure tunnel created between two host devices
• IPsec VPN can be configured between FortiGate unit and most third-party IPsec VPN devices or clients

4
SSL VPN: Web-only Mode

1. Connection of a remote user to the SSL VPN portal (HTTPS Web site)
2. User authentication
3. SSL VPN portal presented
4. Access resources through the SSL VPN portal via bookmarks or the connection tool widget
[Figure callout: User traffic has the internal interface IP address as source]

5
SSL VPN: Tunnel Mode

1. Connection of a remote user to the SSL VPN portal (HTTPS Web Site)
2. User Authentication
3. SSL VPN portal presented
4. Tunnel created
5. Access resources (IP traffic encapsulated over HTTPS)
[Figure callout: User traffic source IP address is assigned by the FortiGate unit]

6
Tunnel Mode Split Tunneling

• Split Tunneling disabled:
o All IP traffic routed over the SSL VPN tunnel (including Internet traffic)
o FortiGate becomes the default gateway for the host
• Split Tunneling enabled:
o Only traffic destined to the private network routed over the SSL VPN tunnel
[Figure: tunnel mode between the client, the Internet and the internal network, with Split Tunneling enabled vs. Split Tunneling disabled]

7
Ways of Connecting SSL VPN Tunnel Mode

• Using a browser:
o The SSL VPN web portal displays the status of the SSL VPN ActiveX control
o The SSL VPN portal page must remain open for the tunnel to function
• Using the standalone FortiClient SSL VPN client:
o The client must remain running for the tunnel to function
o A new virtual network adapter called fortissl is created in the client PC
o The FortiGate assigns the adapter a virtual IP address from a pool of reserved addresses

8
SSL VPN: Port Forward

• Port Forward is an extension of web-only mode that simulates tunnel mode
o Viable option when there is no administrative access to install the virtual tunnel adapter
• Port Forward uses a Java applet to extend the number of applications supported by Web-only mode
o The applet listens on local ports on the user's computer. It encrypts and forwards to the FortiGate device all traffic it receives (similar to tunnel mode)
o Specific bookmarks for the user are created that act as tunnels
• The user must configure applications on the computer to point to the local proxy instead of the normal application server

9
Comparing SSL VPN access modes

Web-only
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH

Port Forward
• Java applet works as a local proxy to intercept specific TCP port traffic and encrypt it using SSL
• Applet is installed without admin/root privileges
• Configured through bookmarks on Web Portal
• Client Applications must point to the Java applet

Tunnel
• Uses FortiGate-specific client downloaded to computer (ActiveX or Java applet)
• Requires Administrator/root privilege to install network tunnel adaptor
• Accessed via web portal or standalone client

10
User Bookmarks

• Users' ability to create their own bookmarks is enabled or disabled by the administrator on a per-portal basis
• Administrators can view and delete user bookmarks from the GUI; from the CLI they can also create bookmarks for users

11
User Bookmarks: Configuration

config vpn ssl web user-bookmark
    edit <user_name>
        config bookmarks
            edit <bookmark_title>
                set apptype {citrix|ftp|portforward|rdp|rdpnative|smb|ssh|telnet|vnc|web}
                set description <description>
                set sso {disable|auto}
            next
        end
    next
end

• Each ‘apptype’ has its own sub-settings
o For example, “web” has ‘url’, “ftp” has ‘folder’, etc.
• Port forwarding bookmarks are only for three specific types:
o citrix
o portforward
o rdpnative

12
Portal Bookmarks

• Administrators can add bookmarks to portals
• Available to all users who use the portal

13
Realms

• Default login → users point their browsers directly to the FortiGate
• Login with realms → users log in via a custom URL, which takes them to a custom portal

14
Securing SSL VPN access

• Client integrity checking
• Restricting host connection addresses
• Requiring specific certificates
• Two-factor authentication
• FortiClient download

15
Securing Access: Client Integrity Checking

• SSL VPN gateway checks client system
o Only possible with clients running Microsoft Windows
• Detects client security applications recognized by the Windows Security Center (antivirus and firewall)
• Checks status of applications through Globally Unique Identifiers (GUID) (Custom Host Checks)
• Determines the state of the applications (active/inactive, current version number, and signature updates)

16
Client Integrity Checking: Configuration

• Relies on external vendor software to ensure the integrity of the client
• Checks if required software is installed on the connecting PC; otherwise the SSL VPN connection attempt is rejected
• CLI-only configuration:
config vpn ssl web portal
    edit <portal_name>
        set host-check {none|av|fw|av-fw|custom}
        set host-check-interval <seconds>
    next
end
config vpn ssl web host-check-software
    show
end

17
Securing Access: Restricting Host IPs

• Default allows all external IPs to connect
• Not all external hosts need to be allowed to connect
• Specific hosts can be specified
• Entire list can be negated in the CLI
o All IPs are allowed EXCEPT the ones listed
config vpn ssl setting
    set source-address-negate {enable|disable}
    set source-address6-negate {enable|disable}
end
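The allow-list and negated-list semantics described on this slide, modelled in Python as an added example (not FortiGate code) so they can be checked offline before a change is pushed. It assumes, as the slide states, that an empty list admits every external host, that entries are IP networks or single hosts, and that IPv4 and IPv6 keep separate lists and separate negate flags (source-address vs. source-address6); the sample lists are constructed.

```python
"""Model of the SSL VPN source-address restriction (added example, not FortiGate code)."""
import ipaddress

# Constructed sample lists, not taken from the slides.
SAMPLE_IPV4_LIST = ["203.0.113.0/24", "198.51.100.17"]
SAMPLE_IPV6_LIST = ["2001:db8:abcd::/48"]


def source_allowed(client_ip, source_address=(), negate=False,
                   source_address6=(), negate6=False):
    """Return True if client_ip may reach the SSL VPN login portal.

    source_address / source_address6: iterables of networks or hosts.
    negate / negate6: when True the list becomes a deny-list
    (all IPs are allowed EXCEPT the ones listed).
    """
    ip = ipaddress.ip_address(client_ip)
    # IPv4 and IPv6 are evaluated against their own list and negate flag (assumption).
    if ip.version == 4:
        entries, neg = source_address, negate
    else:
        entries, neg = source_address6, negate6
    if not entries:
        return True  # default: all external IPs may connect
    # strict=False lets a host written with a prefix (e.g. "10.0.0.5/24") parse.
    listed = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return not listed if neg else listed


def evaluate_clients(clients, **kwargs):
    """Evaluate a batch of client addresses against one setting."""
    return {c: source_allowed(c, **kwargs) for c in clients}


if __name__ == "__main__":
    sample_clients = ["203.0.113.5", "192.0.2.1", "2001:db8:abcd::1", "2001:db8:ffff::1"]
    for neg in (False, True):
        print(f"negate={neg}:",
              evaluate_clients(sample_clients,
                               source_address=SAMPLE_IPV4_LIST, negate=neg,
                               source_address6=SAMPLE_IPV6_LIST, negate6=neg))
```

Note that enabling the negate flag on a list that was built as an allow-list inverts its meaning, so the two settings should always be reviewed together.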

18
SSL VPN Monitor

[Screenshot: SSL VPN Monitor, with callouts]
• A ‘Subsession’ row below a user means that it is tunnel mode
• SSL VPN IP address for the user ‘fortinet’
• Web-only user

19
SSL VPN Policy De-Authentication

• Firewall policy authentication session is associated with SSL VPN tunnel session
• Forces expiration of firewall policy authentication session when associated SSL VPN tunnel session has ended
o Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates the SSL VPN tunnel session
• SSL VPN authentication is not subject to the Firewall authentication timeout setting
o Separate idle setting for SSL VPN
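A small simulation of the behaviour this slide describes, added here as an example and not FortiGate code: a gateway that expires the firewall policy authentication session when the tunnel ends is compared with one that lets the session live until its own timeout, using a constructed one-address tunnel pool so that the next user receives the same IP. The user names, the pool address and the 300-second timeout are constructed values.

```python
"""Model of SSL VPN policy de-authentication (added example, not FortiGate code)."""


class Gateway:
    """Minimal SSL VPN gateway: tunnels keyed by assigned IP, policy auth sessions keyed by IP."""

    def __init__(self, deauth_on_tunnel_end, auth_timeout=300):
        self.deauth_on_tunnel_end = deauth_on_tunnel_end
        self.auth_timeout = auth_timeout          # firewall authentication timeout (seconds)
        self.free_ips = ["10.212.134.200"]        # constructed pool of a single address
        self.tunnels = {}                         # assigned ip -> user
        self.auth_sessions = {}                   # assigned ip -> (user, expires_at)

    def open_tunnel(self, user):
        """Assign the next free pool address to a new tunnel session."""
        ip = self.free_ips.pop(0)
        self.tunnels[ip] = user
        return ip

    def hit_identity_policy(self, ip, now):
        """First packet from the tunnel matches the identity-based policy: auth session created."""
        user = self.tunnels[ip]
        self.auth_sessions[ip] = (user, now + self.auth_timeout)

    def close_tunnel(self, ip):
        """Tunnel session ends; the address returns to the pool."""
        del self.tunnels[ip]
        self.free_ips.append(ip)
        if self.deauth_on_tunnel_end:
            self.auth_sessions.pop(ip, None)  # force expiry of the policy auth session

    def authenticated_user(self, ip, now):
        """User the policy currently attributes to traffic from ip, or None if a login is required."""
        session = self.auth_sessions.get(ip)
        if session is None or session[1] <= now:
            self.auth_sessions.pop(ip, None)
            return None
        return session[0]


def reuse_scenario(deauth_on_tunnel_end):
    """user_a logs in, gets the only pool address and disconnects; user_b then gets the same address.

    Returns the user the policy attributes to user_b's traffic before user_b has authenticated.
    """
    gw = Gateway(deauth_on_tunnel_end)
    ip = gw.open_tunnel("user_a")
    gw.hit_identity_policy(ip, now=1)
    gw.close_tunnel(ip)
    ip_again = gw.open_tunnel("user_b")
    assert ip_again == ip  # the pool re-issued the same address
    return gw.authenticated_user(ip_again, now=12)  # well inside the 300 s timeout


if __name__ == "__main__":
    print("de-authentication on :", reuse_scenario(True))   # None: user_b must log in
    print("de-authentication off:", reuse_scenario(False))  # user_a: stale session reused
```

With de-authentication on, the second user's traffic matches no authentication session and must log in; with it off, the stale session for the first user would still be applied to whoever now holds that address until the firewall authentication timeout expires it.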

20
Configuration Steps

1. Set up user accounts and groups
2. Configure the Portal(s)
3. Configure the SSL VPN general settings
4. Create Firewall Policy/Policies for login
5. (Optional) Create Firewall Policy/Policies for traffic to internal network

21
Step 1: User Accounts and Groups

• SSL VPN supports the following authentication methods:
o Local Password Authentication
o Remote Password Authentication (or Server-based authentication):
  • LDAP
  • RADIUS
  • TACACS+
  • POP3
• Additionally, Two-Factor Authentication is supported
[Figure: User name and password (one factor) + Token code (two factor)]

22
Step 2: Configure the Portal(s)

• Portals provide users access to required resources
• Bookmarks, Tunnel mode, etc.
[Screenshot: portal configuration, with callouts “Tunnel mode” and “Bookmarks”]

23
SSL VPN Portal Example

24
Step 3: Connection settings

[Screenshot: SSL VPN connection settings, with callouts]
• Interface(s) that provide an SSL VPN login portal
• Web portal port number
• SSL VPN idle logout
• Certificate presented to clients. Use a certificate issued by a Certificate Authority (CA) to avoid web browser warnings

25
SSL VPN login vs. Administrator login

• By default, administrator access and SSL VPN both use the same port for HTTPS
o Valid configuration
• Administrator access may not be available through all interfaces
• SSL VPN login may not be available through all interfaces
• If both features use the same port and are enabled on the same interface, only SSL VPN login appears

26
Step 3: Tunnel Mode Client Settings

[Screenshot: tunnel mode client settings, with callouts]
• Range of IPs assigned to tunnels
• Settings to apply to DNS traffic across the tunnel

27
Step 3: Authentication Portal Mapping

• Default rule for “All Other Users/Groups” is required
o Only the portal for the default rule can be changed

28
Step 4: Firewall Policies to/from the SSL VPN interface

• Tunnel interface is called ssl.<vdom>
o ‘root’ is the default base VDOM
o Outgoing interface should be the listening interface(s)

29
Example: Firewall Policy

• ssl.root > wan1 policy enables portal and user authentication
• Access to resources beyond wan1 is also enabled
[Figure: wan1 and internal interfaces of the FortiGate]
config firewall policy
    edit 5
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Accountants" "Students" "Teachers"
        set nat enable
    next
end

30
Step 5: Policies for traffic to internal resources

• All traffic generated by the user exits the ssl.<vdom> interface
• Applies to web and tunnel mode
[Figure: wan1, internal (Student Records) and DMZ (Exchange) interfaces of the FortiGate]
config firewall policy
    edit 11
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Mail_Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Accountants"
        set nat enable
    next
    edit 12
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Records_Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Accountants" "Teachers"
        set nat enable
    next
end
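Steps 4 and 5 produce several policies from the ssl.<vdom> interface, and it is easy for one of them to end up broader than intended. The following Python script, added here as an example and not Fortinet code, parses a `config firewall policy` block in the CLI export format these slides use and applies two least-privilege checks to every SSL VPN policy: a missing `set groups` line (no user or group bound, so any authenticated SSL VPN user matches) and `set dstaddr "all"`. The sample configuration is constructed from policies 5 and 12 shown on the slides plus an invented policy 13 that is deliberately too permissive; the audit rules are this example's own heuristics, not a FortiOS feature.

```python
"""Parse FortiGate `config firewall policy` text and audit SSL VPN policies (added example)."""
import shlex

# Constructed sample: policies 5 and 12 from the slides plus an invented, over-broad policy 13.
SAMPLE_CONFIG = """\
config firewall policy
    edit 5
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Accountants" "Students" "Teachers"
        set nat enable
    next
    edit 12
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Records_Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Accountants" "Teachers"
        set nat enable
    next
    edit 13
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_firewall_policies(text):
    """Return {policy_id: {setting: [values]}} for each `edit` block in `config firewall policy`."""
    policies = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the CLI's double-quoted, space-separated values
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_section = True
        elif not in_section:
            continue  # ignore other config sections
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = int(tokens[1])
            policies[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            policies[current][tokens[1]] = [v.strip() for v in tokens[2:]]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_section = False
    return policies


def audit_sslvpn_policies(policies):
    """Return (policy_id, message) findings for accept policies whose source interface is ssl.*."""
    findings = []
    for pid, p in sorted(policies.items()):
        if not any(i.startswith("ssl.") for i in p.get("srcintf", [])):
            continue
        if p.get("action", ["deny"]) != ["accept"]:
            continue
        if not p.get("groups"):
            findings.append((pid, "no group bound: any authenticated SSL VPN user matches"))
        if "all" in p.get("dstaddr", []):
            findings.append((pid, "dstaddr 'all': no destination restriction"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_sslvpn_policies(parse_firewall_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Running it flags only policy 13; policies 5 and 12 pass because each names a destination address object and binds specific groups. The same parser can be pointed at a full `show firewall policy` export, since lines outside the `config firewall policy` section are skipped.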

31
Review

• VPN
• SSL VPN vs. IPsec VPN
• Web-only mode, tunnel mode (including split-tunneling), and port forwarding
• Methods of connecting to SSL VPN tunnels
• Portals, bookmarks, and realms
• Securing SSL VPN access
• Monitoring SSL VPN users
• Configuring SSL VPN

32
