FortiGate SSL VPN v5.4

This post walks through setting up remote users to access your network over an SSL VPN connection, either in tunnel mode (FortiClient) or in web mode (a browser).

For this example we're using a full tunnel rather than split tunneling.  This means all traffic (including Internet traffic) goes through the firewall, so the remote client is covered by the firewall's security features while connected.

This example will authenticate with local user accounts.

Step 1:  Create a local user

  1. On your FortiGate go to User & Device –> User Definition
  2. Click Create New
  3. Select Local User and click Next
  4. Enter a unique username and a strong password and click Next
  5. Enter an email address (optional) and click Next
  6. Enable User Account and click Create

Step 2: Create a user group for SSL VPN users

  1. On your FortiGate go to User & Device –>User Groups
  2. Click Create New
  3. Name the group something meaningful, like SSL-VPN-Local-Users
  4. Add the user(s) created above and click OK

Step 3:  Create a SSL VPN Portal for your remote users

  1. On your FortiGate go to VPN –>SSL-VPN Portals
  2. Edit the full-access portal.  The full-access portal allows the use of tunnel mode and web mode.
  3. Make sure Enable Split Tunneling is not selected, otherwise Internet traffic won’t go through the firewall.
  4. Set Source IP Pools to use the default IP range SSLVPN_TUNNEL_ADDR1 (or create your own address object that doesn’t overlap any subnet already in use and use that).
  5. (Optional) Under Predefined Bookmarks select create new to add a new bookmark.  Bookmarks are used as links to internal resources.  They can be used for the following types of resources:
    • Citrix
    • FTP
    • HTTP/HTTPS
    • Port Forward
    • RDP
    • SMB/CIFS
    • SSH
    • Telnet
    • VNC
  6. Click OK to save


Step 4:  Configure the SSL VPN tunnel mode

  1. On your FortiGate go to VPN –>SSL-VPN Settings
  2. Set the Listen on Interfaces to listen on your WAN interface(s)
  3. Set the Listen on Port to something other than 443 to avoid a conflict with the admin GUI.  10443 is the commonly advised port.
  4. Set Restrict Access to Allow Access from any host.  If your remote users always come from known addresses, Limit access to specific hosts is the safer choice, since it keeps the login page off the open Internet.
  5. In this example the Fortinet_Factory certificate is shown as the server certificate.  It’s highly recommended that you replace it with a certificate from a CA your users’ browsers trust before going to production (see Wrap up below).
  6. In New Authentication/Portal Mapping, add the SSL-VPN-Local-Users group to the full-access portal and click OK

Step 5:  Add security policies for access to the LAN

  1. On your FortiGate go to Policy & Objects –> IPv4 Policy
  2. Click Create new
  3. Give it a descriptive name like SSLVPN-Internal
  4. Set the Incoming interface to SSL-VPN tunnel interface (ssl.root)
  5. Set the Outgoing Interface to lan
  6. Set the source to All (for addresses) AND SSL-VPN-Local-Users (for users), you need both.  Using the SSLVPN_TUNNEL_ADDR1 pool instead of All as the source address is tighter, since only VPN clients ever hold those addresses
  7. Set the destination address for the address object of your local lan
  8. Set the service to All
  9. Enable NAT
  10. (Optional) Enable any security services you want enabled for this connection
  11. Click OK

Step 6:  Add another security policy to allow access to the Internet

  1. On your FortiGate go to Policy & Objects –> IPv4 Policy
  2. Click Create new
  3. Give it a descriptive name like SSLVPN-Internet
  4. Set the Incoming interface to SSL-VPN tunnel interface (ssl.root)
  5. Set the Outgoing Interface to your WAN interface (wan1 in this example), not lan
  6. Set the source to All (for addresses) AND SSL-VPN-Local-Users (for users), you need both
  7. Set the destination address to all, since this policy carries the clients’ Internet traffic
  8. Set the service to All
  9. Enable NAT
  10. (Optional) Enable any security services you want enabled for this connection
  11. Click OK

Step 7:  Setup the VPN client

  1. If you haven’t already installed the FortiClient (the VPN client) download it from www.forticlient.com and install it
  2. Open the FortiClient program and go to the Remote Access tab
  3. Click Add a new connection
  4. Set the VPN Type to SSL VPN
  5. Give it a descriptive Connection Name
  6. Enter your device’s public IP address (or DNS name) in Remote Gateway
  7. Customize the port to the one you set in Step 4 (10443 in this example)
  8. Click Add

Step 8:  Test!

  • To connect with a web browser, point your browser to your device’s public IP and the port we set above. For example, https://1.1.1.1:10443/ (with 1.1.1.1 replaced by your address)
    • Enter your credentials and you should get access to the portal, giving you any bookmarks you created
  • To connect with the FortiClient, start the FortiClient and go to the Remote Access tab.  Enter your credentials and click Connect

Wrap up

It’s highly advised to not use the built-in Fortinet_Factory certificate for production SSL VPN usage.  It isn’t issued by a CA your browsers trust, so users get certificate errors, you get questions, and, worse, users learn to click through the warning, which is exactly the habit an attacker impersonating your VPN gateway relies on.  Check out this post for adding an SSL certificate to your VPN.

Also check out this post for adding FortiGate AD authentication for SSL VPN v5.4.
