Enable SSL VPN on FortiGate and Connect It With FortiClient (Free Lab) – 51 Security

Enable SSL VPN on FortiGate and Connect It With FortiClient (Free Lab) – 51 Security

Posted on By Puoka No Comments on Enable SSL VPN on FortiGate and Connect It With FortiClient (Free Lab) – 51 Security


Now, you should be able to SSL-VPN Section under VPN menu.

1 VPN -> SSL-VPN Settings

Most settings are default. But you will need to add interface on the listen list. Ideally, change Listen on Port to a different port from 443. In this example, I am using 4443. 

note: Default tunnel user range is only 10 ip addresses. If you have more than 10, you might want to increase it by customizing a larger range there.

2 Autentication/Portal mapping

Change All Other Users/Groups to have tunnel-access to Portal.

You can have an admin group / users to have full-access to Portal. 

3 SSL VPN Client Address Range

By default, it is automatically assigned by FortiGate.

In the above screenshot, it uses automatically assign range: 10.212.134.200 -10.212.134.210

The range can be customized for larger numbers based on your usage. 

Use Fortinet_Factory Server Certificate

 To make lab as simple as we can, we are gonna use Fortinet_Factory cert.

It is possible to directly create your own certificate using Let’s Encrypt. 

You might get this cert warning message when you access the portal by using default cert since it wont be able verified:

Policies and Users

 

1 SSL VPN > LAN

This firewall rule is to allow SSL VPN network to access LAN (Internal) networks.

You will need to choose incoming interface, outgoing interface, source (including users), destination, and services. Others, you can keep it as default. 

You can use NAT with outgoing interface address, which is your FortiGate LAN interface IP, or you can completely disable NAT. 

Logging is also can be enabled for all sessions. 

Here is how the SSL VPN Firewall Policy rule looks like:

2 Remote Users and Group

Create a Remote Users group. Add a couple of remote users into this group. 

3 Check Forwarded Log since we enabled all sessions logging

FortiClient Configuration and Connect to Remote

 

1 Send SSL-VPN Configuration

2 Download FortiClient

https://www.fortinet.com/support/product-downloads

3 Install FortiClient

Double click the downloaded installation file “FortiClientVPNOnlineInstaller.exe” and follow installation wizard to complete installation.

4 Configure FortiClient to connect to remote FortiGate SSLVPN Gateway 

Make sure put right public ip address and SSLVPN Port. 

Remote Access VPN (IPSec)

 

This is remote IPSec VPN configuraiton.

Enable SSL VPN Web Portal

 

SSL VPN web mode gets the error as below when configured with SAML authentication.

 

Picture1.png

 

  1. Make sure web-mode is enabled in the SSL VPN portal:

 

config vpn ssl web portal

    edit “full-access”

        set web-mode enable

 

Warning: Please note that the legacy SSL VPN web mode feature is disabled by the global sslvpn-web-mode setting.

 

Picture2.png

 

  1. As the warning displayed, web mode is disabled globally so can not enable it in the full-access portal directly.

     

    Enable the web-mode globally first:

    config sys global

        set sslvpn-web-mode enable

    end

     

Now the web mode of SSL VPN should work as expected after enabling web-mode for specific portals. To enable the web mode for specific portals run the command as shown in step 1. 

 

If the issue persists, contact the TAC team.

Note:https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-web-mode-showing-403-Forbidden-error/ta-p/297377

FortiGate # show vpn ssl web portal 
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
    edit "web-access"
        set web-mode enable
    next
    edit "tunnel-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

FortiGate #

Quick test VPN tunnel by pinging to remote Ubuntu vm 10.0.3.4:

C:\Users\WDAGUtilityAccount>ping 10.0.3.4

Pinging 10.0.3.4 with 32 bytes of data:
Reply from 10.0.3.4: bytes=32 time=39ms TTL=63
Reply from 10.0.3.4: bytes=32 time=47ms TTL=63
Reply from 10.0.3.4: bytes=32 time=38ms TTL=63
Reply from 10.0.3.4: bytes=32 time=38ms TTL=63

Ping statistics for 10.0.3.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 47ms, Average = 40ms

C:\Users\WDAGUtilityAccount>tracert 10.0.3.4

Tracing route to 10.0.3.4 over a maximum of 30 hops

  1    33 ms    36 ms    37 ms  10.212.134.200
  2    34 ms    35 ms    34 ms  10.0.3.4

Trace complete.

SSL VPN FortiClient Connect to Azure VPN Gateway’s Remote site

There is a special use case, which FortiGate firewall is providing SSL VPN connection, but Azure VPN Gateway provides Site to Site connection to remote site. How can we get our FortiClient to connect to remote site through Azure VPN tunnel?

1. SSL VPN Portal

Make sure add your remote site segment into Routing Address Override settings in your Tunnel-Access profile or other profiles

Note: The routing address override settings will be pushed to Forticlient machine’s routing table.

You can check them using “route print” command from CMD window once you connected your Forticlient to Fortigate. 

2. Add one route into your FortiGate routing tables. 

The gateway will be the Azure LAN network’s default gateway .1 ip address.

3. Firewall Rule in the FortiGate policy enabled NAT on LAN interface.

That is important in some cases to make your traffic passing through firewall. 

Password expiration policy for SSL VPN local user

Note: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Password-expiration-policy-for-SSL-VPN-local-user/ta-p/192723

To configure SSL VPN users to change their password in the local user database before it expires

The password policy is used to configure the password renewal frequency (every 2 days for instance) and the warning that normally occurs the day before the expiration date. Password policy can be applied to any local user password.

The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

 

In FortiOS 7.0, users are warned as per warn-days set and they have to renew their password before it get expire, which is based on the expire-days mentioned in the password policy. The user cannot renew the password and need to contact the FortiGate administrator for assistance. 


In FortiOS 6.2, users are warned one day before the expiry date of the password and they have one day to renew it. When the password is expired, the user cannot renew the password and need to contact the FortiGate administrator for assistance.

In FortiOS 6.0/5.6, users are warned one day before the expiry date of the password. Users can still renew the password even after the password has expired.

Configure and assign the password policy using the CLI

The following commands are used to configure a password policy that includes an expiration date and a warning time. 

 

#config user password-policy
    edit “pwpolicy1”          <- password policy name.
        set expire-days 5     <- password expiry.
        set warn-days 3       <- warning notification for password going to be expire soon.
        set expired-password-renewal disable  <- if enable this option is, after the password expires, still end user can renew the password, with no need to depend upon FortiGate Administrator. 
    next

end

 

Assign the password policy to the newly created user.

 

#config user local

    edit “sslvpnuser1”     <- local username.
        set type password
        set passwd-policy “pwpolicy1”    <- applying password policy.
        set passwd-time 2021-11-26 22:46:15    <- the default start time for the password, this is the time when the user was created.
        set passwd  xyz   <- password.
    next
end

 

Once the user is reached warn-days, the user will get the below prompt, while connecting to SSL VPN by entering old username and password. It will redirect to enter a new password for the same.

KB-forticlient password change.PNG

 

Once a user changes his password,  ‘passwd-time‘ will get changed again. 

 

# config user local

    edit “sslvpnuser1”

     set type password
     set passwd-policy “pwpolicy1”
     set passwd-time 2021-11-30 23:34:30  <- passwd-time has been changed.
     set passwd ENC +sddai212=

    next

end

 

Note that, currently, the Password renewal for local users when using the Dial IPSec VPN is not supported.

As to the password complexity policy to apply to SSL VPN Users, here are some documents we can reference to:

Computer Networking

More Related Articles

FortiOS Basic Configuration Tips and Tricks (Commands) 2 – 51 Security FortiOS Basic Configuration Tips and Tricks (Commands) 2 – 51 Security Computer Networking
Using Microsoft Native Tools To Deploy Legit & Genuine Office 365/2021 For Free – 51 Security Using Microsoft Native Tools To Deploy Legit & Genuine Office 365/2021 For Free – 51 Security Computer Networking
A Comprehensive Review of the New CCNA Exam 200-301 Version 1.1 A Comprehensive Review of the New CCNA Exam 200-301 Version 1.1 Computer Networking
Configure CyberArk PSM-SSH With the Support of HTML5 and AutoLogonSequenceWithLogonAccount – 51 Security Configure CyberArk PSM-SSH With the Support of HTML5 and AutoLogonSequenceWithLogonAccount – 51 Security Computer Networking
AWS Cloud Practitioner Practice Exams – Just .99 AWS Cloud Practitioner Practice Exams – Just $9.99 Computer Networking
[5 Mins Docker] Build Your Own Network Latency Monitoring Sites Using Smokeping – 51 Security [5 Mins Docker] Build Your Own Network Latency Monitoring Sites Using Smokeping – 51 Security Computer Networking

Leave a Reply

Your email address will not be published. Required fields are marked *