
Fortinet SSLVPN offers a range of features and modes to cater to different user needs.
The FortiGate SSLVPN supports multiple authentication modes, including username/password, RADIUS, and TACACS+.
One of the most notable features is the ability to use the AnyConnect SSLVPN client, which provides a secure connection to the network.
This client supports multiple operating systems, including Windows, macOS, and Linux.
FortiGate SSLVPN also includes a built-in RDP server, allowing users to access remote desktops securely.
This feature is particularly useful for remote workers who need to access applications and data on the company network.
The SSLVPN also supports multiple VPN protocols, including SSL/TLS and IPsec.
Suggestion: Fortinet Fortigate 800d Ngfw End of Life
SSL VPN Configuration
To configure an SSL VPN on a FortiGate, you need to enable the SSL VPN feature visibility. This can be done by running the command `config system settings` and setting `gui-sslvpn` to `enable`.
The first step in configuring the SSL VPN server is to create a new user and user group. This involves configuring the interface and firewall address, as well as setting up the user and user group.
For another approach, see: Fortigate Ssl Vpn Configuration
Here are the steps to configure the SSL VPN client:
1. Download FortiClient from the official website.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection and select Customize Port, setting it to 10443.
4. Save your settings and use the credentials you've set up to connect to the SSL VPN tunnel.
To configure the SSL VPN server, you need to create a new PKI user and set the CA to the CA certificate used to verify the client certificate. You also need to create a new SSL VPN portal and configure the SSL VPN settings, including the authentication rule for user mapping.
Here are the steps to create a new SSL VPN portal:
1. Go to VPN > SSL-VPN Portals and click Create New.
2. Set the Name to testportal2 and enable Split Tunneling.
3. Set Source IP Pools to SSLVPN_TUNNEL_ADDR1.
To configure the SSL VPN client, you need to create a new virtual interface and configure the SSL VPN client settings, including the username, pre-shared key, and client certificate.
Here are the steps to create a new virtual interface:
1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the policy to allow incoming traffic from the SSL VPN server.
To configure the SSL VPN client, you need to create a new PKI user and set the CA to the CA that signed the certificate used by the SSL VPN server.
Here are the steps to create a new PKI user:
1. Go to User & Authentication > PKI and click Create New.
2. Set the Name to fgt_gui_automation and set the CA to the CA certificate used to verify the client certificate.
To configure the SSL VPN settings, you need to create a new authentication rule and set the user peer to the PKI user.
Here are the steps to create a new authentication rule:
1. Go to VPN > SSL-VPN Settings and enable SSL-VPN.
2. Set Listen on Interface(s) to port2 and set Listen on Port to 1443.
Here is a summary of the steps to configure the SSL VPN server:
- Create a new user and user group
- Create a new PKI user and set the CA to the CA certificate used to verify the client certificate
- Create a new SSL VPN portal and configure the SSL VPN settings, including the authentication rule for user mapping
- Create a new firewall policy to allow incoming traffic from the SSL VPN server
Here is a summary of the steps to configure the SSL VPN client:
- Download FortiClient and open the FortiClient Console
- Add a new connection and select Customize Port, setting it to 10443
- Save your settings and use the credentials you've set up to connect to the SSL VPN tunnel
- Create a new virtual interface and configure the SSL VPN client settings, including the username, pre-shared key, and client certificate
- Create a new PKI user and set the CA to the CA that signed the certificate used by the SSL VPN server
- Create a new authentication rule and set the user peer to the PKI user
SSL VPN Security
SSL VPNs have long been a popular method for secure remote access, especially due to their ease of deployment and compatibility with restrictive networks.
However, Fortinet's SSL VPN has faced numerous security challenges in recent years, including high-profile vulnerabilities that have been actively exploited in the wild.
These vulnerabilities have led to a growing number of breaches, including authentication bypass flaws, heap buffer overflows, and weaknesses in session management.
Fortinet's decision to remove support for SSL VPN tunnel mode is a direct response to this risk landscape, aiming to reduce the attack surface and encourage customers to transition to a more secure alternative.
The accumulation of security incidents has clearly eroded trust in SSL VPN as a robust remote access method, making this move a necessary step in prioritizing customer security.
Readers also liked: Fortinet Security Fabric
SSL VPN Modes
SSL VPN modes provide flexibility in how remote users access the network. There are two main modes: tunnel mode and web mode.
Tunnel mode encrypts all traffic from the remote client computer and sends it to the FortiGate through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate. It provides an easy-to-use encrypted tunnel that will traverse almost any infrastructure.
In tunnel mode, all client traffic is encrypted, allowing users and networks to exchange a wide range of traffic, regardless of the application or protocols. This mode is suitable for users who require a wide range of applications and protocols to be accessed by the remote client.
Web mode, on the other hand, provides clientless network access using a web browser with built-in SSL encryption. Users authenticate to FortiGate's SSL VPN Web Portal, which provides access to network services and resources.
Here are the key differences between tunnel mode and web mode:
Ultimately, the choice between tunnel mode and web mode depends on the specific needs of your organization and users.
Tunnel Mode
Tunnel mode is a great option for those who need to access a wide range of applications and protocols from a remote location. It's easy to use and provides an encrypted tunnel that can traverse almost any infrastructure.
In tunnel mode, the FortiGate establishes a tunnel with the client and assigns an IP address to the client from a reserved range of addresses. This is similar to an IPsec VPN tunnel, where all client traffic is encrypted.
One of the key benefits of tunnel mode is that it allows users to access a wide range of traffic, regardless of the application or protocols. This makes it a great option for those who need to RDP to their server or access other remote resources.
Here are some scenarios where tunnel mode is particularly useful:
- A user needs to access multiple applications and protocols from a remote location.
- No proxying is done by the FortiGate.
- Straightforward configuration and administration is required.
- A transparent experience for the end user is needed.
It's worth noting that full tunneling forces all traffic to pass through the FortiGate, while split tunneling only routes traffic to the designated network through the FortiGate. When setting up firewall policies, be sure to avoid setting "all" as the destination address when using split tunneling, as this can cause misconfigurations and complicate troubleshooting efforts.
Web Mode
Web mode is a clientless solution that provides access to network services and resources through a web portal. Users authenticate to the FortiGate's SSL VPN Web Portal, which provides access to services like HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.
All communication between the FortiGate and the user remains over HTTPS, regardless of the service being accessed. The clipboard can be disabled for SSL VPN web mode RDP/VNC connections.
A clientless solution in which all remote services are accessed through a web portal, tight control over the contents of the web portal, and limited services provided to remote users are the key characteristics of web mode.
To enable SSL VPN web mode, you need to go to System > Feature Visibility, enable SSL-VPN, and click Apply. If this setting is disabled, even though SSL VPN tunnel mode can be correctly configured, an error message will appear when trying to access SSL VPN web mode.
Intriguing read: Fortinet Web Filtering
A user must have valid username and password credentials to log in to an SSL VPN web portal, in addition to other multi-factor authentication components that may be configured.
The following services are provided through the web portal:
- HTTP/HTTPS
- Telnet
- FTP
- SMB/CIFS
- VNC
- RDP
- SSH
The session information is displayed in the right corner of the top banner, including the elapsed time since logging in and the volume of inbound and outbound HTTP and HTTPS traffic. The Launch FortiClient button appears if FortiClient is installed, but it does not automatically create a VPN connection based on the web mode connection information.
Broaden your view: Fortinet Vpn Connection Is down
SSL VPN Client
To configure the SSL VPN client, you'll need to create a new PKI user and certificate. Set the name to "fgt_gui_automation" and select the CA certificate that's already installed on the FortiGate.
The CN of the certificate on the SSL VPN server should be set to "*.fos.automation.com". This is done by specifying the CN in the CLI using the command `config user peer edit "fgt_gui_automation" set cn "*.fos.automation.com" next end`.
You'll also need to create a new virtual interface for the SSL VPN client. In the VPN > SSL-VPN Clients section, click Create New and expand the Interface dropdown to create a new virtual interface.
Here are the key settings for the SSL VPN client:
Make sure to enable the client certificate and peer settings, and save the changes. The SSL VPN client is now configured and ready to use.
Verification
After establishing a tunnel, you can verify that it's working correctly by checking the route to specific IP addresses on your Fortinet SSL VPN device.
The route to 13.107.21.200 and 204.79.197.200 on FGT-A connects through the SSL VPN virtual interface sslclient_port1.
This means that once you've established a tunnel, you can expect to see traffic routed through the sslclient_port1 interface to these specific IP addresses.
SSL VPN Troubleshooting
Troubleshooting SSL VPN issues can be a challenge, but there are some common problems to look out for. One of the most common issues is a failed SSL VPN connection due to a mismatch between the SSL VPN server's certificate and the client's certificate.
Make sure to check the SSL VPN server's certificate and the client's certificate to ensure they match. This can be done by checking the certificate details in the SSL VPN server's configuration.
A common error message that may appear when trying to establish an SSL VPN connection is "SSL VPN connection failed due to certificate mismatch". This error message indicates that there is a problem with the certificate.
Check the SSL VPN server's configuration to ensure that the SSL VPN server's certificate is properly installed and configured. This includes checking the certificate's expiration date and ensuring it is not expired.
Another common issue is a slow SSL VPN connection. This can be caused by a high number of concurrent SSL VPN connections.
Increasing the SSL VPN server's capacity can help resolve this issue. This can be done by adding more SSL VPN servers or by optimizing the SSL VPN server's configuration.
SSL VPN Example
To configure a FortiGate as an SSL VPN client, you need to define a user named client2 in User & Authentication > User Definition.
The SSL VPN client uses a custom server certificate defined on the SSL VPN server, and the user authenticates using a PSK and a PKI client certificate.
You must have the proper CA certificate installed on the FortiGates to verify the certificate chain to the root CA that signed the certificate.
To set up the SSL VPN client, you need to create a local user, define an address object for the destination, and configure the SSL VPN client on the FortiGate.
Here are the steps to follow:
- Create a local user named client2 in User & Authentication > User Definition.
- Define an address object for the destination, such as bing.com, in Policy & Objects > Addresses.
- Configure the SSL VPN client on the FortiGate, specifying the server, port, username, pre-shared key, and client certificate.
Here's a summary of the required configuration:
Featured Images: pexels.com


