Fortigate SSL VPN With LDAP User Authentication

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 52

SSL VPN full tunnel for remote user

This is a sample configuration of remote users accessing the corporate network and internet
through an SSL VPN by tunnel mode using FortiClient.

Sample topology

Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. The port1 interface connects to the internal
network.

1. Go to Network > Interfaces and edit the wan1 interface.

2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

4. Click OK.

2. Configure user and user group.


1. Go to User & Device > User Definition to create a local user sslvpnuser1.

2. Go to User & Device > User Groups to create a group sslvpngroup with the member
sslvpnuser1.

3. Configure SSL VPN web portal.

1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-
portal.

2. Disable Split Tunneling.

4. Configure SSL VPN settings.

1. Go to VPN > SSL-VPN Settings.

2. For Listen on Interface(s), select wan1.

3. Set Listen on Port to 10443.

4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.

5. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-


access.

6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-
full-tunnel-portal.

5. Configure SSL VPN firewall policy.

1. Go to Policy & Objects > IPv4 Policy.

2. Fill in the firewall policy name. In this example, sslvpn full tunnel access.

3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).

4. Choose an Outgoing Interface. In this example, port1.

5. Set the Source to all and group to sslvpngroup.

6. In this example, the Destination is all.

7. Set Schedule to always, Service to ALL, and Action to Accept.

8. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.


2. config system interface
3. edit "wan1"
4. set vdom "root"
5. set ip 172.20.120.123 255.255.255.0
6. next
end

2. Configure the internal interface and protected subnet, then connect the port1 interface to the
internal network.
3. config system interface
4. edit "port1"
5. set vdom "root"
6. set ip 192.168.1.99 255.255.255.0
7. next
end

3. Configure user and user group.


4. config user local
5. edit "sslvpnuser1"
6. set type password
7. set passwd your-password
8. next
9. end
10. config user group
11. edit "sslvpngroup"
12. set member "vpnuser1"
13. next
end

4. Configure SSL VPN web portal and predefine RDP bookmark for windows server.
5. config vpn ssl web portal
6. edit "my-full-tunnel-portal"
7. set tunnel-mode enable
8. set split-tunneling disable
9. set ip-pools "SSLVPN_TUNNEL_ADDR1"
10. next
end

5. Configure SSL VPN settings.


6. config vpn ssl settings
7. set servercert "Fortinet_Factory"
8. set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
9. set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
10. set source-interface "wan1"
11. set source-address "all"
12. set source-address6 "all"
13. set default-portal "full-access"
14. config authentication-rule
15. edit 1
16. set groups "sslvpngroup"
17. set portal "my-full-tunnel-portal"
18. next
end

6. Configure one SSL VPN firewall policy to allow remote user to access the internal network.
Traffic is dropped from internal to remote client.
7. config firewall policy
8. edit 1
9. set name "sslvpn web mode access"
10. set srcintf "ssl.root"
11. set dstintf "port1"
12. set srcaddr "all"
13. set dstaddr "all"
14. set groups “sslvpngroup”
15. set action accept
16. set schedule "always"
17. set service "ALL"
18. next
end

To see the results:

1. Download FortiClient from www.forticlient.com.

2. Open the FortiClient Console and go to Remote Access.

3. Add a new connection.

o Set VPN Type to SSL VPN.

o Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.

4. Select Customize Port and set it to 10443.

5. Save your settings.

6. Use the credentials you've set up to connect to the SSL VPN tunnel.

7. After connection, all traffic except the local subnet will go through the tunnel FGT.

8. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.

9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL
entry.

Fortigate SSL VPN with LDAP User Authentication

The documentation was pretty inaccurate/unclear on a lot of this, so there was a bit of trial
and error. This assumes you're already familiar with setting up SSL VPN and already have it
working with local user accounts. Here's how you do it:

Pre-requisites
 You need your SSL VPN portal and settings configured already
 You should also have already created your SSL VPN policy (allowing from the SSL
VPN interface to your LAN)
 The above requires you to add a user or group already, you can re-use that group for
the items below if desired
Set up LDAP Server
I'm using Active Directory, but you can use any LDAP based directory service. The example
below assumes your AD domain is domain.local.

1. Navigate to User & Device > LDAP Server


2. Add a new server and enter the settings:
o Name: this is the friendly name, i usually just put the hostname in
o Server IP: obvious
o Server Port: leave this default unless you know what you're doing
o Common Name Identifier: This defaults to CN, which means Common Name.
This is dumb. Your users are not going to log in as "Bob Smith", they're going
to log in as bsmith or [email protected]. Set this to userprincipalname if
you want them to use their UPN ([email protected]) or maybe
samaccountname if you want them to just use their username.
o Distinguished Name: You can't use the Browse button until you fill out the rest
of this page, but this can just be DC=domain,DC=local. Note: if you choose to
scope this further than the domain as listed, your group (in the next
section) must be in scope.
o Bind Type: Regular
o Username/Password: You can start off with a domain admin for testing, but
ultimately you should create an unprivileged service account to use here
o Secure Connection/Protocol: I used secure and selected LDAPS. If you don't
have LDAPS then don't use it.
o At this point you should be able to Test Connectivity and get a success.

Set up your group


1. In Active Directory, create a group and add users to it. I called mine SSL VPN Users
2. In the Fortigate, navigate to User & Device > User Groups
3. Click on Create New
4. Name the group the same as you created in AD (this isn't important, just a friendly
name)
5. Select Firewall as the type
6. Under the Remote Groups section, click Add, select your LDAP server, and then
search/select your group.
7. Important: You have to right click on it and select Add Selected. After that, hit OK,
not before.
8. Hit OK again to save the group
9. Configure your SSL VPN firewall policy to use this group for authentication

Testing
At this point you should be done, because you already set up your SSL VPN, right? You
should be able to log in as the user now, you can go to Log & Report > VPN Events to see
what the error is if you're not able to log in. You can also use the command diag test
authserver ldap "YOUR LDAP SERVER NAME" [email protected]
yourpassword to do a direct test.
SSL VPN with LDAP-integrated certificate authentication

This is a sample configuration of SSL VPN that requires users to authenticate using a
certificate with LDAP UserPrincipalName checking.

This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer,
the certificate authority, and the LDAP server.

Sample topology

Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.

In this sample, the User Principal Name is included in the subject name of the issued
certificate. This is the user field we use to search LDAP in the connection attempt.

To use the user certificate, you must first install it on the user’s PC. When the user tries to
authenticate, the user certificate is checked against the CA certificate to verify that they
match.

Every user should have a unique user certificate. This allows you to distinguish each user and
revoke a specific user’s certificate, such as if a user no longer has VPN access.
To install the server certificate:

The server certificate is used for authentication and for encrypting SSL VPN traffic.

1. Go to System > Feature Visibility and ensure Certificates is enabled.

2. Go to System > Certificates and select Import > Local Certificate.

o Set Type to Certificate.

o Choose the Certificate file and the Key file for your certificate, and enter the
Password.

o If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

To install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user
certificate. In this example, it is used to authenticate SSL VPN users.

1. Go to System > Certificates and select Import > CA Certificate.

2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In this


example, it is called CA_Cert_1.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. The port1 interface connects to the internal
network.

1. Go to Network > Interfaces and edit the wan1 interface.

2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

4. Click OK.

5. Go to Firewall & Objects > Address and create an address for internet subnet
192.168.1.0.

2. Configure the LDAP server.

1. Go to User & Device > LDAP Servers > Create New.

 Specify Name and Server IP/Name.


 Set Distinguished Name to dc=fortinet-fsso,dc=com.

 Set Bind Type to Regular.

 Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com.

 Set Password.

3. Configure PKI users and a user group.

To use certificate authentication, use the CLI to create PKI users.

config user peer


edit user1
set ca CA_Cert_1
set ldap-server "ldap-AD"
set ldap-mode principal-name
end

When you have create a PKI user, a new menu is added to the GUI.

1. Go to User & Device > PKI to see the new user.

2. Go to User & Device > User > User Groups and create a group sslvpn-group.

3. Add the PKI peer object you created as a local member of the group.

4. Add a remote group on the LDAP server and select the group of interest.

You need these users to be members using the LDAP browser window.

4. Configure SSL VPN web portal.

1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

This portal supports both web and tunnel mode.

2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the
FortiGate.

5. Configure SSL VPN settings.

1. Go to VPN > SSL-VPN Settings.

2. Select the Listen on Interface(s), in this example, wan1.

3. Set Listen on Port to 10443.

4. Set Server Certificate to the authentication certificate.

5. Enable Require Client Certificate.


6. Under Authentication/Portal Mapping, set default Portal web-access for All Other
Users/Groups.

7. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal


full-access.

6. Configure SSL VPN firewall policy.

1. Go to Policy & Objects > IPv4 Policy.

2. Fill in the firewall policy name. In this example, sslvpn certificate auth.

3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).

4. Set the Source Address to all and Source User to sslvpn-group.

5. Set the Outgoing Interface to the local network interface so that the remote user can
access the internal network. In this example, port1.

6. Set Destination Address to the internal protected subnet 192.168.1.0.

7. Set Schedule to always, Service to ALL, and Action to Accept.

8. Enable NAT.

9. Configure any remaining firewall and security options as desired.

10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.


2. config system interface
3. edit "wan1"
4. set vdom "root"
5. set ip 172.20.120.123 255.255.255.0
6. next
end

2. Configure internal interface and protected subnet, then connect the port1 interface to the
internal network.
3. config system interface
4. edit "port1"
5. set vdom "root"
6. set ip 192.168.1.99 255.255.255.0
7. next
8. end
9. config firewall address
10. edit "192.168.1.0"
11. set subnet 192.168.1.0 255.255.255.0
12. next
end

3. Configure the LDAP server.


4. config user ldap
5. edit "ldap-AD"
6. set server "172.18.60.206"
7. set cnid "cn"
8. set dn "dc=fortinet-fsso,dc=com"
9. set type regular
10. set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
11. set password ldap-server-password
12. next
end

4. Configure PKI users and a user group.


5. config user peer
6. edit user1
7. set ca CA_Cert_1
8. set ldap-server "ldap-AD"
9. set ldap-mode principal-name
10. end
11.
12. config user group
13. edit "sslvpn-group"
14. set member "ldap-AD" "test3"
15. config match
16. edit 1
17. set server-name "ldap-AD"
18. set group-name "CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM"
19. next
20. end
21. next
end

5. Configure SSL VPN web portal.


6. config vpn ssl web portal
7. edit "full-access"
8. set tunnel-mode enable
9. set web-mode enable
10. set ip-pools "SSLVPN_TUNNEL_ADDR1"
11. set split-tunneling disable
12. next
end

6. Configure SSL VPN settings.


7. config vpn ssl settings
8. set servercert "server_certificate"
9. set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
10. set source-interface "wan1"
11. set source-address "all"
12. set default-portal "web-access"
13. set reqclientcert enable
14. config authentication-rule
15. edit 1
16. set groups "sslvpn-group"
17. set portal "full-access"
18. next
end

7. Configure one SSL VPN firewall policy to allow remote user to access the internal network.
8. config firewall policy
9. edit 1
10. set name "sslvpn web mode access"
11. set srcintf "ssl.root"
12. set dstintf "port1"
13. set srcaddr "all"
14. set dstaddr "192.168.1.0"
15. set groups “sslvpn-group”
16. set action accept
17. set schedule "always"
18. set service "ALL"
19. set nat enable
20. next
end

To see the results of tunnel connection:

1. Download FortiClient from www.forticlient.com.

2. Open the FortiClient Console and go to Remote Access > Configure VPN.

3. Add a new connection.

o Set the connection name.

o Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.

4. Select Customize Port and set it to 10443.

5. Enable Client Certificate and select the authentication certificate.

6. Save your settings.

Connecting to the VPN only requires the user's certificate. It does not require
username or password.

To see the results of web portal:

1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

2. Select the user certificate.

You can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.

2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.

3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the SSL VPN connection using the CLI:

Below is a sample output of diagnose debug application fnbamd -1 while the user connects. This is a
shortened output sample of a few locations to show the important parts. This sample shows
lookups to find the group memberships (three groups total) of the user and that the correct
group being found results in a match.

[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206


[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' -
'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'

You can also use diagnose firewall auth list to validate that a firewall user entry exists for the SSL
VPN user and is part of the right groups.

Authenticating SSL VPN users using LDAP

This example illustrates how to configure a FortiGate to use LDAP authentication to


authenticate remote SSL VPN users. With a properly configured LDAP server, user and
authentication data can be maintained independently of the FortiGate, accessed only when a
remote user attempts to connect through the SSL VPN tunnel.

1. Downloading and installing FSSO agent in the LDAP server


2. Registering the LDAP server on the FortiGate
3. Configuring Single Sign-On on the FortiGate
4. Importing LDAP users
5. Creating the SSL VPN user group
6. Creating the SSL address range
7. Configuring the SSL VPN tunnel
8. Creating security policies
9. Results
1. Downloading and installing FSSO agent in the LDAP server

The current Forti OS version which we are using in our firewall is 5.2.5 build 701 (shown
below)

Download and install FSSO client on your Domain Controller, find a download link here:

https://support.fortinet.com/Download/FirmwareImages.aspx

Accept the license and follow the Wizard. Enter the Windows AD administrator password.

Click Next, select the Advanced Access method

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.


Under Working Mode, select DC Agent mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

2. Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.

3.  Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers”


group is used.

4.  Importing LDAP users

Go to User & Device > User > User Definition, and create a new user, selecting Remote
LDAP User.

Choose your LDAP Server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only
common user classes.

5.  Creating the SSL VPN user group


Go to User & Device > User > User Groups to create a new FSSO user group.

6.  Creating the SSL address range

Go to Policy & Objects > Objects > Addresses, and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses
you want to assign to SSL VPN clients. Select Any as the Interface.

Then create another Address for each Subnet or IP Range within your internal network to
which remote users will connect.

7.  Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and create the full-access portal or edit the full-access portal

Source IP pools > select from the drop down menu > SSL address range created above
(point#6)

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 443.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAP group user group to the full-access portal

8.  Creating security policies

Go to Policy & Objects > Policy >  IPv4 and create an ssl.root – wan1 policy.

9.  Results

Click on  VPN client > Select SSl-VPN > click on New VPN > Give Connection Name


Type the IP Address of Remote Gateway ( WAN IP Address)

Click customize the port( default port# 443)

Click on Do not Warn Invalid Server Certificate

Click > Apply and close

Open the Forticlient >

Type your LDAP credentials and click on Connect.

SSL VPN to IPsec VPN

In this recipe, you will configure a site-to-site IPsec VPN that allows access to the remote
endpoint via SSL VPN. This involves a pre-existing user group, a tunnel-mode SSL VPN
with split-tunneling, and a route-based IPsec VPN between two FortiGates.

In the example, all sessions need to start from the SSL VPN interface. If you want sessions to
start from the FGT_2 subnet, you will need more policies. Furthermore, if the remote subnet
is beyond FGT_2 (if you have to cross multiple hops), you will need to include the SSL VPN
subnet in those routers as well.

1. Configuring the site-to-site IPsec VPN on


FGT_1
Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site.

Set IP Address to the Internet-facing interface.

Set the Authentication Method to Pre-shared Key and enter the pre-shared key.

Set Local Interface to the internal interface and set Local Subnets to include the internal
and SSL VPN subnets for FGT_1.*
Set Remote Subnets to include the internal subnet for FGT_2.

A summary page shows the configuration created by the wizard, including firewall address
groups (for both local subnets as well as the remote subnet), static routes, and security
policies.

2. Configuring SSL VPN settings


Go to VPN > SSL-VPN Settings and set Listen
on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443.

Set Restrict Access to Allow access from any host.*

Under Tunnel Mode Client Settings, enable Specify custom IP ranges and include the SSL
VPN subnet range created by the IPsec VPN wizard.*
Under Authentication/Portal Mapping, add the VPN user group to the tunnel-access portal.
Set All Other Users/Groups to the web-access portal.

3. Configuring the SSL VPN portal


Go to VPN > SSL-VPN Portals and edit the tunnel-access portal.

Turn on Enable Split Tunneling so that only traffic intended for the local or remote
networks will flow through FGT_1 and be subject to the corporate security profiles.
Next to Routing Address, add the local and remote IPsec VPN subnets created by the IPsec
VPN wizard.

Next to Source IP Pools, add the SSL VPN subnet range created by the IPsec VPN wizard.*

4. Adding policies on FGT_1


Go to Policy & Objects > IPv4 Policy and create a new policy that allows SSL VPN users
access to the internal network.

Set Incoming Interface to ssl.root and set Outgoing Interface to internal.

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user
group.

Set Destination to the local IPsec VPN subnet (which represents the internal subnet).

Set the Schedule and set Service to ALL.

Disable NAT.
Create another policy that allows SSL VPN users access to the IPsec VPN tunnel.

Set Incoming Interface to ssl.root and set Outgoing Interface to the IPsec tunnel interface
(in this case, Site1).

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user
group.

Set Destination to the remote IPsec VPN subnet.

Set the Schedule and set Service to ALL.

Disable NAT.*
5. Configuring the site-to-site IPsec VPN on FGT_2
Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site


Set IP Address to the Internet-facing interface.

Set the Authentication Method to Pre-shared Key and enter the pre-shared key that matches
the FGT_1 configuration.

Set Local Interface to the internal interface and set Local Subnets to include the internal
network subnet for FGT_2.

Set Remote Subnets to include the internal and SSL VPN subnets for FGT_1.*

A summary page shows the configuration created by the wizard, including firewall address
groups (for the local subnet as well as both remote subnets), static routes, and security
policies.
6. Results
Go to Monitor > IPsec Monitor, highlight the tunnel, and select Bring Up.

Verify that the tunnel Status changes to Up.

Configure the SSL VPN connection on the user’s FortiClient and connect to the tunnel.
Using Command Prompt/Terminal on the user’s computer, send a PING through the tunnel
to the remote endpoint and confirm access.

Go to Monitor > Routing Monitor and verify the routes for the IPsec and SSL VPNs were
added.
Go to Monitor > SSL-VPN Monitor and verify the user connectivity.

Go to Log & Report > VPN Events and view the IPsec and SSL tunnel statistics.

Go to FortiView > VPN and view VPN connection activity.

Right-click an entry and select Drill Down to Details for more information about a
connection.*
7. Debug
In order to diagnose potential issues, run the following debug commands on FGT_1 using the
CLI Console:
diag debug reset
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow filter addr 192.168.177.99
diag debug flow filter proto 1
diag debug flow trace start 2
diag debug enable

Send a PING through the SSL VPN tunnel to 192.168.177.99 and analyze the output of the
debug. Disable the debug output with the following command:

diag debug disable

If the traffic is entering the correct VPN tunnel on FGT_1, then run the same commands on
FGT_2 to check whether the traffic is reaching the correct tunnel. If it is reaching the correct
tunnel, confirm that the SSL VPN tunnel range is configured in the remote side quick mode
selectors.
You can also run a sniffer command on FGT_1 as follows:

diag sniff packet any "host 192.168.177.99 and icmp" 4


If you suspect an IPsec VPN issue, run the following commands on either FortiGate:

diag debug reset


diag vpn ike gateway clear
diag debug application ike -1
diag debug enable

When you are satisfied with the debug output, disable the debug as follows:

diag debug disable


SSL VPN with FortiToken mobile push authentication

This is a sample configuration of SSL VPN that uses FortiToken mobile push two-factor
authentication. If you enable push notifications, users can accept or deny the authentication
request.

Sample topology

Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can
also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN
interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. The port1 interface connects to the internal
network.

1. Go to Network > Interfaces and edit the wan1 interface.

2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.

3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.

4. Click OK.

5. Go to Firewall & Objects > Address and create an address for internet subnet
192.168.1.0.

2. Register FortiGate for FortiCare Support.

To add or download a mobile token on FortiGate, FortiGate must be registered for


FortiCare Support. If your FortiGate is registered, skip this step.
1. Go to Dashboard > Licenses.

2. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click
it and select Register.

3. Add FortiToken mobile to FortiGate.

If your FortiGate has FortiToken installed, skip this step.

1. Go to User & Device > FortiTokens and click Create New.

2. Select Mobile Token and type in Activation Code.

3. Every FortiGate has two free mobile tokens. Go to User & Device > FortiTokens and
click Import Free Trial Tokens.

4. Enable FortiToken mobile push.

To use FTM-push authentication, use CLI to enable FTM-Push on the FortiGate.

1. Ensure server-ip is reachable from the Internet and enter the following CLI commands:
2. config system ftm-push
3. set server-ip 172.20.120.123
4. set status enable
end

2. Go to Network > Interfaces.

3. Edit the wan1 interface.

4. Under Administrative Access > IPv4, select FTM.

5. Click OK.

5. Configure user and user group.

1. Go to User & Device > User Definition to create a local user sslvpnuser1.

2. Enter the user's Email Address.

3. Enable Two-factor Authentication and select one mobile Token from the list,

4. Enable Send Activation Code and select Email.

5. Click Next and click Submit.

6. Go to User & Device > User Groups to create a group sslvpngroup with the member
sslvpnuser1.

6. Activate the mobile token.


1. When the user sslvpnuser1 is created, an email is sent to the user's email address.
Follow the instructions to install your FortiToken mobile application on your device
and activate your token.

7. Configure SSL VPN web portal.

1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

This portal supports both web and tunnel mode.

2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the
FortiGate.

8. Configure SSL VPN settings.

1. Go to VPN > SSL-VPN Settings.

2. Select the Listen on Interface(s), in this example, wan1.

3. Set Listen on Port to 10443.

4. Set Server Certificate to the authentication certificate.

5. Under Authentication/Portal Mapping, set default Portal web-access for All Other
Users/Groups.

6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal


full-access.

9. Configure SSL VPN firewall policy.

1. Go to Policy & Objects > IPv4 Policy.

2. Fill in the firewall policy name. In this example, sslvpn certificate auth.

3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).

4. Set the Source Address to all and Source User to sslvpngroup.

5. Set the Outgoing Interface to the local network interface so that the remote user can
access the internal network. In this example, port1.

6. Set Destination Address to the internal protected subnet 192.168.1.0.

7. Set Schedule to always, Service to ALL, and Action to Accept.

8. Enable NAT.

9. Configure any remaining firewall and security options as desired.

10. Click OK.


To see the results of web portal:

1. From a remote device, use a web browser to log into the SSL VPN web portal
http://172.20.120.123:10443.

2. Log in using the sslvpnuser1 credentials.

The FortiGate pushes a login request notification through the FortiToken mobile
application.

3. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

1. Download FortiClient from www.forticlient.com.

2. Open the FortiClient Console and go to Remote Access > Configure VPN.

3. Add a new connection.

o Set the connection name.

o Set Remote Gateway to the IP of the listening FortiGate interface, in this example,
172.20.120.123.

4. Select Customize Port and set it to 10443.

5. Save your settings.

6. Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiGate pushes a login request notification through the FortiToken mobile
application.

7. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.

2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0

SSL VPN sessions:


Index User Source IP Duration I/O Bytes Tunnel/Dest IP

To check the tunnel login using the CLI:


get vpn ssl monitor
SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0

SSL VPN sessions:


Index User Source IP Duration I/O Bytes Tunnel/Dest IP
0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200

Vous souhaitez que vos utilisateurs nomades aient toujours accès aux applications présentes au sein
de votre entreprise au travers d’un navigateur web? Dans ce tutoriel, je vais vous montrer comment
configurer un Firewall Fortinet (Fortigate) puis nous allons mettre en place un tunnel VPN SSL sur
celui-ci afin qu’un utilisateur externe à votre réseau puisse avoir accès à des applications bien
spécifiques.

Grâce au VPN SSL que nous allons configurer, nous allons donner l’autorisation aux utilisateurs de se
connecter sur certains équipements du réseau interne

Général

Connexion
Commencez par vous connecter sur l’interface d’administration du Firewall. Entrez
l’adresse IP de votre firewall sur un navigateur Web. Pour vous connecter, les identifiants par
défaut sont « admin » pour le login et le champ password sera vide.
Configuration des interfaces
Je commence par configurer l’interface WAN qui sera connectée sur mon port physique
1. Pour le champ « Role » sélectionnez « WAN » et dans la partie « IP/Network Mask »
remplacez « X.X.X.X » par l’adresse IP et « Y.Y.Y.Y » par le masque associé.

il faut ensuite configurer l’interface LAN. Dans le champ « Role », renseignez « LAN »
puis dans la partie « IP/Network Mask » renseignez l’adresse IP que vous allez affecter à
votre firewall ainsi que le masque associé.
Liaison LAN – WAN
Nous allons maintenant créer une règle afin d’autoriser le trafic du LAN vers le WAN.
Allez dans le menu « IPv4 Policy » et cliquez sur « Create New » :
Dans cette règle, nous allons autoriser tout le trafic du LAN à aller sur le WAN. Dans un
environnement réel, vous devez restreindre les flux à vos besoins.

A partir de cette étape, votre LAN doit avoir accès à Internet.


 

Configuration VPN SSL sous Fortigate

Changement du port d’administration du firewall


Afin d’éviter des soucis dans la suite de ce tutoriel, je vous conseille de changer le port
par défaut de l’interface d’administration qui est configuré de base sur le port 443.

Création d’un utilisateur


Nous allons à présent créer un utilisateur que nous autoriserons par la suite sur le portail
VPN SSL. Dans le menu cliquez sur « User & Device » puis sur « User Definition » et
sélectionnez « Create New ».
Sélectionnez « Local User » :

Renseignez le nom d’utilisateur et le mot de passe associé :


Sur la page suivante, laissez par défaut :

Laissez également par défaut sur la dernière page.

Configuration du portail SSL-VPN


Nous allons a présent passer à la configuration du portail SSL-VPN. Dans le menu,
sélectionnez « SSL-VPN Portals » puis cliquez sur « Create New » :

Remplissez les champs comme ci-dessous. Dans la partie « Predefined Bookmarks »


vous allez pouvoir définir des applications disponibles sur la page web du VPN SSL :
Dans cet exemple, je vais créer un raccourci pour se connecter sur l’interface Web de mon
Firewall. Si vous faites comme moi, n’oubliez pas d’activer les protocoles HTTP et HTTPS sur
l’interface LAN du firewall (menu Network -> Interfaces) :

Vous devriez avoir une configuration comme ci-dessous. Cliquez sur « OK » en bas de la page
pour appliquer vos changements.
Dans le menu « SSL-VPN Settings », remplissez les champs comme ci-dessous. Sélectionnez bien
l’interface Wan pour l’écoute (port 1 dans ce tutoriel) :
Création des règles de Firewall
Retournez dans le menu « IPv4 Policy » et cliquez sur « Create New » :

Remplissez les champs comme ci-dessous puis validez la règle :


Test

Après toute cette configuration, c’est le moment de tester! Accédez à votre VPN SSL via
un navigateur web en saisissant l’adresse suivante : https://[VOTRE_IP_PUBLIQUE]. Vous
devriez voir une page de demande de login s’afficher. Saisissez les identifiants de l’utilisateur
créé au début de ce tutoriel

Maintenant que vous êtes connecté à votre VPN SSL, vous allez pouvoir tester que le raccourci
que vous avez créé fonctionne. Cliquez sur « GUI_FW.

Vous arriverez sur la page d’administration :


Nous arrivons à la fin de ce tutoriel. Vous savez à présent comment configurer un VPN SSL sur
un Firewall Fortigate.
This recipe describes how to configure an SSL VPN tunnel using LDAP Authentication on a
FortiAuthenticator.

The VPN will be tested using FortiClient on a mobile Android device.

The recipe assumes that an LDAP server has already been configured and connected on the
FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as
an LDAP server, see LDAP authentication for SSL VPN with FortiAuthenticator.

1. Creating the LDAP user group


From the FortiGate GUI, go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

Select the LDAP server under the Remote Server dropdown*.


In the new Add Group Match window, select the desired group under the Groups tab, select
Add Selected, and click OK.

The LDAP server has been added to the LDAP group.

2. Configuring the SSL VPN


Go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.


Under Connection Settings set Listen on Port to 10443.

Under Authentication/Portal Mapping, select Create

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups
to the desired portal.

3. Creating the security policies for VPN access to the Internet


Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

If it is not already available, create another policy allowing internal access to the Internet.

4. Results
On your Android smartphone, open the FortiClient app and create a new VPN.
Give the VPN a name (in the example, SSL to 121.56), and set the VPN Type to SSL VPN. Select Create.

The SSL VPN settings will appear. Set Server to the IP of the FortiGate (in the example,
172.20.121.56), and set the Port to 10443.

Set Username to the desired LDAP user (in the example, bwayne), and set the user’s
password.
Return to FortiClient’s list of VPN Tunnels, and connect to the newly created SSL VPN.

If prompted, enter valid LDAP credentials.

User ‘bwayne’ is now connected to the SSL VPN tunnel and can securely browse the Internet.

You might also like