FortiOS 5.6 SSL VPN Basic configuration

Basic configuration

Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed, and where to locate the options in FortiOS. For real-world examples, see Setup examples on page 54.

There are three or four key steps to configuring an SSL VPN tunnel. The first three in the points below are mandatory, while the others are optional. This chapter outlines these key steps as well as additional configurations for tighter security and monitoring.

The key steps are:

l Create user accounts and user groups for the remote clients.

(User accounts and groups on page 17) l Create a web portal to define user access to network resources.

(Configuring SSL VPN web portals on page 22) l Configure the security policies.

(Configuring security policies on page 1) l For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface.

(Routing in tunnel mode on page 30) l Setup logging of SSL VPN activities.

(SSL VPN logs on page 37)

This section contains the following information:

User accounts and groups

Configuring SSL VPN web portals

Configuring encryption key algorithms

Additional configuration options

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

To create a user account:

  • In the web-based manager, go to User & Device > User Definition, and select Create New.
  • In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

User accounts and groups

To create user groups:

  • In the web-based manager, go to User & Device > User Groups and select Create New. l In the CLI, use the commands in config user group.

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.

For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check against the client’s MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can ensure better security should a password be compromised.

MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset of the address. MAC host checking is configured in the CLI using the folowing commands:

conf vpn ssl web portal edit portal set mac-addr-check enable set mac-addr-action allow config mac-addr-check-rule edit “rule1” set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d set mac-addr-mask 48

end

end

User accounts and groups

IP addresses for users

After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

To set tunnel-mode client IP address range – web-based manager:

  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter an Name, for example, SSL_VPN_tunnel_range.
  3. Select a Type of IP Range.
  4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 254.254.[80-100].
  5. In Interface, select Any.
  6. Select OK.

To set tunnel-mode client IP address range – CLI:

If your SSL VPN tunnel range is for example 10.254.254.80 – 10.254.254.100, you could enter

config firewall address edit SSL_tunnel_users set type iprange set end-ip 10.254.254.100 set start-ip 10.254.254.80

end

Authentication of remote users

When remote users connect to the SSL VPN tunnel, they must perform authentication before being able to use the internal network resources. This can be as simple as assigning users with their own passwords, connecting to an LDAP server or using more secure options. FortiOS provides a number of options for authentication as well as security option for those connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.

Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Using the Bookmarks widget on page 47.

User accounts and groups

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18 000 seconds, enter the following commands in the CLI:

config vpn ssl settings set auth-timeout 18000

end

You can also set the idle timeout for the client, to define how long the user does not access the remote resources before they are logged out.

Additional timeout settings

SSL VPN timeout settings are also available to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution involves two attributes (http-request-header-timeout and http-requestbody-timeout).

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Allow one-time login per user

You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.

To allow one-time login per user – web-based manager:

Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.

To allow one-time login per user – CLI:

config vpn ssl web portal edit <portal_name> set limit-user-logins enable

end

Strong authentication with security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

For information about obtaining and installing certificates, see the Authentication Guide.

User accounts and groups

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.

When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.

To require client authentication by security certificates – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Select Require Client Certificate.
  3. Select Apply.

To require client authentication by security certificates – CLI:

config vpn ssl settings set reqclientcert enable

end

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a CA certificate that the client browser has installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.

To enable FortiGate unit authentication by certificate – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.
  3. Select Apply.

To enable FortiGate unit authentication by certificate – CLI:

For example, to use the example_cert certificate

config vpn ssl settings set servercert example_cert

end

NSA Suite B cryptography support

FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.

 

FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:

exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure; the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees with a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s) Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port Enter the port number for HTTPS access.

 

Redirect port 80 to this login port Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.

l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPSredirect is disabled by default):

Syntax:

config vpn ssl settings

set https-redirect [enable | disable] end

Restrict Access Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.
Idle Logout Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.
Require Client Certificate Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.

For information on using PKI to provide client certificate authentication, see the Authentication Guide.

Address Range Select Automatically assign addresses or Specify custom IP ranges. The latter will allow you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Note: It is possible to implement a unique DNS suffix per SSL VPN portal using the CLI. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings. This is a

CLI-only option, using the following syntax:

config vpn ssl web portal edit <example> set dns-suffix <string>

end

Specify WINS Servers Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.
Allow Endpoint

Registration

Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals.

There are three pre-defined default portal configurations available:

l full-access l tunnel-access l web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

 

Portal Setting Description
Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

l Allow client to save password – When enabled, if the user

selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

l Allow client to connect automatically – When enabled, if the

user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

l Allow client to keep connections alive – When enabled, if the

user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).

Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
Portal Setting Description
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML filebrowser.

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

            To enable a default portal – CLI:

config vpn ssl settings set default-portal <full-access | tunnel-access |

web-access> end

Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark – web-based manager:

  1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.
  2. Select Create New and enter the following information:
Category Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.
Name Enter a name for the bookmark.
Type Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
URL Enter the IP address source.
Description Enter a brief description of the link.
Single Sign-On Enable if you wish to use Single Sign-On (SSO) for any links that require authentication.

When including a link using SSO, be sure to use the entire URL. For example, http://10.10.1.0/login, rather than just the IP address.

  1. Select OK.

For more configuration options, see Configuring SSL VPN web portals on page 22.

Personal bookmarks

The administrator has be ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal on page 46

To enable personal bookmarks:

  1. Go to System > Feature Select.
  2. Enable SSL-VPN Personal Bookmark Management.
  3. Select Apply.

Moving and cloning bookmarks

The administrator also has the ability to move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal edit “portal-name”

set user-group-bookmark enable*/disable

next

end

config vpn ssl web user-group-bookmark edit “group-name” config bookmark edit “bookmark1” ….

next

end

next

end

Remote desktop bookmark creation with no password

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

 

Configuring encryption key algorithms

To configure SSL VPN Realms – web-based manager:

  1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.
  2. The first option in the custom login page is to enter the path of the custom URL.

This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.

  1. You can also limit the number of users that can access the custom login at any given time.
  2. You can use HTML code to customize the appearance of the login page.
  3. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping
  4. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.

To configure SSL VPN Realms – CLI:

config vpn ssl web realm edit <url-path> set login-page <content_str> set max-concurrent-user <int> set virtual-host <hostname_str>

end

Where the following variables are set:

Variable Description Default
edit <url-path> Enter the URL path to access the SSL-VPN login page.

Do not include “http://”.

No default.
login-page <content_str> Enter replacement HTML for SSL-VPN login page. No default.
max-concurrent-user <int> Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. 0
virtual-host <hostname_str> Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.

Configuring encryption key algorithms

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

To configure encryption key algorithms – CLI:

Use the following CLI command,

config vpn ssl settings set algorithm <cipher_suite>

end

where one of the following variables replaces <cipher_suite>:

Variable Description
low Use any cipher suite; AES, 3DES, RC4, or DES.
medium Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.
high Use a ciper suite grather than 128 bits; AES or 3DES.

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

Controlling the use of specific cipher suites

Administrators can ban the use of specific cipher suites in the CLI for SSL VPN, so PCI-DSS (Payment Card Industry Data Security Standard) certification can be met.

To ban the use of specific cipher suites for SSL VPN – CLI:

config vpn ssl settings

set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384]

Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode

If you are creating a SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.

To add the tunnel mode route – CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static

edit <id> set device ssl.root set dst 10.11.254.0/24

end

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port – web-based manager:

  1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
  2. Go to VPN > SSL-VPN Settings.
  3. Type an unused port number in the Listen on Port field and select Apply.

To change the SSL VPN port – CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings set port 10443

end

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected. l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

To redirect HTTP to HTTPS port – CLI:

config vpn ssl settings set https-redirect [enable | disable] (default: disabled)

end

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Additional configuration options on page 30.

The Host Check list includes default entries for many security software products.

To configure host checking – CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal edit full-access set host-check av-fw

end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal edit full-access set host-check custom

set host-check-policy FortiClient-AV FortiClient-FW

end

Replacing the host check error message

You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”

To replace the host check error message – web-based manager:

  1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.

If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.

To replace the host check error message – CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software edit <software_name> set guid <guid_value> set type <av | fw> set version <version_number>

end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_ CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Example Tunnel Mode Host Check – Registry Key Check

l Check to see if a required registry key is present:

config vpn ssl web host-check-software edit <computer_name> config check-item-list edit 1 set target “HKEY_LOCAL_

MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveCompute rName:ComputerName=WINXP32SP3B62”

set type registry <<<—–

next

end

next

end

Example Tunnel Mode Host Check – Application Running Check

l Check to see if a required application is isntalled and/or running:

config vpn ssl web host-check-software edit “calc” config check-item-list edit 1 set target “calc.exe” set type process <<<—–

next

end

next end

Example Tunnel Mode Host Check – File Check

l Check to see if a specific file exists at a specific location:

config vpn ssl web host-check-software edit “putty” config check-item-list edit 1 set target “C:\\software\\putty.txt”

set md5s <ENC>

next

end

next

end

Configuring virtual desktop

Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.

Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it automatically downloads to the client computer.

To enable virtual desktop :

To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, for example, you would enter:

config vpn ssl web portal edit full-access set virtual-desktop enable set virtual-desktop-app-list List1

end

Configuring virtual desktop application control

You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. When you configure the web portal, you select the list to use.

Configure the application control list in the CLI.

To create an Application Control List – CLI:

If you want to add ‘BannedApp’ to ‘List1’, a list of blocked applications, you would enter:

config vpn ssl web virtual-desktop-app-list edit “List1” set action block config apps edit “BannedApp”

set md5s “06321103A343B04DF9283B80D1E00F6B”

end

end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista, Windows 7, or Windows 10 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

To configure OS Check:

OS Check is configurable only in the CLI.

config vpn ssl web portal edit <portal_name> set os-check enable config os-check-list [windows-2000 | windows-xp | windows-vista | windows-7 | windows-10]

set action [allow | check-up-to-date | deny] set latest-patch-level [disable | 0 – 255]

set tolerance <tolerance_num>

end

end

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

l KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\

FirewallPolicy\StandardProfile l ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software edit “Microsoft-Windows-Firewall” config check-item-list

edit 1 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\StandardProfile:EnableFirewall==1”

set type registry

next edit 2 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\PublicProfile:EnableFirewall==1”

set type registry

next edit 3 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\DomainProfile:EnableFirewall==1”

set type registry

next

end

set type fw next

set host-check custom set host-check-policy Microsoft-Windows-Firewall

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Next to DNS Server select Specify.
  3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  5. Select Apply.

To specify WINS and DNS services for clients – CLI:

config vpn ssl settings set dns-server1 <address_ipv4> set dns-server2 <address_ipv4> set wins-server1 <address_ipv4> set wins-server2 <address_ipv4> end

Idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.

To set the idle timeout – web-based manager:

  1. Go to VPN > SSL-VPN Settings and enable Idle Logout.
  2. In the Inactive For field, enter the timeout value. The valid range is from 10 to 28800 seconds.
  3. Select Apply.

To set the idle timeout – CLI:

config vpn ssl settings set idle-timeout <seconds_int>

end

Login timeout

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

Login failure limit

The following CLI allows the administrator to configure the number of times wrong credentials are allowed before the SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.

To enable logging of SSL VPN events – web-based manager:

  1. Go to Log & Report > Log Settings.
  2. Enable Event Logging, and select VPN activity event.
  3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs – web-based manager:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.

Import the signed certificate into your FortiGate device

  1. Unzip the file downloaded from the CA.

There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.

  1. Log in to your FortiGate unit and browse to System > Certificates.
  2. Select Create New > Local Certificate to import the local certificate. The status of the certificate will change from PENDING to OK.
  3. Import the CA certificate by selecting Import > CA Certificate.

It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.

Configure your FortiGate device to use the signed certificate

  1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
  2. In the Connection Settings section, locate the Server Certificate
  3. Select the new certificate from the drop-down menu.
  4. Select Apply to configure SSL VPN to use the new certificate.

Implement post-authentication CSRF protection in SSL VPN web mode

This attribute can enable/disable verification of a referrer in the HTTP request header in order to prevent a CrossSite Request Forgery attack.

CLI Syntax

config vpn ssl settings set check-referer [enable|disable]

end

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It can also be used to improve upload/download throughput. It is similar to the Transport Layer Security (TLS) protocol.

DTLS support can be enabled in the CLI as described below.

CLI Syntax

config vpn ssl settings set dtls-tunnel [enable | disable] (default: enabled)

end

Allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses is enabled in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.

WAN link load balancing

You can set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

 

This entry was posted in Administration Guides, FortiOS, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.