FortiOS 5.6 SSL VPN Setup examples

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 17.

The following examples are included:

  • Secure Internet browsing
  • Split Tunnel
  • Multiple user groups with different access permissions
  • Client device certificate authentication with multiple groups

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Disable Split Tunneling.
  3. For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
  4. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

  1. Go to User & Device > User Definition and select Create New to add the user:
       User Name: twhite
       Password: password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
       Name: SSL VPN
       Type: Firewall
  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New to add the static route:
       Destination IP/Mask: 10.212.134.0/255.255.255.0
       Device: ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Add an SSL VPN security policy as below:
       Incoming Interface: ssl.root
       Outgoing Interface: internal
       Source Address: all
       Source User Group: SSL VPN
       Destination: all
  3. Select OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
       Users/Groups: Tunnel
       Portal: tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user’s indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Addresses, select Create New, and add the head office server address:
       Category: Address
       Name: Head office server
       Type: Subnet
       Subnet / IP Range: 192.168.1.12
       Interface: Internal
  2. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Enter the following:
       Name: Connect to head office server
       Enable Tunnel Mode: Enable
       Enable Split Tunneling: Enable
       Routing Address: Internal
       Source IP Pools: SSLVPN_TUNNEL_ADDR1
  3. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User Definition, select Create New and add the user:
       User Name: twhite
       Password: password
  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
       Name: Tunnel
       Type: Firewall
  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New:
       Destination IP/Mask: 10.212.134.0/255.255.255.0
       Device: ssl.root
  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Complete the following:
       Incoming Interface: ssl.root
       Source Address: all
       Source User(s): Tunnel
       Outgoing Interface: internal
       Destination Address: Head office server
  3. Select OK.
  4. Add a security policy that allows remote SSL VPN users to connect to the Internet: select Create New.
  5. Complete the following and select OK:
       Incoming Interface: ssl.root
       Source Address: all
       Source User(s): Tunnel
       Outgoing Interface: wan1
       Destination Address: all
       Schedule: always
       Service: ALL
       Action: ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
       Users/Groups: Tunnel
       Portal: tunnel-access
  3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit. In this example configuration, there are two users:

  • User1 can access the servers on Subnet_1.
  • User2 can access the workstation PCs on Subnet_2.

You could easily add more users to either user group to provide them access to the user group’s assigned web portal.

General configuration steps

  1. Create firewall addresses for:
    • The destination networks.
    • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
  2. Create two web portals.
  3. Create two user accounts, User1 and User2.
  4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
  5. Create security policies:
    • Two SSL VPN security policies, one to each destination.
    • Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
  6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet_1 or Subnet_2.

To define destination addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
       Name: Subnet_1
       Type: Subnet
       Subnet/IP Range: 10.11.101.0/24
       Interface: port2
  3. Select Create New, enter the following information, and select OK:
       Name: Subnet_2
       Type: Subnet
       Subnet/IP Range: 10.11.201.0/24
       Interface: port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
       Name: Tunnel_group1
       Type: IP Range
       Subnet/IP Range: 10.11.254.1-10.11.254.50
       Interface: Any
  3. Select Create New, enter the following information, and select OK:
       Name: Tunnel_group2
       Type: IP Range
       Subnet/IP Range: 10.11.254.51-10.11.254.100
       Interface: Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal1 in the Name field.
  3. In Source IP Pools, select Tunnel_group1.
  4. Select OK.

To create the portal2 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal2 in the Name field. In Source IP Pools, select Tunnel_group2.
  3. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the web portals that you need, you need to create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups – web-based manager:

  1. Go to User & Device > User Groups.
  2. Select Create New and enter the following information:
       Name: Group1
       Type: Firewall
  3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
  4. Select OK.
  5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 59.

Two types of security policy are required:

  • An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
  • A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and click OK:
       Incoming Interface: ssl.root (sslvpn tunnel interface)
       Source Address: All
       Source User(s): Group1
       Outgoing Interface: port2
       Destination Address: Subnet_1
       Service: All
  3. Select Create New.
  4. Enter the following information:
       Incoming Interface: ssl.root (sslvpn tunnel interface)
       Source Address: All
       Source User(s): Group2
       Outgoing Interface: port3
       Destination Address: Subnet_2
       Service: All
  5. Click OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the first remote group:
       Users/Groups: Group1
       Portal: Portal1
  3. Select OK and Apply.
  4. Select Create New and add an authentication rule for the second remote group:
       Users/Groups: Group2
       Portal: Portal2
  5. Select OK and Apply.

To create the tunnel-mode security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
       Incoming Interface: ssl.root (sslvpn tunnel interface)
       Source Address: Tunnel_group1
       Source User(s): Group1
       Outgoing Interface: port2
       Destination Address: Subnet_1
       Service: All
       Action: ACCEPT
       Enable NAT: Enable
  3. Select Create New.
  4. Enter the following information, and select OK:
       Incoming Interface: ssl.root (sslvpn tunnel interface)
       Source Address: Tunnel_group2
       Source User(s): Group2
       Outgoing Interface: port3
       Destination Address: Subnet_2
       Service: All
       Action: ACCEPT
       Enable NAT: Enable
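The two tunnel-mode policies above restrict each group in two independent ways: by the source address object (the group's own tunnel pool) and by the user group. The following script is an added example, not part of the FortiOS guide, that models policy-table matching for exactly these two policies and runs a few constructed flows through it to confirm that Group1 reaches only Subnet_1 and Group2 only Subnet_2. It is a simplification: the caller supplies the egress interface (a real FortiGate derives it from the routing table), schedule is treated as always and service as ALL, and anything matching no policy hits the implicit deny.

```python
# Added example, not part of the FortiOS guide: a simplified model of how the two
# tunnel-mode policies are matched, used to confirm that each group can reach only
# its own destination network.
import ipaddress

# Address objects from the page's example (Subnet_1, Subnet_2, Tunnel_group1,
# Tunnel_group2) plus the built-in "all" object, as (first, last) ranges.
ADDRESSES = {
    "all": ("0.0.0.0", "255.255.255.255"),
    "Subnet_1": ("10.11.101.0", "10.11.101.255"),
    "Subnet_2": ("10.11.201.0", "10.11.201.255"),
    "Tunnel_group1": ("10.11.254.1", "10.11.254.50"),
    "Tunnel_group2": ("10.11.254.51", "10.11.254.100"),
}

# The two tunnel-mode policies from the page, in policy-table order.
TUNNEL_POLICIES = [
    {"id": 1, "srcintf": "ssl.root", "srcaddr": "Tunnel_group1", "groups": {"Group1"},
     "dstintf": "port2", "dstaddr": "Subnet_1", "action": "accept"},
    {"id": 2, "srcintf": "ssl.root", "srcaddr": "Tunnel_group2", "groups": {"Group2"},
     "dstintf": "port3", "dstaddr": "Subnet_2", "action": "accept"},
]


def in_address(name, ip):
    """True if ip falls inside the named address object."""
    first, last = ADDRESSES[name]
    return (ipaddress.ip_address(first) <= ipaddress.ip_address(ip)
            <= ipaddress.ip_address(last))


def match_policy(policies, srcintf, src_ip, user_groups, dstintf, dst_ip):
    """First matching policy wins; no match falls through to the implicit deny.
    Assumption: the caller already knows the egress interface (a real FortiGate
    takes it from the routing lookup); schedule and service are treated as
    'always' and 'ALL'."""
    for policy in policies:
        if (policy["srcintf"] == srcintf and policy["dstintf"] == dstintf
                and in_address(policy["srcaddr"], src_ip)
                and in_address(policy["dstaddr"], dst_ip)
                and policy["groups"] & set(user_groups)):
            return policy["id"], policy["action"]
    return None, "deny"


def reachability(policies, flows):
    """Evaluate constructed flows; returns {label: (policy id, action)}."""
    return {label: match_policy(policies, *flow) for label, flow in flows.items()}


# Constructed test flows: (srcintf, src_ip, user_groups, dstintf, dst_ip).
# The last one is a Group2 user holding an address from the Group1 pool; it is
# denied because the user-group check is independent of the address check.
SAMPLE_FLOWS = {
    "user1 -> Subnet_1": ("ssl.root", "10.11.254.10", {"Group1"}, "port2", "10.11.101.5"),
    "user1 -> Subnet_2": ("ssl.root", "10.11.254.10", {"Group1"}, "port3", "10.11.201.5"),
    "user2 -> Subnet_2": ("ssl.root", "10.11.254.60", {"Group2"}, "port3", "10.11.201.5"),
    "user2 from group1 pool -> Subnet_1": ("ssl.root", "10.11.254.10", {"Group2"}, "port2", "10.11.101.5"),
}

if __name__ == "__main__":
    for label, result in reachability(TUNNEL_POLICIES, SAMPLE_FLOWS).items():
        print(f"{label}: {result}")
```

The fourth flow is the reason both checks matter: a policy keyed only on the tunnel pool address would accept a user who ended up with an address from the other group's pool, whereas the user-group match still denies it.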

Create the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK:
       Destination IP/Mask: 10.11.254.0/24 (this range covers both ranges that you assigned to SSL VPN tunnel-mode users; see Creating the tunnel client range addresses on page 60)
       Device: the SSL VPN virtual interface, ssl.root for example
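Two conditions in this example are easy to get wrong when the numbers are typed by hand: the tunnel client ranges must not overlap each other or the destination subnets, and the static route's destination must cover every tunnel range, otherwise reply packets for some clients never enter the tunnel. The script below is an added example, not part of the FortiOS guide, that checks both conditions with Python's ipaddress module using the values from this example; the function and variable names are the example's own.

```python
# Added example, not part of the FortiOS guide: sanity-checks the address plan
# used in the "Multiple user groups" example before it is entered on a FortiGate.
import ipaddress

# Values taken from the example configuration on the page.
DESTINATIONS = {
    "Subnet_1": "10.11.101.0/24",
    "Subnet_2": "10.11.201.0/24",
}
TUNNEL_RANGES = {
    "Tunnel_group1": ("10.11.254.1", "10.11.254.50"),
    "Tunnel_group2": ("10.11.254.51", "10.11.254.100"),
}
STATIC_ROUTE = "10.11.254.0/24"   # destination of the route whose device is ssl.root


def range_to_networks(first, last):
    """Expand a FortiGate 'IP Range' address object into the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def expand(destinations, tunnel_ranges):
    """Map every address-object name to a list of ip_network objects."""
    blocks = {name: [ipaddress.ip_network(cidr)] for name, cidr in destinations.items()}
    for name, (first, last) in tunnel_ranges.items():
        blocks[name] = range_to_networks(first, last)
    return blocks


def find_overlaps(blocks):
    """Return (name, name) pairs whose address space overlaps; the guide requires none."""
    names = list(blocks)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in blocks[a] for y in blocks[b]):
                overlaps.append((a, b))
    return overlaps


def uncovered_by_route(tunnel_ranges, route_cidr):
    """Return tunnel ranges that the static route to ssl.root does not fully cover;
    reply packets for those clients would not be sent into the tunnel."""
    route = ipaddress.ip_network(route_cidr)
    return [name for name, (first, last) in tunnel_ranges.items()
            if not all(block.subnet_of(route) for block in range_to_networks(first, last))]


def check_plan(destinations, tunnel_ranges, route_cidr):
    """Run both checks; two empty lists mean the plan is consistent."""
    return {
        "overlaps": find_overlaps(expand(destinations, tunnel_ranges)),
        "not_routed": uncovered_by_route(tunnel_ranges, route_cidr),
    }


if __name__ == "__main__":
    print(check_plan(DESTINATIONS, TUNNEL_RANGES, STATIC_ROUTE))
```

Run as-is it reports no overlaps and no unrouted ranges for the guide's values; shrinking the route to 10.11.254.0/26 or widening Tunnel_group2 to start at 10.11.254.40 makes it flag the problem before the configuration is applied.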

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.

This can only be performed in the CLI console.

The authentication-rule option is available only in the CLI as an advanced setting; it is not available in the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate. Instead, selectively enable client-cert in each authentication-rule through the CLI, according to your requirements.

Configuring SSL VPN shared settings and authentication rules – CLI:

The following example assumes that remote LDAP users/groups have been pre-configured.

    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set port 443
        set source-interface "wan1"
        set source-address "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set source-interface "wan1"
                set source-address "all"
                set groups "Employees"
                set portal "full-access"
                set client-cert enable
            next
            edit 2
                set source-interface "wan1"
                set source-address "all"
                set groups "Vendors"
                set portal "full-access"
                set client-cert disable    <-- set by default and not displayed in the configuration
            next
        end
    end
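Because the certificate requirement lives on individual authentication-rules rather than on the SSL VPN as a whole, which rule a user lands on decides whether a device certificate is demanded. The script below is an added example, not part of the FortiOS guide, that models the two rules above and shows the practical consequence: a user who is a member of both the Employees and Vendors groups is handled by whichever matching rule comes first, so the rule order, not just the group memberships, determines whether that user can log in without a certificate. It assumes rules are evaluated in the listed order with first match winning; what the FortiGate does with a user who matches no rule at all is not modelled, and the group, portal and interface names are the ones from the configuration above.

```python
# Added example, not part of the FortiOS guide: models order-dependent evaluation
# of the two authentication-rules to show which users must present a client
# certificate. Assumption: rules are tried in the listed order and the first rule
# whose source interface and group match is used; users matching no rule are
# reported as "no-rule" rather than modelled.
AUTH_RULES = [
    {"id": 1, "source_interface": "wan1", "groups": {"Employees"},
     "portal": "full-access", "client_cert": True},
    {"id": 2, "source_interface": "wan1", "groups": {"Vendors"},
     "portal": "full-access", "client_cert": False},
]


def select_rule(rules, source_interface, user_groups):
    """Return the first rule matching the connection's interface and one of the user's groups."""
    for rule in rules:
        if rule["source_interface"] == source_interface and rule["groups"] & set(user_groups):
            return rule
    return None


def evaluate_login(rules, source_interface, user_groups, has_valid_client_cert):
    """Return (outcome, rule id, portal) for a login attempt."""
    rule = select_rule(rules, source_interface, user_groups)
    if rule is None:
        return ("no-rule", None, None)
    if rule["client_cert"] and not has_valid_client_cert:
        return ("rejected: client certificate required", rule["id"], None)
    return ("accepted", rule["id"], rule["portal"])


def cert_required_for(rules, source_interface, user_groups):
    """Does the first matching rule for this user demand a device certificate?"""
    rule = select_rule(rules, source_interface, user_groups)
    return bool(rule and rule["client_cert"])


if __name__ == "__main__":
    # Constructed cases, including a user who is a member of both AD OUs.
    for groups in ({"Employees"}, {"Vendors"}, {"Employees", "Vendors"}):
        print(sorted(groups), evaluate_login(AUTH_RULES, "wan1", groups, False))
    # With the rules reversed, the dual-member user is matched by the Vendors rule
    # first and is admitted without a certificate.
    print("reversed:", evaluate_login(list(reversed(AUTH_RULES)), "wan1",
                                      {"Employees", "Vendors"}, False))
```

The check worth keeping after deployment is the reversed-order case: if the Vendors rule were ever moved above the Employees rule (or an employee account were added to the Vendors OU), the certificate requirement silently stops applying to that user, so group membership and rule order should both be reviewed when the AD structure changes.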

Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).

If configured correctly, only the ‘Employees’ group should require a client certificate to authenticate to the VPN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “FortiOS 5.6 SSL VPN Setup examples”

  1. Dan

    Love your site, full of great information on a fantastic but under-documented product line. I am looking for some advice on setting up SSL VPN to authenticate via LDAP to my Active Directory. We have several network zones configured and would like to apply network policies for remote users based on group membership. Any chance you have a post about such a scenario?
    Thanks
