Setup examples
The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 17.
The following examples are included:
Secure Internet browsing
Split Tunnel
Multiple user groups with different access permissions
Client device certificate authentication with multiple groups
Secure Internet browsing
This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.
Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.
Creating an SSL VPN IP pool and SSL VPN web portal
- Go to VPN > SSL-VPN Portals and select tunnel-access.
- Disable Split Tunneling.
- For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
- Select OK.
Creating the SSL VPN user and user group
- Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
- Go to User & Device > User Definition and select Create New to add the user:
Secure Internet browsing
User Name | twhite |
Password | password |
- Select OK.
- Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
Name | SSL VPN | |
Type | Firewall |
- Move twhite to the Members
- Select OK.
Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
- Go to Network > Static Routes and select Create New to add the static route.
Destination IP/Mask | 10.212.134.0/255.255.255.0 |
Device | ssl.root |
- Select OK.
Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Add an SSL VPN security policy as below, and click OK.
Incoming Interface | ssl.root |
Outgoing Interface | internal |
Source Address | all |
Source User Group | SSL VPN |
Destination | all |
- Select OK.
Split Tunnel
Configuring authentication rules
- Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
- Add an authentication rule for the remote user:
Users/Groups | Tunnel |
Portal | tunnel-access |
- Select OK and Apply.
Results
Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet.
From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.
Split Tunnel
In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.
The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.
Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.
In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user’s indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.
Creating a firewall address for the head office server
- Go to Policy & Objects > Addresses and select Create New and add the head office server address:
Category | Address |
Name | Head office server |
Type | Subnet |
Subnet / IP Range | 192.168.1.12 |
Interface | Internal |
Split Tunnel
- Select OK.
Creating an SSL VPN IP pool and SSL VPN web portal
- Go to VPN > SSL-VPN Portals and select tunnel-access.
- Enter the following:
Name | Connect to head office server |
Enable Tunnel Mode | Enable |
Enable Split Tunneling | Enable |
Routing Address | Internal |
Source IP Pools | SSLVPN_TUNNEL_ADDR1 |
- Select OK.
Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group.
- Go to User & Device > User Definition, select Create New and add the user:
User Name | twhite |
Password | password |
- Select OK.
- Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
Name | Tunnel | |
Type | Firewall |
- Move twhite to the Members
- Select OK.
Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
- Go to Network > Static Routes and select Create New
Destination IP/Mask | 10.212.134.0/255.255.255.0 |
Device | ssl.root |
- Select OK.
Split Tunnel
Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Complete the following:
Incoming Interface | ssl.root |
Source Address | all |
Source User(s) | Tunnel |
Outgoing Interface | internal |
Destination Address | Head office server |
- Select OK.
- Add a security policy that allows remote SSL VPN users to connect to the Internet.
- Select Create New.
- Complete the following and select OK:
Incoming Interface | ssl.root |
Source Address | all |
Source User(s) | Tunnel |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
Configuring authentication rules
- Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
- Add an authentication rule for the remote user:
Users/Groups | Tunnel |
Portal | tunnel-access |
- Select OK and Apply.
Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.
From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.
Multiple user groups with different access permissions
You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit. In this example configuration, there are two users:
l User1 can access the servers on Subnet_1. l User2 can access the workstation PCs on Subnet_2.
You could easily add more users to either user group to provide them access to the user group’s assigned web portal.
General configuration steps
- Create firewall addresses for: l The destination networks.
- Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
- Create two web portals.
- Create two user accounts, User1 and User2.
- Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
- Create security policies:
- Two SSL VPN security policies, one to each destination. l Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
- Create the static route to direct packets for the users to the tunnel.
Creating the firewall addresses
Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.
Creating the destination addresses
SSL VPN users in this example can access either Subnet_1 or Subnet_2.
Multiple user groups with different access permissions
To define destination addresses – web-based manager:
- Go to Policy & Objects > Addresses.
- Select Create New, enter the following information, and select OK:
Name | Subnet_1 |
Type | Subnet |
Subnet/IP Range | 10.11.101.0/24 |
Interface | port2 |
- Select Create New, enter the following information, and select OK:
Name | Subnet_2 |
Type | Subnet |
Subnet/IP Range | 10.11.201.0/24 |
Interface | port3 |
Creating the tunnel client range addresses
To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.
To define tunnel client addresses – web-based manager:
- Go to Policy & Objects > Addresses.
- Select Create New, enter the following information, and select OK:
Name | Tunnel_group1 |
Type | IP Range |
Subnet/IP Range | 10.11.254.1-10.11.254.50 |
Interface | Any |
- Select Create New, enter the following information, and select OK.
Name | Tunnel_group2 |
Type | IP Range |
Subnet/IP Range | 10.11.254.51-10.11.254.100 |
Interface | Any |
Creating the web portals
To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.
To create the portal1 web portal:
- Go to VPN > SSL-VPN Portals and select Create New.
- Enter portal1 in the Name
- In Source IP Pools, select Tunnel_ group1.
- Select OK.
To create the portal2 web portal:
- Go to VPN > SSL-VPN Portals and select Create New.
- Enter portal2 in the Name field and select OK. In IP Pools, select Tunnel_ group2
- Select OK.
Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.
Creating the user accounts and user groups
After enabling SSL VPN and creating the web portals that you need, you need to create the user accounts and then the user groups that require SSL VPN access.
Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.
To create the user groups – web-based manager:
- Go to User & Device > User Groups.
- Select Create New and enter the following information:
Name | Group1 | |
Type | Firewall |
- From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
- Select OK.
- Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.
Creating the security policies
You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 59.
Multiple user groups with different access permissions
Two types of security policy are required:
- An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
- A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.
To create the SSL VPN security policies – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information and click OK:
Incoming Interface | ssl.root (sslvpn tunnel interface) |
Source Address | All |
Source User(s) | Group1 |
Outgoing Interface | port2 |
Destination Address | Subnet_1 |
Service | All |
- Select Create New.
- Enter the following information:
Incoming Interface | ssl.root (sslvpn tunnel interface) |
Source Address | All |
Source User(s) | Group2 |
Outgoing Interface | port3 |
Destination Address | Subnet_2 |
Service | All |
- Click OK.
Configuring authentication rules
- Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
- Add an authentication rule for the first remote group:
Users/Groups | Group1 |
Portal | Portal1 |
- Select OK and Apply.
- Select Create New and add an authentication rule for the second remote group:
Users/Groups | Group2 |
Portal | Portal2 |
- Select OK and Apply.
To create the tunnel-mode security policies – web-based manager:
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter the following information, and select OK:
Incoming Interface | ssl.root (sslvpn tunnel interface) |
Source Address | Tunnel_group1 |
Source User(s) | Group1 |
Outgoing Interface | port2 |
Destination Address | Subnet_1 |
Service | All |
Action | ACCEPT |
Enable NAT | Enable |
- Select Create New.
- Enter the following information, and select OK:
Incoming Interface | ssl.root (sslvpn tunnel interface) |
Source Address | Tunnel_group2 |
Source User(s) | Group2 |
Outgoing Interface | port3 |
Destination Address | Subnet_2 |
Service | All |
Action | ACCEPT |
Enable NAT | Enable |
Client device certificate authentication with multiple groups
Create the static route to tunnel mode clients
Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.
To add a route to SSL VPN tunnel mode clients – web-based manager:
- Go to Network > Static Routes and select Create New.
- Enter the following information and select OK.
Destination IP/Mask | 10.11.254.0/24
This IP address range covers both ranges that you assigned to SSL VPN tunnel-mode users. See Creating the tunnel client range addresses on page 60. |
Device | Select the SSL VPN virtual interface, ssl.root for example. |
Client device certificate authentication with multiple groups
In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.
Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.
This can only be performed in the CLI console.
The Authentication-rule option is only available in theCLI as an advanced setting to achieve your requirements. It is not available on the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate, but selectively enable client-cert in each authentication-rule based on the requirements through CLI instead.
Configuring SSL VPN shared settings and authentication rules – CLI:
The following example assumes that remote LDAP users/groups have been pre-configured.
config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1”
set port 443 set source-interface “wan1” set source-address “all”
Client device certificate authentication with multiple groups
set default-portal “full-access” config authentication-rule edit 1 set source-interface “wan1 set source-address “all” set groups “Employees” set portal “full-access” set client-cert enable
next edit 2 set source-interface “wan1” set source-address “all” set groups “Vendors” set portal “full-access” set client-cert disable <– Set by default and will not be displayed.
next
end
end
Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).
If configured correctly, only the ‘Employees’ group should require a client certificate to authenticate to the VPN.
Love your site, full of great information on a fantastic but under documented product line. I am looking for some advice on setting up SSL vpn to authenticate via LDAP to my active directory. We have several network zones configured and would like to apply network policies for remote users based on group membership. Any chance you have a post about such a scenario?
Thanks
There is a specific page somewhere that mentions it. I will find it and link you.
I’ve fortigate 90d (6.0) and 80c (5.6) but haven’t VPN > SSL menu.