Category Archives: FortiGate

Common SSLVPN issues

Common issues

To troubleshoot getting no response from the SSL VPN URL:

  1. Go to VPN > SSL-VPN Settings.
    1. Check the SSL VPN port.
    2. Check the Restrict Access settings to ensure the host you are connecting from is allowed.
  2. Go to Policy > IPv4 Policy or Policy > IPv6 Policy.
    1. Check that the policy for SSL VPN traffic is configured correctly.
  3. Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>

  4. Check that you are using the correct port number in the URL.
  5. Ensure the FortiGate is reachable from the computer:

ping <FortiGate IP>

  6. Check that the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.

To troubleshoot FortiGate connection issues:

  1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
  2. FortiClient uses the IE security settings. In IE, go to Internet Options > Advanced > Security and check that Use TLS 1.1 and Use TLS 1.2 are enabled.
  3. Check that the SSL VPN ip-pools has free IPs to assign. The default ip-pool SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
  4. Export and check the FortiClient debug logs.
    1. Go to File > Settings.
    2. In the Logging section, enable Export logs.
    3. Set the Log Level to Debug and select Clear logs.
    4. Try to connect to the VPN.
    5. When you get a connection error, select Export logs.

To troubleshoot SSL VPN hanging or disconnecting at 98%:

  1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.
  2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In FortiOS 5.6.0 and later, use the following commands to allow a user to increase the timers related to SSL VPN login:

config vpn ssl settings
    set login-timeout 180        (default is 30)
    set dtls-hello-timeout 60    (default is 10)
end

To troubleshoot tunnel mode connections shutting down after a few seconds:

This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.

If you are using FortiOS 6.0.1 or later:

config system interface
    edit <name>
        set preserve-session-route enable
    next
end

If you are using FortiOS 6.0.0 or earlier:

config vpn ssl settings
    set route-source-interface enable
end

To troubleshoot users being assigned to the wrong IP range:

  1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both places.

Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

To troubleshoot slow SSL VPN throughput:

Many factors can contribute to slow throughput.

One recommendation is to try improving throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.

FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.

To use DTLS with FortiClient:

  1. Go to File > Settings and enable Preferred DTLS Tunnel.

To enable DTLS tunnel on FortiGate, use the following CLI commands:

config vpn ssl settings
    set dtls-tunnel enable
end

SSL VPN troubleshooting

This topic provides tips for SSL VPN troubleshooting.

Diagnose commands

SSL VPN debug command

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

diagnose debug application sslvpn -1
diagnose debug enable

The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug:

diagnose debug disable
diagnose debug reset
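As an added example that is not part of the original article, the following Python parser works through debug output of the kind shown above: it groups the [pid:vdom] lines per handshake, reports the state at which a stalled handshake stopped, and pulls the negotiated cipher suite out of the SSL established line. The sample input is the output above plus a constructed second client (203.0.113.7) whose handshake never completes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of "diagnose debug application sslvpn -1" output, modelled on
# the lines shown above: the handshake from 172.20.120.12 completes, while a
# second, constructed client (203.0.113.7) stops after its ClientHello.
SAMPLE_DEBUG = """\
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (203.0.113.7)
[283:root]SSL state:SSLv3 read client hello A (203.0.113.7)
"""

# "[pid:vdom]SSL state:<state> (<client ip>)"; the state label may run straight
# into the parenthesis, as in "read finished A:system lib(172.20.120.12)".
STATE_RE = re.compile(r"\[(\d+):(\w+)\]SSL state:(.+?)\s*\(([\d.]+)\)\s*$")
# "[pid:vdom]SSL established: <cipher> <proto label> Kx=.. Au=.. Enc=.. Mac=.."
ESTABLISHED_RE = re.compile(r"\[(\d+):(\w+)\]SSL established: (\S+) (\S+) (.*)$")

# Caveat: the "SSLv3" in these state labels and in the cipher description is
# OpenSSL's internal naming (its TLS state machine reuses the SSLv3 labels);
# on its own it does not mean that SSLv3 was negotiated.


@dataclass
class Handshake:
    pid: str
    vdom: str
    client_ip: str
    states: List[str] = field(default_factory=list)
    cipher: Optional[str] = None
    cipher_detail: str = ""

    @property
    def completed(self) -> bool:
        return self.cipher is not None

    @property
    def last_state(self) -> str:
        return self.states[-1] if self.states else ""

    def mac(self) -> str:
        """The Mac=... field of the cipher description, e.g. 'SHA1'."""
        fields = dict(kv.split("=", 1) for kv in self.cipher_detail.split() if "=" in kv)
        return fields.get("Mac", "")


def parse_sslvpn_debug(text: str) -> Dict[str, Handshake]:
    """Group debug lines by the [pid:vdom] prefix and record how far each handshake got."""
    handshakes: Dict[str, Handshake] = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)          # search() skips the "FGT... # " prompt prefix
        if m:
            pid, vdom, state, ip = m.groups()
            hs = handshakes.setdefault(pid, Handshake(pid, vdom, ip))
            hs.states.append(state)
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            pid, vdom, cipher, _proto_label, detail = m.groups()
            hs = handshakes.setdefault(pid, Handshake(pid, vdom, "unknown"))
            hs.cipher, hs.cipher_detail = cipher, detail
    return handshakes


def review(handshakes: Dict[str, Handshake]) -> List[str]:
    """One finding per handshake: where a stalled one stopped, or what an established one negotiated."""
    findings = []
    for hs in handshakes.values():
        if not hs.completed:
            findings.append(f"{hs.client_ip}: handshake stalled after '{hs.last_state}'")
        elif hs.mac() in ("SHA1", "MD5"):
            findings.append(f"{hs.client_ip}: established {hs.cipher} (legacy {hs.mac()} MAC; review the cipher list)")
        else:
            findings.append(f"{hs.client_ip}: established {hs.cipher}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_sslvpn_debug(SAMPLE_DEBUG)):
        print(finding)
```

A client that stalls at the same state every time (for example right after its ClientHello) points at a TLS version or cipher mismatch rather than at authentication, which is where the fnbamd debug below takes over.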

Remote user authentication debug command

Use the following diagnose commands to identify remote user authentication issues.

diagnose debug application fnbamd -1
diagnose debug reset

SSL VPN with LDAP user password renew

This topic provides a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on the Windows 2012 AD server with Force password change on next logon.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Import the CA certificate into the FortiGate.
    1. Go to System > Feature Visibility and enable Certificates.
    2. Go to System > Certificates and select Import > CA Certificate.
    3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

  3. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to something more descriptive:

config vpn certificate ca
    rename CA_Cert_1 to LDAPS-CA
end

  4. Configure the LDAP user.
    1. Go to User & Device > LDAP Servers > Create New.
      • Specify Name and Server IP/Name.
      • Specify Common Name Identifier and Distinguished Name.
      • Set Bind Type to Regular.
      • Specify Username and Password.
      • Enable Secure Connection and set Protocol to LDAPS.
      • For Certificate, select the LDAP server CA LDAPS-CA from the list.
    2. To enable the password-renew option, use these CLI commands:

config user ldap
    edit "ldaps-server"
        set password-expiry-warning enable
        set password-renewal enable
    next
end

  5. Configure the user group.
    1. Go to User & Device > User Groups to create a user group.
    2. Enter a Name.
    3. In Remote Groups, click Add to add ldaps-server.
  6. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

    2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the FortiGate.
  7. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for the group ldaps-group, mapping it to the portal full-access.
  8. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
    3. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to ldaps-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Import the CA certificate into the FortiGate.
    1. Go to System > Feature Visibility and enable Certificates.
    2. Go to System > Certificates and select Import > CA Certificate.
    3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

  3. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to something more descriptive:

config vpn certificate ca
    rename CA_Cert_1 to LDAPS-CA
end

  4. Configure the LDAP server.

config user ldap
    edit "ldaps-server"
        set server "172.20.120.161"
        set cnid "cn"
        set dn "cn=Users,dc=qa,dc=fortinet,dc=com"
        set type regular
        set username "CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com"
        set password ENC Uf/OvqAbjSpeZz4wv9Tapl3xyMn1DGSTSxb2ZAB5dA5kVd0wVsGaeAhuX1Hl7mRtJQdRL8L2mzSfV6NTyQsdJ8E+rZymImS2rfQg0OZ0IRRYKp0v3qFXgsmW9x9xRP2u79OcpUR5JmnnW8DFnK9jSUGix+DvYpbBn8EwweoDQq55Ej9FLwKSBYiYZs18V9ktSxT49w==
        set group-member-check group-object
        set secure ldaps
        set ca-cert "LDAPS-CA"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable
    next
end

  5. Configure the user group.

config user group
    edit "ldaps-group"
        set member "ldaps-server"
    next
end

  6. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  7. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "ldaps-group"
            set portal "full-access"
        next
    end
end

  8. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "ldaps-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the ldu1

Use a user that is configured on the AD server with Force password change on next logon.

  3. Click Login. You are prompted to enter a new password.
  4. Go to VPN > Monitor > SSL-VPN Monitor to verify the user's connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the ldu1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user's connection.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User   Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       ldu1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User   Source IP   Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User   Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       ldu1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User   Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       ldu1   10.1.100.254   9          22099/43228   10.212.134.200

SSL VPN with RADIUS password renew on FortiAuthenticator

This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon. In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force password change on next logon.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Create a RADIUS user.
    1. Go to User & Device > RADIUS Servers to create a user.
    2. Set Authentication method to MS-CHAP-v2.
    3. Enter the IP/Name and Secret.
    4. Click Create.

Password renewal only works with the MS-CHAP-v2 authentication method.

  3. To enable the password-renew option, use these CLI commands:

config user radius
    edit "fac"
        set server "172.20.120.161"
        set secret <fac radius password>
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

  4. Configure the user group.
    1. Go to User & Device > User Groups to create a user group.
    2. For the Name, enter fac-group.
    3. In Remote Groups, click Add to add the Remote Server you just created.
  5. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

    2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the FortiGate.
  6. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for the group fac-group, mapping it to the portal full-access.
  7. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
    3. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to fac-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure the RADIUS server.

config user radius
    edit "fac"
        set server "172.18.58.107"
        set secret <fac radius password>
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

  3. Configure the user group.

config user group
    edit "fac-group"
        set member "fac"
    next
end

  4. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  5. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "fac-group"
            set portal "full-access"
        next
    end
end

  6. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "fac-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the test1

Use a user that is configured on FortiAuthenticator with Force password change on next logon.

  3. Click Login. You are prompted to enter a new password.
  4. Go to VPN > Monitor > SSL-VPN Monitor to verify the user's connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the test1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user's connection.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       test1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP   Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       test1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       test1   10.1.100.254   9          22099/43228   10.212.134.200

SSL VPN with local user password policy

This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are warned after one day about the password expiring. The password policy can be applied to any local user password. The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.

In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the expiration time is reached, the user can still renew the password.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Configure the user and user group.
    1. Go to User & Device > User Definition to create a local user.
    2. Enter the user's Email Address.
    3. If you want, enable Two-factor Authentication.
    4. Click Next and click Submit.
    5. Go to User & Device > User Groups to create a user group and add that local user to it.
  3. Configure and assign the password policy using the CLI.
    1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy
    edit "pwpolicy1"
        set expire-days 2
        set warn-days 1
    next
end

    2. Assign the password policy to the user you just created.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd-policy "pwpolicy1"
    next
end

  4. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

    2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the FortiGate.
  5. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for the group sslvpngroup, mapping it to the portal full-access.
  6. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure the user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure and assign the password policy.
    1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy
    edit "pwpolicy1"
        set expire-days 2
        set warn-days 1
    next
end

    2. Assign the password policy to the user you just created.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd-policy "pwpolicy1"
    next
end

  4. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  5. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

  6. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the sslvpnuser1

When the warning time is reached, the user is prompted to enter a new password.

In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the administrator.

In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.

  3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1

When the warning time is reached, the user is prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user's connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check that login failed due to password expired on GUI:

  1. Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
  2. Click Details to see the log details about the Reason sslvpn_login_password_expired.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP   Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200

To check the FortiOS 6.2 login password expired event log:

FG201E4Q17901354 # execute log filter category event
FG201E4Q17901354 # execute log filter field subtype vpn
FG201E4Q17901354 # execute log filter field action ssl-login-fail
FG201E4Q17901354 # execute log display
1: date=2019-02-15 time=10:57:56 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1550257076 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u1" group="g1" dst_host="N/A" reason="sslvpn_login_password_expired" msg="SSL user failed to logged in"
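As an added example that is not part of the original article, the following Python code parses the key=value event-log format shown above (quoted values such as msg="SSL user failed to logged in" contain spaces, so a plain split on whitespace is not enough) and pulls out the ssl-login-fail records whose reason is sslvpn_login_password_expired, counted per user. Record 1 of the sample is the entry above; records 2 and 3 are constructed, and the logid of record 3 is a placeholder rather than a real FortiOS log ID.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of "execute log display" output. Record 1 is the entry shown
# above; records 2 and 3 are constructed for this example (record 3 stands in for
# a successful login and carries a placeholder logid, not a real FortiOS log ID).
SAMPLE_LOG = """\
1: date=2019-02-15 time=10:57:56 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1550257076 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u1" group="g1" dst_host="N/A" reason="sslvpn_login_password_expired" msg="SSL user failed to logged in"
2: date=2019-02-15 time=10:58:30 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1550257110 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u1" group="g1" dst_host="N/A" reason="sslvpn_login_password_expired" msg="SSL user failed to logged in"
3: date=2019-02-15 time=11:02:11 logid="0000000000" type="event" subtype="vpn" level="information" vd="root" eventtime=1550257331 logdesc="SSL VPN login" action="ssl-login" tunneltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u2" group="g1" dst_host="N/A" reason="N/A" msg="SSL user logged in"
"""

# key=value pairs; a value is either double-quoted (and may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
INDEX_RE = re.compile(r"^\d+:\s*")   # the "1: " counter that execute log display prepends


def parse_record(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log record into a dict, with the quotes stripped."""
    record: Dict[str, str] = {}
    for key, value in KV_RE.findall(INDEX_RE.sub("", line)):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of execute log display output."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def expired_password_failures(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """SSL VPN logins the FortiGate rejected because the local password had expired."""
    return [
        r for r in records
        if r.get("action") == "ssl-login-fail"
        and r.get("reason") == "sslvpn_login_password_expired"
    ]


def users_needing_reset(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count expired-password rejections per user. On FortiOS 6.2 these users can no
    longer renew the password themselves and need an administrator reset; a burst
    of them from a single remip is also worth a closer look."""
    return dict(Counter(r.get("user", "") for r in expired_password_failures(records)))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, n in users_needing_reset(recs).items():
        print(f"{user}: {n} expired-password login failure(s)")
```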

SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server and FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

  1. Add a FortiToken Mobile license on the FortiAuthenticator.
    1. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens. Click Create New.
    2. Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
  2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
    1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client (OfficeServer).
    2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.

    3. Set Authentication method to Enforce two-factor authentication.
    4. Select Enable FortiToken Mobile push notifications authentication.
    5. Set Realms to local | Local users.
  3. Create a user and assign FortiToken Mobile to the user on the FortiAuthenticator.
    1. On the FortiAuthenticator, go to Authentication > User Management > Local Users to create a user sslvpnuser1.
    2. Enable Allow RADIUS authentication and click OK to access additional settings.
    3. Enable Token-based authentication and select to deliver the token code by FortiToken.
    4. Select the FortiToken added earlier from the FortiToken Mobile dropdown menu.
    5. Set Delivery method to Email and fill in the User Information
    6. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
    7. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
  4. Install the FortiToken Mobile application on your smartphone, for Android or iOS.

The FortiAuthenticator sends the FortiToken Mobile activation to the user's email address.

  5. Activate the FortiToken Mobile through the FortiToken Mobile application by either entering the activation code or by scanning the QR code.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

    1. Go to Network > Interface and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Create a RADIUS user and user group.
    1. On the FortiGate, go to User & Device > RADIUS Servers to create a user to connect to the RADIUS server (FortiAuthenticator).
    2. For Name, use FAC-RADIUS.
    3. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
    4. Click Test Connectivity to ensure you can connect to the RADIUS server.
    5. Select Test User Credentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

    6. Go to User & Device > User Groups and click Create New to map authenticated remote users to a user group on the FortiGate.
    7. For Name, use SSLVPNGroup.
    8. In Remote Groups, click Add.
    9. In the Remote Server dropdown list, select FAC-RADIUS.
    10. Leave the Groups field blank.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

This portal supports both web and tunnel mode.

    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface; in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal full-access.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. The Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Create a RADIUS user and user group.

config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
        set secret <FAC client secret>
    next
end

config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end

  3. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the web portal:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the sslvpnuser1 credentials.

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

  3. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

  4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

To see the results of the tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

  7. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login on CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200

SSL VPN with RADIUS on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

  1. Create a user on the FortiAuthenticator.
    1. On the FortiAuthenticator, go to Authentication > User Management > Local Users to create a user sslvpnuser1.
    2. Enable Allow RADIUS authentication and click OK to access additional settings.
    3. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
    4. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
  2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
    1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client (OfficeServer).
    2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.

    3. Set Realms to local | Local users.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

    1. Go to Network > Interface and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Create a RADIUS user and user group.
    1. On the FortiGate, go to User & Device > RADIUS Servers to create a user to connect to the RADIUS server (FortiAuthenticator).
    2. For Name, use FAC-RADIUS.
    3. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
    4. Click Test Connectivity to ensure you can connect to the RADIUS server.
    5. Select Test User Credentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

    6. Go to User & Device > User Groups and click Create New to map authenticated remote users to a user group on the FortiGate.
    7. For Name, use SSLVPNGroup.
    8. In Remote Groups, click Add.
    9. In the Remote Server dropdown list, select FAC-RADIUS.
    10. Leave the Groups field blank.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

This portal supports both web and tunnel mode.

    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface; in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal full-access.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. The Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Create a RADIUS user and user group.

config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
        set secret <FAC client secret>
    next
end

config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end

  3. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the web portal:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the sslvpnuser1 credentials.
  3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

To see the results of the tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200

SSL VPN with FortiToken Mobile Push authentication

This topic provides a sample configuration of SSL VPN that uses FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    1. Go to Dashboard > Licenses.
    2. Hover the pointer over FortiCare Support to check whether FortiCare is registered. If not, click it and select Register.
  3. Add FortiToken Mobile to FortiGate.

If your FortiGate has FortiToken installed, skip this step.

    1. Go to User & Device > FortiTokens and click Create New.
    2. Select Mobile Token and type in the Activation Code.
    3. Every FortiGate has two free Mobile Tokens. Go to User & Device > FortiTokens and click Import Free Trial Tokens.
  4. Enable FortiToken Mobile Push.

To use FTM-push authentication, use the CLI to enable FTM-Push on the FortiGate.

    1. Ensure server-ip is reachable from the Internet and enter the following CLI commands:

config system ftm-push
    set server-ip 172.20.120.123
    set status enable
end

    2. Go to Network > Interfaces.
    3. Edit the wan1 interface.
    4. Under Administrative Access > IPv4, select FTM.
    5. Click OK.
  5. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Enter the user’s Email Address.
    3. Enable Two-factor Authentication and select one Mobile token from the list.
    4. Enable Send Activation Code from Email.
    5. Click Next and click Submit.
    6. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  6. Activate the Mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install the FortiToken Mobile application on your device and activate your token.
  7. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.

This portal supports both web and tunnel mode.

    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  8. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface; in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set the default Portal to web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal full-access.
  9. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. The Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

diagnose forticare direct-registration product-registration -a "your account@xxx.com" -p "your password" -T "Your Country/Region" -R "Your Reseller" -e 1

  3. Add FortiToken Mobile to FortiGate.
    1. If your FortiGate has FortiToken installed, skip this step.

execute fortitoken-mobile import <your FTM code>

    2. Every FortiGate has two free Mobile Tokens. You can download the free token.

execute fortitoken-mobile import 0000-0000-0000-0000-0000

  4. Enable FortiToken Mobile Push.
    1. To use FTM-push authentication, ensure server-ip is reachable from the Internet and enable FTM-Push on the FortiGate.

config system ftm-push
    set server-ip 172.20.120.123
    set status enable
end

    2. Enable the FTM service on the WAN interface.

config system interface
    edit "wan1"
        append allowaccess ftm
    next
end

  5. Configure user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set two-factor fortitoken
        set fortitoken <select mobile token from the option list>
        set email-to <user's email address>
        set passwd <user's password>
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  6. Activate the Mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install the FortiToken Mobile application on your device and activate your token.
  7. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  8. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

  9. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
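The three "To configure SSL VPN using the CLI" procedures on this page create the same objects, so one added example serves all of them (this is not Fortinet code): a Python parser for the FortiOS config/edit/set/next/end syntax, plus an audit over the parsed objects that checks the relationships the steps rely on (every group named in an authentication-rule exists, the mapped portal has split tunneling disabled, the ssl.root policy carries a group or user) and flags `source-address "all"`, which the Restrict Access setting narrows. The trimmed configuration below is constructed from the steps above, not exported from a device.

```python
import shlex

# Constructed sample (not a device export): the FortiGate CLI objects from the
# procedures above, re-indented and trimmed to what the audit inspects.
SAMPLE_CONFIG = """
config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
    next
end
config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set groups "sslvpngroup"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI syntax (config/edit/set/next/end) into nested dicts;
    `set` values stay as token lists because keys such as groups take several names."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):   # open a table or one of its entries
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):    # close the innermost open scope
            stack.pop()
    return root


def audit_sslvpn(cfg):
    """Findings a reviewer would raise: dangling group references in authentication
    rules, a portal that still split-tunnels, an unrestricted listener, and an
    ssl.root policy that matches no user or group."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portals = cfg.get("vpn ssl web portal", {})
    groups = cfg.get("user group", {})
    for rid, rule in settings.get("authentication-rule", {}).items():
        for g in rule.get("groups", []):
            if g not in groups:
                findings.append(f"authentication-rule {rid}: group {g} is not defined")
        for p in rule.get("portal", []):
            if p in portals and portals[p].get("split-tunneling") != ["disable"]:
                findings.append(f"portal {p}: split-tunneling is not disabled")
    if settings.get("source-address") == ["all"]:
        findings.append("source-address all: any client may reach the listener (Restrict Access)")
    for pid, policy in cfg.get("firewall policy", {}).items():
        if "ssl.root" in policy.get("srcintf", []) and not (policy.get("groups") or policy.get("users")):
            findings.append(f"firewall policy {pid}: ssl.root policy without groups or users")
    return findings
```

Run `audit_sslvpn(parse_fortios(SAMPLE_CONFIG))` against a fuller `show` export to see which of the page's assumptions a real configuration breaks.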

To see the results of the web portal:

  1. From a remote device, open a web browser and log into the SSL VPN web portal at https://172.20.120.123:10443.
  2. Log in using the sslvpnuser1 credentials.

The FortiGate pushes a login request notification through the FortiToken Mobile application.

  3. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

  4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

To see the results of the tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiGate pushes a login request notification through the FortiToken Mobile application.

  7. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes   Tunnel/Dest IP

To check the tunnel login using the CLI:

get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200