Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

The SSL VPN Client

The remote client connects to the SSL VPN tunnel in various ways, depending on the VPN configuration.

  • Web mode requires nothing more than a web browser. For detailed information about supported browsers, see Web-only mode on page 2243.
  • Tunnel mode establishes a connection to the remote protected network that any application can use. If the client computer runs Microsoft Windows, the user can download the tunnel mode client from the web portal. If the client computer runs Linux or Mac OS X, the user needs to download the tunnel mode client application from the Fortinet Support web site. See the Release Notes for your FortiOS firmware for the specific operating system versions that are supported. The remote user must use the standalone tunnel client application.
  • The virtual desktop application creates a virtual desktop on a user’s PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirected to a new location, and the data is encrypted before it is written to the local disk. When the virtual desktop application exits normally, all the data written to the disk is removed. If the session terminates abnormally (power loss, system failure, etc.), the data left behind is encrypted and unusable to the user. The next time you start the virtual desktop, the encrypted data is removed.

 

 

FortiClient

Remote users can use the FortiClient software to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

FortiClient software is available for download at www.forticlient.com and is available for Windows, Mac OS X, Apple iOS, and Android.

 

Tunnel mode client configuration

The FortiClient SSL VPN tunnel client requires basic configuration by the remote user to connect to the SSL VPN tunnel. When distributing the FortiClient software, provide the following information for the remote user to enter once the client software has been started. Once entered, they can select Connect to begin an SSL VPN session.

Connection Name: If you have pre-configured the connection settings, select the connection from the list and then select Connect. Otherwise, enter the settings in the fields below.

Remote Gateway: Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.

Username: Enter your username.

Client Certificate: Use this field if the SSL VPN requires a certificate for authentication. Select the required certificate from the drop-down list. The certificate must be installed in the Internet Explorer certificate store.

Basic configuration

Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed, and where to locate the options in FortiOS. For real-world examples, see Setup examples on page 2283.

Configuring an SSL VPN tunnel involves three mandatory key steps; the remaining steps listed below are optional (the routing step is needed only for tunnel mode). This chapter outlines these key steps as well as additional configurations for tighter security and monitoring.

 

The key steps are:

  • Create user accounts and user groups for the remote clients. (User accounts and groups on page 2248)
  • Create a web portal to define user access to network resources. (Configuring SSL VPN web portals on page 2253)
  • Configure the security policies. (Configuring security policies on page 1)
  • For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface. (Routing in tunnel mode on page 2260)
  • Set up logging of SSL VPN activities. (SSL VPN logs on page 2266)

 

This section contains the following information:

  • User accounts and groups
  • Configuring SSL VPN web portals
  • Configuring encryption key algorithms
  • Additional configuration options

 

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

 

To create a user account:

  • In the web-based manager, go to User & Device > User Definition, and select Create New.
  • In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

 

To create user groups:

  • In the web-based manager, go to User & Device > User Groups and select Create New.
  • In the CLI, use the commands in config user group.

Guest group and SSO group have been removed from config user group and config vpn ssl web user-group-bookmark.

 

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.

For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:

config user ldap
    edit <username>
        set server <domain>
        set password-expiry-warning enable
        set password-renewal enable
    end

 

For more information, see the Authentication Guide.

 

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check against the client’s MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can ensure better security should a password be compromised.

MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset of the address. MAC host checking is configured in the CLI using the following commands:

config vpn ssl web portal
    edit portal
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "rule1"
                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
                set mac-addr-mask 48
            end
    end
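As an added illustration (not part of the handbook and not Fortinet code), the following Python models how a mac-addr-check-rule with a mask is evaluated: the client address is compared to each listed address only on its leading mac-addr-mask bits, so a mask of 48 requires an exact match while a shorter mask matches a whole prefix (24 bits covers a vendor OUI). The address list, mask and action are the values from the snippet above; the sample client addresses and the allow/deny semantics modelled for mac-addr-action are assumptions made for this example.

```python
import re

# Constructed example: the two MAC addresses and the 48-bit mask from the
# handbook's mac-addr-check-rule snippet, used as a rule against sample clients.
RULE_MAC_LIST = ["01:01:01:01:01:01", "08:00:27:d4:06:5d"]
RULE_MAC_MASK = 48          # prefix length in bits; 48 = whole address must match
RULE_ACTION = "allow"       # mirrors 'set mac-addr-action allow'

MAC_BITS = 48


def mac_to_int(mac: str) -> int:
    """Parse a colon- or hyphen-separated MAC address into a 48-bit integer."""
    octets = re.split(r"[:-]", mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def prefix_mask(prefix_len: int) -> int:
    """Bit mask selecting the leading prefix_len bits of a 48-bit address."""
    if not 1 <= prefix_len <= MAC_BITS:
        raise ValueError("mac-addr-mask must be between 1 and 48 bits")
    return ((1 << prefix_len) - 1) << (MAC_BITS - prefix_len)


def mac_matches(client_mac: str, rule_mac: str, prefix_len: int) -> bool:
    """True when the leading prefix_len bits of both addresses are equal."""
    mask = prefix_mask(prefix_len)
    return (mac_to_int(client_mac) & mask) == (mac_to_int(rule_mac) & mask)


def evaluate_rule(client_mac: str, mac_list=RULE_MAC_LIST,
                  prefix_len: int = RULE_MAC_MASK, action: str = RULE_ACTION) -> str:
    """Return 'allow' or 'deny' for a client.

    Assumption (not taken from the handbook): with action 'allow' only listed
    addresses may connect; with action 'deny' listed addresses are blocked and
    everything else is allowed.
    """
    matched = any(mac_matches(client_mac, rule, prefix_len) for rule in mac_list)
    if action == "allow":
        return "allow" if matched else "deny"
    if action == "deny":
        return "deny" if matched else "allow"
    raise ValueError(f"unknown mac-addr-action: {action!r}")


if __name__ == "__main__":
    # Constructed client addresses: an exact listed address and a different
    # device sharing the same first three octets (same vendor prefix).
    for client in ["08:00:27:D4:06:5D", "08:00:27:aa:bb:cc"]:
        print(client, "mask 48 ->", evaluate_rule(client),
              "| mask 24 ->", evaluate_rule(client, prefix_len=24))
    try:
        evaluate_rule("08:00:27:zz:06:5d")   # malformed input is rejected, not silently denied
    except ValueError as exc:
        print("rejected:", exc)
```

The address being checked is reported by the connecting client, so the rule narrows which devices a known credential can be used from rather than proving device identity; it complements user authentication and certificates rather than replacing them.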

 

IP addresses for users

After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

 

To set tunnel-mode client IP address range – web-based manager:

1. Go to Policy & Objects > Addresses and select Create New.

2. Enter a Name, for example, SSL_VPN_tunnel_range.

3. Select a Type of IP Range.

4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 10.254.254.[80-100].

5. In Interface, select Any.

6. Select OK.

 

To set tunnel-mode client IP address range – CLI:

If your SSL VPN tunnel range is for example 10.254.254.80 – 10.254.254.100, you could enter

config firewall address
    edit SSL_tunnel_users
        set type iprange
        set start-ip 10.254.254.80
        set end-ip 10.254.254.100
    end

 

DHCP relay of IP address

The FortiGate unit can obtain IP addresses for SSL VPN clients from a DHCP server; however, this is configurable only in the CLI console, by editing the ssl.root interface.

 

To enable DHCP relay service and relay IP address – CLI:

config system interface
    edit ssl.root
        set dhcp-relay-service [enable|disable]
        set dhcp-relay-ip
    next
end

 

Authentication of remote users

When remote users connect to the SSL VPN tunnel, they must authenticate before they can use the internal network resources. This can be as simple as assigning users their own passwords, connecting to an LDAP server, or using more secure options. FortiOS provides a number of options for authentication as well as security options for connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.

Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Using the Bookmarks widget on page 2276.

 

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18000 seconds, enter the following commands in the CLI:

config vpn ssl settings
    set auth-timeout 18000
end

You can also set the idle timeout for the client, which defines how long a user can go without accessing the remote resources before being logged out.

 

Allow one-time login per user

You can configure the SSL VPN tunnel so that each user can have only one concurrent login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.

 

To allow one-time login per user – web-based manager:

Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.

 

To allow one-time login per user – CLI:

config vpn ssl web portal
    edit <portal_name>
        set limit-user-logins enable
    end

 

Strong authentication with security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

For information about obtaining and installing certificates, see the Authentication Guide.

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.

When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.

 

To require client authentication by security certificates – web-based manager:

1. Go to VPN > SSL-VPN Settings.

2. Select Require Client Certificate.

3. Select Apply.

 

To require client authentication by security certificates – CLI:

config vpn ssl settings
    set reqclientcert enable
end

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a CA certificate that the client browser has installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.

 

To enable FortiGate unit authentication by certificate – web-based manager:

1. Go to VPN > SSL-VPN Settings.

2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.

3. Select Apply.

 

To enable FortiGate unit authentication by certificate – CLI:

For example, to use the example_cert certificate:

config vpn ssl settings
    set servercert example_cert
end

 

FortiOS will check the server certificate to verify that the certificate is valid. Only valid server certificates should be used.

 

NSA Suite B cryptography support

FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.

FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:

exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

 

Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure: the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees after a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

 

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s): Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.

Listen on Port: Enter the port number for HTTPS access.

Redirect port 80 to this login port: Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPS-redirect is disabled by default):

 

Syntax:

config vpn ssl settings
    set https-redirect [enable | disable]
end

 

Restrict Access: Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.

Idle Logout: Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.

Server Certificate: Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.

Require Client Certificate: Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process. For information on using PKI to provide client certificate authentication, see the Authentication Guide.

 

Address Range: Select Automatically assign addresses or Specify custom IP ranges. The latter allows you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.

DNS Server: If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Specify WINS Servers: Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

Allow Endpoint Registration: Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

 

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals. There are three pre-defined default portal configurations available:

  • full-access
  • tunnel-access
  • web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Name: The name for the portal.

Limit Users to One SSL-VPN Connection at a Time: You can configure the SSL VPN tunnel so that each user can have only one concurrent login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.

Tunnel Mode: These settings determine how tunnel mode clients are assigned IPv4 addresses.

Enable Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user's other traffic follows its normal route. If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools: Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.

Tunnel Mode Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

 

  • Allow client to save password – When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
  • Allow client to connect automatically – When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
  • Allow client to keep connections alive – When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

 

Enable Web Mode: Select to enable web mode access.

Portal Message: This is a text header that appears on the top of the web portal.

Theme: Select a color styling specifically for the web portal.

Show Session Information: The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.

Show Connection Launcher: Displays the Connection Launcher widget in the web portal.

Show Login History: Select to include user login history on the web portal.

User Bookmarks: Enable to allow users to add their own bookmarks in the web portal.

Predefined Bookmarks: Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

 

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

To enable a default portal – CLI:

config vpn ssl settings
    set default-portal <full-access | tunnel-access | web-access>
end

 

 

Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

 

To add a bookmark – web-based manager:

1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.

2. Select Create New and enter the following information:

Category: Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.

Name: Enter a name for the bookmark.

Type: Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.

URL: Enter the IP address source.

Description: Enter a brief description of the link.

Single Sign-On: Enable if you wish to use Single Sign-On (SSO) for any links that require authentication. When including a link using SSO, be sure to use the entire URL. For example, http://10.10.1.0/login, rather than just the IP address.

3. Select OK.

For more configuration options, see Configuring SSL VPN web portals on page 2253.

 

Personal bookmarks

The administrator has the ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal on page 2275.

 

To enable personal bookmarks:

1. Go to System > Feature Select.

2. Enable SSLVPN Personal Bookmark Management.

3. Select Apply.

 

SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

Before you begin, copy the default login page text to a separate text file for safe-keeping. Afterward, if needed, you can restore the text to the original version.

 

To configure SSL VPN Realms – web-based manager:

1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.

2. The first option in the custom login page is to enter the path of the custom URL.

This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.

3. You can also limit the number of users that can access the custom login at any given time.

4. You can use HTML code to customize the appearance of the login page.

5. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping section.

6. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.

 

To configure SSL VPN Realms – CLI:

config vpn ssl web realm
    edit <url-path>
        set login-page <content_str>
        set max-concurrent-user <int>
        set virtual-host <hostname_str>
    end

Where the following variables are set:

edit <url-path>: Enter the URL path to access the SSL-VPN login page. Do not include "http://". No default.

login-page <content_str>: Enter replacement HTML for the SSL-VPN login page. No default.

max-concurrent-user <int>: Enter the maximum number of concurrent users allowed. Range 0-65535. 0 means unlimited. Default: 0.

virtual-host <hostname_str>: Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.

Configuring encryption key algorithms

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

 

To configure encryption key algorithms – CLI:

Use the following CLI command,

config vpn ssl settings
    set algorithm <cipher_suite>
end

where one of the following variables replaces <cipher_suite>:

low: Use any cipher suite; AES, 3DES, RC4, or DES.

medium: Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.

high: Use a cipher suite greater than 128 bits; AES or 3DES.

 

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

 

Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

 

Routing in tunnel mode

If you are creating an SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

 

To add the tunnel mode route – web-based manager:

1. Go to Network > Static Routes and select Create New.

2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.

3. Select the SSL VPN virtual interface for the Device.

4. Select OK.

 

To add the tunnel mode route – CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    end
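The overlap warning in IP addresses for users and the static route above depend on the same planning step, so this added Python example (not from the handbook or Fortinet) covers both: it expands an iprange firewall address into the CIDR blocks it spans, derives the single prefix to use as the static route destination towards ssl.root, and reports any internal subnet that prefix would capture. The pool range is the handbook's 10.254.254.80 to 10.254.254.100; the internal subnets are constructed for the example.

```python
import ipaddress

# Constructed example inputs: the tunnel-mode pool from the handbook's firewall
# address example and two internal subnets assumed, for illustration only, to
# sit behind the FortiGate.
POOL_START = "10.254.254.80"
POOL_END = "10.254.254.100"
INTERNAL_SUBNETS = ["10.10.0.0/16", "192.168.1.0/24"]


def pool_blocks(start: str, end: str):
    """CIDR blocks that cover an iprange firewall address exactly."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("end-ip must not be lower than start-ip")
    return list(ipaddress.summarize_address_range(first, last))


def route_destination(start: str, end: str) -> ipaddress.IPv4Network:
    """Smallest single prefix containing the whole pool.

    This is the 'dst' for the static route whose device is ssl.root, so that
    replies from the protected network are sent back into the tunnel.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("end-ip must not be lower than start-ip")
    net = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in net:          # widen one bit at a time until the end address fits
        net = net.supernet()
    return net


def conflicting_subnets(start: str, end: str, internal):
    """Internal subnets that the tunnel route would (partly) capture.

    A route to ssl.root covering addresses that are also used inside the private
    network would divert traffic for those hosts into the tunnel; this is the
    overlap the handbook tells you to avoid.
    """
    route = route_destination(start, end)
    return [s for s in internal if route.overlaps(ipaddress.ip_network(s))]


def plan(start: str, end: str, internal):
    """Summarise the pool, its route destination and any conflicts in one dict."""
    return {
        "pool_blocks": [str(b) for b in pool_blocks(start, end)],
        "route_dst": str(route_destination(start, end)),
        "conflicts": conflicting_subnets(start, end, internal),
    }


if __name__ == "__main__":
    print(plan(POOL_START, POOL_END, INTERNAL_SUBNETS))
    # Constructed counter-example: a pool carved out of an existing LAN is flagged.
    print(plan("10.10.5.1", "10.10.5.50", INTERNAL_SUBNETS))
```

The route destination is the smallest prefix that contains the whole pool (10.254.254.64/26 for the example range), so it is wider than the pool itself. The conflict check runs against that prefix rather than the bare pool because it is the prefix that ends up in the routing table; a hit means traffic for real internal hosts would be sent to ssl.root.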

 

DTLS tunneling to improve upload/download speed

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. The DTLS tunneling implementation avoids the TCP-over-TCP issues that arise when TCP traffic is carried inside a TCP tunnel, and can improve throughput. DTLS support can be enabled in the CLI as described below:

 

To configure DTLS tunneling – CLI:

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

 

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://<FortiGate_IP_address>:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port – web-based manager:

1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.

2. Go to VPN > SSL-VPN Settings.

3. Type an unused port number in the Listen on Port field and select Apply.

 

To change the SSL VPN port – CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings
    set port 10443
end

 

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port. There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

 

To redirect HTTP to HTTPS port – CLI:

config vpn ssl settings
    set https-redirect [enable | disable] (default: disabled)
end

 

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.


Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Additional configuration options on page 2259.

The Host Check list includes default entries for many security software products.

Host integrity checking is only possible with client computers running Microsoft Windows platforms.


To configure host checking – CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check av-fw
end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
end

Replacing the host check error message

You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”


To replace the host check error message – web-based manager:

1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.

2. Scroll down to SSL VPN and select Hostcheck Error Message.

3. Edit the text in the right-hand column below and select Save.

If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.


To replace the host check error message – CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error
    set buffer "<your_message_text>"
end

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software edit <software_name>

set guid <guid_value>

set type <av | fw>

set version <version_number>

end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Host Check is applicable for both SSLVPN Web Mode and SSLVPN Tunnel mode.


Windows OS check

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

The following example shows you how to add an OS check to the ‘g1portal’ web portal. This OS check accepts all Windows XP users and Windows 2000 users running patch level 3.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

config vpn ssl web portal
    edit g1portal
        set os-check enable
        config os-check-list windows-2000
            set action check-up-to-date
            set latest-patch-level 3
            set tolerance 1
        end
        config os-check-list windows-xp
            set action allow
        end
    end
end

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

  • KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
        set type fw
    next
end

Then reference the new definition from the host check policy of the portal (replace <portal_name> with your portal, for example full-access):

config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy Microsoft-Windows-Firewall
    next
end
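The following is an added example (not FortiOS code) that models how the two portal admission checks described on this page are evaluated: it parses the check-item-list target syntax used in the Microsoft-Windows-Firewall definition above and applies the os-check-list patch-level rule from the Windows OS check section (lowest acceptable patch level is latest-patch-level minus tolerance). The registry snapshots are constructed, and the rule that every check item must match is an assumption, since the page does not say how several items combine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syntax of a check-item-list 'target' as quoted on this page:
#   <hive>\\<key path>:<value name>==<expected value>
# The doubled backslashes are the FortiOS CLI's escaping of single ones.
_TARGET_RE = re.compile(
    r"^(?P<hive>[A-Za-z_]+)\\\\(?P<path>.+):(?P<value>[^:=]+)==(?P<expected>.+)$"
)

Registry = Dict[Tuple[str, str], Dict[str, object]]  # (hive, key path) -> {value name: data}


def parse_registry_target(target: str) -> Tuple[str, str, str, str]:
    """Split a target string into (hive, key path, value name, expected value)."""
    m = _TARGET_RE.match(target)
    if not m:
        raise ValueError(f"unrecognised target syntax: {target!r}")
    key_path = m.group("path").replace("\\\\", "\\")  # undo the CLI escaping
    return m.group("hive"), key_path, m.group("value"), m.group("expected")


def registry_item_passes(target: str, registry: Registry) -> bool:
    """One check item passes when the key exists, holds the named value and the
    value's data, rendered as text, equals the expected literal. Key paths and
    value names compare case-insensitively, as Windows does; a missing key or
    value fails the item."""
    hive, key_path, value_name, expected = parse_registry_target(target)
    for (reg_hive, reg_path), values in registry.items():
        if reg_hive.upper() != hive.upper() or reg_path.lower() != key_path.lower():
            continue
        for name, data in values.items():
            if name.lower() == value_name.lower():
                return str(data) == expected
        return False
    return False


def custom_host_check_passes(targets: List[str], registry: Registry, require_all: bool = True) -> bool:
    """Assumption (not stated on the page): with require_all every item must
    pass, so the firewall counts as on only if all three profiles report
    EnableFirewall == 1."""
    results = [registry_item_passes(t, registry) for t in targets]
    return all(results) if require_all else any(results)


@dataclass
class OsCheckRule:
    action: str                               # allow | check-up-to-date | deny
    latest_patch_level: Optional[int] = None  # None models 'disable'
    tolerance: int = 0


def lowest_acceptable_patch_level(rule: OsCheckRule) -> int:
    """The page's rule: latest-patch-level minus tolerance (not below 0)."""
    return max(0, rule.latest_patch_level - rule.tolerance)


def os_check_allows(rules: Dict[str, OsCheckRule], client_os: str, client_patch_level: int) -> bool:
    rule = rules.get(client_os)
    if rule is None:
        return True  # the OS check has no effect on other operating systems
    if rule.action == "allow":
        return True
    if rule.action == "deny":
        return False
    if rule.action != "check-up-to-date":
        raise ValueError(f"unknown os-check action {rule.action!r}")
    if rule.latest_patch_level is None:
        return True  # assumption: a disabled patch level imposes no requirement
    return client_patch_level >= lowest_acceptable_patch_level(rule)


# The three check-item-list targets of the Microsoft-Windows-Firewall
# definition above, spelled exactly as the CLI quotes them.
_FW_KEY = r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
WINDOWS_FIREWALL_TARGETS = [
    _FW_KEY + r"\\StandardProfile:EnableFirewall==1",
    _FW_KEY + r"\\PublicProfile:EnableFirewall==1",
    _FW_KEY + r"\\DomainProfile:EnableFirewall==1",
]

# Constructed registry snapshots for two hypothetical clients (not real data).
_FW_PATH = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
CLIENT_ALL_PROFILES_ON: Registry = {
    ("HKLM", _FW_PATH + r"\StandardProfile"): {"EnableFirewall": 1},
    ("HKLM", _FW_PATH + r"\PublicProfile"): {"EnableFirewall": 1},
    ("HKLM", _FW_PATH + r"\DomainProfile"): {"EnableFirewall": 1},
}
CLIENT_PUBLIC_PROFILE_OFF: Registry = {
    **CLIENT_ALL_PROFILES_ON,
    ("HKLM", _FW_PATH + r"\PublicProfile"): {"EnableFirewall": 0},
}

# The g1portal OS check from the Windows OS check section above.
G1PORTAL_OS_RULES = {
    "windows-2000": OsCheckRule("check-up-to-date", latest_patch_level=3, tolerance=1),
    "windows-xp": OsCheckRule("allow"),
}
```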


Configuring virtual desktop

Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.

Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it automatically downloads to the client computer.


To enable virtual desktop:

To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, for example, you would enter:

config vpn ssl web portal
    edit full-access
        set virtual-desktop enable
        set virtual-desktop-app-list List1
end

Configuring virtual desktop application control

You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. When you configure the web portal, you select the list to use.

Configure the application control list in the CLI.


To create an Application Control List – CLI:

If you want to add ‘BannedApp’ to ‘List1’, a list of blocked applications, you would enter:

config vpn ssl web virtual-desktop-app-list
    edit "List1"
        set action block
        config apps
            edit "BannedApp"
                set md5s "06321103A343B04DF9283B80D1E00F6B"
        end
end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista or Windows 7 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.


To configure OS Check:

OS Check is configurable only in the CLI.


config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista | windows-7}
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 255}
            set tolerance {tolerance_num}
        end
    end
end

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients – web-based manager:

1. Go to VPN > SSL-VPN Settings.

2. Next to DNS Server select Specify.

3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.

4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.

5. Select Apply.


To specify WINS and DNS services for clients – CLI:

config vpn ssl settings
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set wins-server1 <address_ipv4>
    set wins-server2 <address_ipv4>
end

Setting the idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.


To set the idle timeout – web-based manager:

1. Go to VPN > SSL-VPN Settings and enable Idle Logout.

2. In the Inactive For field, enter the timeout value.

The valid range is from 10 to 28800 seconds.

3. Select Apply.


To set the idle timeout – CLI:

config vpn ssl settings
    set idle-timeout <seconds_int>
end

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.


To enable logging of SSL VPN events – web-based manager:

1. Go to Log & Report > Log Settings.

2. Enable Event Logging, and select VPN activity event.

3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.


Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.


To monitor SSL VPNs – web-based manager:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.


Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.


Import the signed certificate into your FortiGate device

1. Unzip the file downloaded from the CA.

There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.

2. Log in to your FortiGate unit and browse to System > Certificates.

3. Select Create New > Local Certificate to import the local certificate.

The status of the certificate will change from PENDING to OK.

4. Import the CA certificate by selecting Import > CA Certificate.

It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.


Configure your FortiGate device to use the signed certificate

1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.

2. In the Connection Settings section, locate the Server Certificate field.

3. Select the new certificate from the drop-down menu.

4. Select Apply to configure SSL VPN to use the new certificate.


Implement post-authentication CSRF protection in SSL VPN web mode

This attribute enables or disables verification of the Referer field in the HTTP request header in order to prevent a Cross-Site Request Forgery attack.


Syntax:

config vpn ssl settings
    set check-referer [enable | disable]
end

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is now supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It is similar to the Transport Layer Security (TLS) protocol. DTLS support can be enabled in the CLI as described below.


Syntax

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

Allow firewall address to be used in routing table for SSL VPN

If the destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.

Introduction to SSL VPN

As organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient services including knowledge bases and customer portals. Employees traveling across the country or around the world require timely and comprehensive access to network resources. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network (VPN) was developed.

SSL VPNs establish connectivity using SSL, which functions at Levels 4 – 5 (Transport and Session layers). Information is encapsulated at Levels 6 – 7 (Presentation and Application layers), and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a Virtual Private Network (VPN) technology that allows clients to connect to remote networks in a secure way. A VPN is a secure logical network created from physically separate networks. VPNs use encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and transmitted over the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-application oriented tunnel that allows the users and networks to exchange a wide range of traffic regardless of application or protocol.

The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special arrangements or long wait times.

SSL (Secure Sockets Layer) as HTTPS is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.

FortiOS supports the SSL and TLS versions defined below:


SSL and TLS version support table

Version    RFC
SSL 2.0    RFC 6176
SSL 3.0    RFC 6101
TLS 1.0    RFC 2246
TLS 1.1    RFC 4346
TLS 1.2    RFC 5246

SSL VPN modes of operation

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.


Web-only mode

Web-only mode provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser. Web-only mode offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java Runtime Environment (note that there is no minimum Java/JRE version requirement—any version of Java/JRE currently supported by the supplier of the Java/JRE for the operating system should work).

Support for SSL VPN web-only mode is built into FortiOS. The feature comprises an SSL daemon running on the FortiGate unit and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal.

FortiGate SSL VPN web portals have a 1- or 2-column page layout and portal functionality is provided through small applets called widgets. Widget windows can be moved or minimized. The controls within each widget depend on its function. There are predefined web portals and the administrator can create additional portals.

Configuring the FortiGate unit involves selecting the appropriate web portal configuration in the user group settings. These configuration settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.

The following table lists the operating systems and web browsers supported by SSL VPN web-only mode.

SSL VPN Web-only Mode, supported operating systems and web browsers

Operating System                                       Web Browser
Microsoft Windows 7 32-bit SP1                         Microsoft Internet Explorer versions 9, 10 and 11; Mozilla Firefox version 33
Microsoft Windows 7 64-bit SP1                         Microsoft Internet Explorer versions 9, 10 and 11; Mozilla Firefox version 33
Linux CentOS version 5.6 and Ubuntu version 12.0.4     Mozilla Firefox version 5.6

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Tunnel mode

In Tunnel mode, remote clients connect to a FortiGate unit that acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group.

The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate unit. Another option is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.


SSL VPN Tunnel client standalone installer (build 2300) supported operating systems

Operating System     Release
Microsoft Windows    8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit), and XP SP3 in .exe and .msi formats
Linux                CentOS and Ubuntu in .tar.gz format
Virtual Desktop      In .jar format for Microsoft Windows 7 SP1 (32-bit)

When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.

Configuring the FortiGate unit to establish a tunnel with remote clients involves enabling the feature through SSL VPN configuration settings and selecting the appropriate web portal configuration for tunnel-mode access in the user group settings. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

The user account used to install the SSL VPN client on the remote computer must have administrator privileges.

If you are using Windows Vista, you must disable UAC (User Account Control) before installing the SSL VPN tunnel client. IE7 in Windows Vista runs in Protected Mode by default. To install SSL VPN client ActiveX, you need to launch IE7 by using ‘Run as administrator’ (right-click the IE7 icon and select ‘Run as administrator’).

For information about client operating system requirements, see the Release Notes for your FortiGate firmware. For information on configuring tunnel mode, see Tunnel mode client configuration on page 2269.


Port forwarding mode

While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user’s computer. The applet provides the up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.

The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.


Application support

With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.


Antivirus and firewall host compatibility

The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Supported Windows XP antivirus and firewall software

Product supported
  • Symantec Endpoint Protection V11
  • Kaspersky Antivirus 2009
  • McAfee Security Center v8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product supported
  • CA Internet Security 2011
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360TM Version 4.0
  • NortonTM Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

Traveling and security

Because SSL VPN provides a means for “on-the-go” users to dial in to the network while away from the office, you need to ensure that wherever and however they choose to dial in is secure, and not potentially compromising the corporate network.


Host check

To reinforce security, you can enable a host integrity checker to scan the remote client. The integrity checker probes the remote client computer to verify that it is safe before access is granted. Security attributes recorded on the client computer (for example, in the Windows registry, in specific files, or held in memory due to running processes) are examined and uploaded to the FortiGate unit. For more information, see Host check on page 2261.

Host Check is applicable for both SSL VPN Web Mode and SSL VPN Tunnel mode.


SSL VPN and IPv6

FortiOS supports SSL VPN with IPv6 addressing, and is available for all the java applets (Telnet, VNC, RDP, and so on). IPv6 configurations for security policies and addressing include:

  • Policy matching for IPv6 addresses
  • Support for DNS resolving in SSL VPN
  • Support IPv6 for ping
  • FTP applications
  • SMB

In essentially any of the following instructions, replace IPv4 with IPv6 to achieve the same desired results, but for IPv6 addresses and configurations.

What’s new in FortiOS 5.4

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

  • SSL VPN web portal redesigned.
  • SSL VPN tunnel mode widget no longer works in the web portal. The tunnel mode widget used a deprecated NPAPI plugin mechanism to send the tunnel client to the browser for local system execution; this is a popular exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
  • SSL VPN Web mode RDP Native java applet removed.
  • Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
  • Cache cleaning function has been removed.


Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This attribute enables or disables verification of the Referer field in the HTTP request header in order to prevent a Cross-Site Request Forgery attack.


Syntax:

config vpn ssl settings
    set check-referer [enable | disable]
end
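As an added illustration (not FortiOS code) of the check that `set check-referer enable` turns on, both here and in the "Implement post-authentication CSRF protection in SSL VPN web mode" section earlier on this page, the function below decides whether a post-authentication portal request is accepted. The exact policy is an assumption, since the page only says the Referer is verified: the header must be present and name the portal's own scheme, host and port, so a missing, unparsable or cross-site Referer is rejected. The request headers are constructed, not captured traffic.

```python
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for a URL, filling in the scheme's default
    port so that 'https://h/' and 'https://h:443/' compare equal. None means
    the URL cannot be interpreted as an origin."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if not parts.hostname or scheme not in _DEFAULT_PORTS:
            return None
        return scheme, parts.hostname.lower(), parts.port or _DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. a non-numeric port
        return None


def referer_check_passes(headers: Mapping[str, str], portal_url: str,
                         check_referer: bool = True) -> bool:
    """Assumed policy: with the check enabled, the Referer header (matched
    case-insensitively, as HTTP header names are) must be present and have the
    same origin as the portal; with the check disabled, every request passes."""
    if not check_referer:
        return True
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return False
    portal_origin = _origin(portal_url)
    referer_origin = _origin(referer)
    return referer_origin is not None and referer_origin == portal_origin


# Constructed requests against a portal that listens on port 10443.
PORTAL_URL = "https://vpn.example.com:10443/remote/login"
SAME_SITE_REQUEST = {
    "Host": "vpn.example.com:10443",
    "Referer": "https://vpn.example.com:10443/remote/index",
}
CROSS_SITE_REQUEST = {
    "Host": "vpn.example.com:10443",
    "Referer": "https://other-site.example/page.html",
}
NO_REFERER_REQUEST = {"Host": "vpn.example.com:10443"}
```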


Group-based SSL VPN bookmarks (292125)

This CLI-only feature allows administrators to add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client.


Syntax:

config vpn ssl web portal
    edit "portal-name"
        set user-group-bookmark {enable* | disable}
    next
end

config vpn ssl web user-group-bookmark
    edit "group-name"
        config bookmark
            edit "bookmark1"
                ….
            next
        end
    next
end

DTLS support (227138)

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS support can be enabled in the CLI as described below.


Syntax

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

Added options to allow firewall addresses to be used in routing table for SSL VPN (265430)

If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.


HTTP to HTTPS redirect support (278728)

The admin HTTP port can now be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port. There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443. If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below.


Syntax:

config vpn ssl settings
    set https-redirect [enable | disable] (default: disabled)
end

Removed guest group and SSO group (303041)

Guest group and SSO group have been removed from config user group and config vpn ssl web user-group-bookmark.


CLI changes (299319)

Removed the following obsolete/unnecessary portal options from the CLI:

config vpn ssl web portal
    edit <name>
        set auto-prompt-mobile-user-download  REMOVED
        set display-forticlient-download  REMOVED
        set display-history-limit  REMOVED
        set page-layout  REMOVED
        set cache-cleaner  REMOVED
    end
end

Removed the following unnecessary RDP bookmark options from the CLI in preparation for HTML5 RDP:

config vpn ssl web <user-bookmark|user-group-bookmark>
    edit <group/user name>
        config bookmarks
            edit <bookmark>
                set full-screen-mode  REMOVED
                set screen-height  REMOVED
                set screen-width  REMOVED
                set keyboard-layout  REMOVED
            end
        end
    end
end

Chapter 23 – SSL VPN

The following chapters are included in this document:

Introduction to SSL VPN provides useful general information about VPN and SSL, how the FortiGate unit implements them, and gives guidance on how to choose between SSL and IPsec.

Basic configuration explains how to configure the FortiGate unit and the web portal. Along with these configuration details, this chapter also explains how to grant unique access permissions, how to configure the SSL encryption key algorithm, and describes the SSL VPN OS Patch Check feature that allows a client with a specific OS patch to access SSL VPN services.

The SSL VPN client provides an overview of the FortiClient software required for tunnel mode, where to obtain the software, how to install it, and the configuration information required for remote users to connect to the internal network.

The SSL VPN web portal provides an overview of the SSL VPN web portal, with explanations of how to use and configure the web portal features.

Setup examples explores several configuration scenarios with step-by-step instructions. While the information provided is enough to set up the described SSL VPN configurations, these scenarios are not the only possible SSL VPN setups.

Troubleshooting provides some general maintenance and troubleshooting procedures for SSL VPNs.

External Security Devices to The Gate

FortiWeb

To be able to offload HTTP inspection to a FortiWeb device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiWeb and add the IP address of your FortiWeb device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Application Firewall. When you add Web Application Firewall to a firewall policy, web traffic accepted by the policy is offloaded to the FortiWeb device for processing.

 

Enabling FortiWeb on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)
    set group address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end

 

FortiCache

To be able to offload Web Caching to a FortiCache device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiCache and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

When you add web caching to a firewall policy, web traffic accepted by the policy is offloaded to the FortiCache device for processing.

Enabling FortiCache on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)
    set group address 0.0.0.0
    set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end

 

FortiMail

To be able to offload Anti-Spam processing to a FortiMail device you should:

1. Go to System > Feature Select and turn on AntiSpam Filter.

2. Go to System > External Security Devices, enable SMTP Service – FortiMail and add the IP address of your FortiMail device.

3. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.

4. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable AntiSpam and select the profile for which you set Inspection Device to External.

When you add this Anti-Spam profile to a firewall policy, email traffic accepted by the policy is offloaded to the FortiMail device for processing.

If your FortiGate or VDOM inspection mode is set to flow-based, you must use the CLI to set an Anti-Spam profile to external mode and add the Anti-Spam profile to a firewall policy.

 

Enabling FortiMail on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 52
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)
    set group address 0.0.0.0
    set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end

 

Selecting External in the Anti-Spam profile adds the following configuration to the CLI:

config spamfilter profile
    edit default
        set external enable
end

 

Web Application Firewall

Go to Security Profiles > Web Application Firewall. From here you can customize the default Web Application Firewall profile, or create new profiles, to protect against a variety of web-based threats. Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.

 

You can set the Web Application Firewall to use an External Security Device, such as FortiWeb, by setting Inspection Device to External.

 

Selecting External in the Web Application Firewall profile adds the following configuration to the CLI:

config waf profile
    edit default
        set external enable
end

 

You must add the Web Application Firewall profile to a firewall policy in order for that traffic to be offloaded to the External Security Device for processing.

 

If your FortiGate or VDOM inspection mode is set to flow-based, you must use the CLI to set a Web Application Firewall profile to external mode and add the Web Application Firewall profile to a firewall policy.

 

For more information on this configuration and others, see the FortiWeb Administration Guide.

 

CPU allocation and tuning commands to survive reboot

CPU affinity, whereby a process will execute on a specific CPU, can be changed so it survives a reboot.

 

CLI Syntax:

config system global
    set av-affinity <xxxxxxxx_xxxxxxxx>
    set ips-affinity <xxxxxxxx_xxxxxxxx>
    set miglog-affinity <xxxxxxxx_xxxxxxxx>
end

av-affinity: Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).

ips-affinity: Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx; the number of allowed CPUs must be less than the total number of IPS engine daemons). This option is only available if the FortiGate includes NP6 processors and supports NTurbo.

miglog-affinity: Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).

Adding External Security Devices

External Security Devices can be configured as means to offload processes to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes could include HTTP inspection, web caching, and anti-spam.

To configure such a device, go to System > External Security Devices.

Other Security Profiles considerations

The following topics are included in this section:

  • Security Profiles and Virtual domains (VDOMs)
  • Conserve mode
  • SSL content scanning and inspection
  • Using wildcards and Perl regular expressions
  • Adding External Security Devices
  • CPU allocation and tuning commands to survive reboot

 

Security Profiles and Virtual domains (VDOMs)

If you enable virtual domains (VDOMs) on your FortiGate unit, all Security Profiles configuration is limited to the VDOM in which you configure it.

While configuration is not shared, the various databases used by Security Profiles features are shared. The FortiGuard antivirus and IPS databases and database updates are shared. The FortiGuard web filter and spam filter features contact the FortiGuard distribution network and access the same information when checking email for spam and web site categories and classification.

 

Conserve mode

FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service. While conserve mode is active, the AV proxy does not accept new sessions.

A warning will appear in the top bar of the FortiGate, regardless of which page in the FortiGate GUI you are on.

 

The AV proxy

Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.

All of the Security Profiles features use the AV proxy except IPS, application control, DoS protection, and flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.

 

Entering and exiting conserve mode

A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory use rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode.

The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.

 

Conserve mode effects

What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:

off

The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.

For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.

Use the off setting when security is more important than a loss of access while the problem is rectified.

pass

The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.

Use the pass setting when access is more important than security while the problem is rectified. Pass is the default setting.

one-shot

The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.

idledrop

The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.

The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.

 

Configuring the av-failopen command

You can configure the av-failopen command using the CLI.

config system global
    set av-failopen {off | pass | one-shot | idledrop}
end

The default setting is pass.

 

SSL content scanning and inspection

If your FortiGate model supports SSL content scanning and inspection, you can apply antivirus scanning, web filtering, FortiGuard Web Filtering, and email filtering to encrypted traffic. You can also apply DLP and DLP archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does the following:

  • intercepts and decrypts HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
  • applies content inspection to decrypted content, including:
      • HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and DLP archiving
      • HTTPS web filtering and FortiGuard web filtering
      • IMAPS, POP3S, and SMTPS email filtering
  • encrypts the sessions and forwards them to their destinations.

 

FortiGate SSL content scanning and inspection packet flow

 

Setting up certificates to avoid client warnings

To use SSL content scanning and inspection, you need to set up and use a certificate that supports it. FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed between clients and servers during SSL session handshakes and then substitutes spoofed keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.

While the SSL sessions are being set up, the client and server communicate in clear text to exchange SSL session keys. The session keys are based on the client and server certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the client and server and uses these keys to decrypt the SSL traffic to apply content scanning and inspection.

You may use a different user-configurable CA to sign the SSL server certificate if CA verification fails. This propagates the security alert back to the client even after deep inspection.

Some client programs (for example, web browsers) can detect this key replacement and will display a security warning message. The traffic is still encrypted and secure, but the security warning indicates that a key substitution has occurred.

You can stop these security warnings by importing the signing CA certificate used by the server into the FortiGate unit SSL content scanning and inspection configuration. Then the FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.

You can add one signing CA certificate for SSL content scanning and inspection. The CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL content scanning and inspection.

You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another signing CA certificate. To do this, you need the signing CA certificate file, the CA certificate key file, and the CA certificate password.

 

To add a signing CA certificate for SSL content scanning and inspection

1. Obtain a copy of the signing CA certificate file, the CA certificate key file, and the password for the CA certificate.

2. Go to System > Certificates and select Import.

3. Set Type to Certificate.

4. For Certificate file, use the Browse button to select the signing CA certificate file.

5. For Key file, use the Browse button to select the CA certificate key file.

6. Enter the CA certificate Password.

7. Select OK.

The CA certificate is added to the Local Certificates list. In this example the signing CA certificate name is Example_CA. This name comes from the certificate file and key file name. If you want the certificate to have a different name, change these file names.

8. Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.

config firewall ssl setting
    set caname Example_CA
end

The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.

 

Exceptions

Periodically, you will come across situations where SSL and certificates interfere with the smooth operation of an application or website. For instance, the popular application Dropbox does not work when deep SSL inspection is enabled. The reason is that the trusted certificate authority recognized by Dropbox is embedded in the software, and Dropbox cannot be reconfigured to recognize the FortiGate certificates that are used when deep SSL inspection is implemented.

One way to bypass deep inspection for Dropbox is to add dropbox.com to a local category in Web Filter and add that local category to the ftgd-wf-ssl-exempt list in the Web Filter profile. This way any connections with dropbox.com are exempt from deep SSL inspection.

Whenever an exception is found, the reason that it causes an issue will have to be determined in order to figure out a way to accommodate that application or website.

 

Configuring packet logging options

You can use a number of CLI commands to further configure packet logging.

 

Limiting memory use

When logging to memory, you can define the maximum amount of memory used to store logged packets.

config ips settings
    set packet-log-memory 256
end

The acceptable range is from 64 to 8192 kilobytes. This command affects only logging to memory.

 

Limiting disk use

When logging to the FortiGate unit internal hard disk, you can define the maximum amount of space used to store logged packets.

config ips settings
    set ips-packet-quota 256
end

The acceptable range is from 0 to 4294967295 megabytes. This command affects only logging to disk.

 

Configuring how many packets are captured

Since the packet containing the signature is sometimes not sufficient to troubleshoot a problem, you can specify how many packets are captured before and after the packet containing the IPS signature match.

config ips settings
    set packet-log-history <number of packets>
    set packet-log-post-attack <number of packets>
end

The packet-log-history command specifies how many packets are captured before and including the one in which the IPS signature is detected. If the value is more than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the packet-log-history setting. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature match and the six before it.

The acceptable range for packet-log-history is from 1 to 255. The default is 1.

Setting packet-log-history to a value larger than 1 can affect the performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.

The packet-log-post-attack command specifies how many packets are logged after the one in which the IPS signature is detected. For example, if packet-log-post-attack is set to 10, the FortiGate unit will save the ten packets following the one containing the IPS signature match.

The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.
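To make the two settings concrete, here is an added Python model of the capture window they describe (not FortiGate code; `PacketLogModel` and `simulate` are hypothetical names): a ring buffer holding the last packet-log-history packets, plus packet-log-post-attack packets logged after each match.

```python
from collections import deque


class PacketLogModel:
    """Model of the IPS packet-logging window described above (hypothetical
    helper, not FortiGate code): keep the newest `history` packets so that a
    signature match is logged together with the packets before it, then keep
    logging `post_attack` further packets after the match."""

    def __init__(self, history=1, post_attack=0):
        # Ranges from the text: packet-log-history 1..255 (default 1),
        # packet-log-post-attack 0..255 (default 0).
        if not 1 <= history <= 255:
            raise ValueError("packet-log-history must be between 1 and 255")
        if not 0 <= post_attack <= 255:
            raise ValueError("packet-log-post-attack must be between 0 and 255")
        self.post_attack = post_attack
        # Ring buffer: only the newest `history` packets stay in memory. This
        # buffering is the cost the text warns about for values above 1.
        self.ring = deque(maxlen=history)
        # One record per signature match: the packets logged for it and how
        # many post-attack packets it is still owed.
        self.records = []

    def observe(self, packet, matched):
        """Feed one packet; `matched` is True when an IPS signature fires on it."""
        self.ring.append(packet)
        # Post-attack packets are appended to every match still collecting.
        for rec in self.records:
            if rec["remaining"] > 0:
                rec["packets"].append(packet)
                rec["remaining"] -= 1
        if matched:
            # The matching packet itself plus up to history-1 preceding packets.
            self.records.append({"packets": list(self.ring),
                                 "remaining": self.post_attack})

    def logged(self):
        """Packet lists of all matches, in order of detection."""
        return [rec["packets"] for rec in self.records]


def simulate(history, post_attack, total, match_at):
    """Run a constructed stream of `total` packets named p0..p{total-1}
    through the model, with signature matches at the given indexes."""
    model = PacketLogModel(history, post_attack)
    hits = set(match_at)
    for i in range(total):
        model.observe(f"p{i}", i in hits)
    return model.logged()


if __name__ == "__main__":
    # Example from the text: history 7 keeps the match and the six before it,
    # post-attack 10 keeps the ten after it, so 17 packets are logged.
    for rec in simulate(7, 10, 25, [10]):
        print(len(rec), rec)
```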

 

Using wildcards and Perl regular expressions

Many Security Profiles feature list entries can include wildcards or Perl regular expressions.

For more information about using Perl regular expressions, see http://perldoc.perl.org/perlretut.html.

 

Regular expression vs. wildcard match pattern

A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the ‘.’ character matches any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result:

  • example.com not only matches example.com but also examplea.com, exampleb.com, examplec.com, and so on.

To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI, you must precede it with another backslash character. For example, example\\.com.

 

To match a special character such as ‘.’ and ‘*’ use the escape character ‘\’. For example:

  • To match example.com, the regular expression should be: example\.com

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:

  • exam*.com matches exammmm.com but does not match example.com

To match any character 0 or more times, use ‘.*’, where ‘.’ means any character and ‘*’ means 0 or more times. For example, the wildcard match pattern exam*.com should therefore be written as the regular expression exam.*\.com.

 

Word boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.

 

Case sensitivity

Regular expression pattern matching is case sensitive in the Web Filter and Email Filter features. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i blocks all instances of “bad language”, regardless of case.

 

Perl regular expression formats

The following table lists and describes some example Perl regular expressions.

 

Perl regular expression formats

Expression      Matches
abc             “abc” (the exact character sequence, but anywhere in the string)
^abc            “abc” at the beginning of the string
abc$            “abc” at the end of the string
a|b             Either “a” or “b”
^abc|abc$       The string “abc” at the beginning or at the end of the string
ab{2,4}c        “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c         “a” followed by at least two “b”s followed by a “c”
ab*c            “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c            “a” followed by one or more “b”s followed by a “c”
ab?c            “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”
a.c             “a” followed by any single character (not newline) followed by a “c”
a\.c            “a.c” exactly
[abc]           Any one of “a”, “b” and “c”
[Aa]bc          Either of “Abc” and “abc”
[abc]+          Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+         Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d            Any two decimal digits, such as 42; same as \d{2}
/i              Makes the pattern case insensitive. For example, /bad language/i blocks any instance of “bad language” regardless of case.
\w+             A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk        The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b           “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B          “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
\x              Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x              Used to add regular expressions within other text. If the first character in a pattern is a forward slash ‘/’, the ‘/’ is treated as the delimiter. The pattern must contain a second ‘/’. The pattern between the ‘/’ characters is taken as a regular expression, and anything after the second ‘/’ is parsed as a list of regular expression options (‘i’, ‘x’, etc.). An error occurs if the second ‘/’ is missing. In regular expressions, leading and trailing space is treated as part of the regular expression.

 

Examples of regular expressions

Block any word in a phrase

/block|any|word/

Block purposely misspelled words

 

Spammers often insert other characters between the letters of a word to fool spam blocking software.

 

/^.*v.*i.*a.*g.*r.*o.*$/i

/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Block common spam phrases

 

The following phrases are some examples of common phrases found in spam messages.

 

/try it for free/i

/student loans/i

/you’re already approved/i

/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
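The following Python is added here and is not part of the handbook: it implements the delimiter and option rules from the /x row of the table (`parse_pattern`, `compile_pattern`, `blocked` and `matching_patterns` are hypothetical helpers) and runs the spam patterns listed above against constructed sample messages, also exercising the word-boundary and case-sensitivity behaviour described earlier.

```python
import re

# Perl option letters named in the table, mapped to Python's re flags.
OPTION_FLAGS = {"i": re.IGNORECASE, "x": re.VERBOSE}


def parse_pattern(pattern):
    """Split a pattern into (regex, options) following the /x row of the table:
    a leading '/' is a delimiter, the text up to the second '/' is the regular
    expression, whatever follows the second '/' is the option list, and a
    missing second '/' is an error. Without a leading '/', the whole string is
    the regular expression. Hypothetical helper, not FortiGate code."""
    if not pattern.startswith("/"):
        return pattern, ""
    end = pattern.find("/", 1)
    if end == -1:
        raise ValueError("pattern starts with '/' but has no closing '/'")
    # Leading and trailing spaces between the delimiters stay in the regex.
    return pattern[1:end], pattern[end + 1:]


def compile_pattern(pattern):
    """Compile a FortiGate-style pattern, honouring its option letters."""
    regex, options = parse_pattern(pattern)
    flags = 0
    for opt in options:
        if opt not in OPTION_FLAGS:
            raise ValueError(f"unsupported option {opt!r}")
        flags |= OPTION_FLAGS[opt]
    return re.compile(regex, flags)


def blocked(pattern, text):
    """True when `text` would be caught by `pattern`. The pattern is searched
    anywhere in the text because Perl patterns carry no implicit anchors."""
    return compile_pattern(pattern).search(text) is not None


# The spam examples quoted above, as written on the page.
SPAM_PATTERNS = [
    "/try it for free/i",
    "/student loans/i",
    "/you’re already approved/i",
    "/^.*v.*i.*a.*g.*r.*o.*$/i",
    r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i",
    r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i",
]


def matching_patterns(text):
    """Return the spam patterns that catch a message (constructed input)."""
    return [p for p in SPAM_PATTERNS if blocked(p, text)]


if __name__ == "__main__":
    # Constructed sample messages; the last one is legitimate text that the
    # letter-spread pattern nevertheless catches.
    for message in ["TRY IT FOR FREE today", "cheap cré-dit here",
                    "SPECIAL-OFFER", "variable algorithm rotation"]:
        print(message, "->", matching_patterns(message))
```

Note that the letter-spread pattern /^.*v.*i.*a.*g.*r.*o.*$/i also catches ordinary text such as "variable algorithm rotation", so loose patterns of this kind should be checked against legitimate mail before they are deployed.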