FortiGate I

SSL VPN

FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: 7/23/19
1
Objectives
• Describe the differences between SSL VPN and IPsec VPN
• Describe the differences between SSL VPN modes
• Configure SSL VPN options such as bookmarks and realms
• Configure firewall policies and authentication
for SSL VPN
• Strengthen security for SSL VPN access
o Two-factor authentication
o Client enforcement

• Monitor SSL VPN connected users

2
What is SSL VPN?
How is it different from IPsec?
What are Virtual Private Networks?
• Securely connect remote LANs/devices
o Employees that travel
o Branch offices to servers at central office

• Safely transmit private data across the Internet

o Tamper-proof
• Attackers can’t change message/file
o Encrypt
• Unauthorized users can’t eavesdrop
o Authenticate
• Only known users can access
the private network

4
Comparison Between SSL VPN and IPsec VPN
IPsec VPN SSL VPN
•IPsec tunnel (ESP layer) •HTTPS tunnel (SSL/TLS layer)

•Can be between: •Can be between:

• FortiClient+ FortiGate
oBrowser/FortiClient + FortiGate
• FortiGate + FortiGate
• FortiGate + compatible third-
party IPsec VPN gateway
• FortiGate + compatible third-
party IPsec VPN clients •Log in through:
oHTTPS web page on
•Log in through IPsec client FortiGate, or
oUse fortissl
• Site-to-site
doesn’t require
IPsec client virtual adapter (FortiClient)

5
Comparison Between SSL VPN and IPsec VPN (cont.)

IPsec VPN SSL VPN

•Industry standard •Vendor-specific
•Flexible •Simpler setup
• Mesh and star topologies oOnlyclient to FortiGate
• For clients or peer gateways oNo user-configured settings

• Extensible cryptography oTechnical support less requested

•Installation required •Can be zero-install

•Better for: oOK for Internet cafés, libraries
• Office-to-office traffic •Better for users
• Data centers

6
Modes of SSL VPN
Comparing SSL VPN Access Modes

Web-Only Port Forward Tunnel

• Requires only • Requires Java applet • Requires FortiClient

web browser • Acts as a local proxy that • fortissl virtual adapter
• Reverse proxy rewriting intercepts specific TCP • Install requires
of HTTP, HTTPS, FTP, port traffic and encrypts it Administrator/root
SAMBA (CIFS) • Installed without privilege
Administrator/root • Accessed through
• Java applets for VNC,
privileges
TELNET, SSH standalone client
• Configured through
bookmarks on web portal
• Client applications must
point to the Java applet

8
SSL VPN: Web-only Mode
1. Remote user
connects to the
SSL VPN portal
(HTTPS web page
on FortiGate) User’s
User’ssource
sourceIPIPisis
internal
internalinterface
interfaceIP
IP
2. Authentication
3. Access resources
through browser
bookmarks or quick
connection tool
widget

9
SSL VPN: Tunnel Mode
1. Remote user connects
to the SSL VPN
gateway through SSL
VPN client
2. Authentication User
User traffic
trafficsource
sourceIP
IP
3. Tunnel created by virtual address
addressisisassigned
assignedbyby
FortiGate,
FortiGate,like
likeIPsec
IPsec
adapter
4. Access resources
through encrypted
tunnel (SSL/TLS)

10
Tunnel Mode Split Tunneling
• Disabled:
o All
traffic routed through SSL VPN tunnel to a remote FortiGate, then to the
destination (including Internet traffic)
• Enabled:
o Only LAN traffic routed through the
remote FortiGate
o Internet traffic uses the
local gateway

Split tunneling Split tunneling

enabled disabled

11
Ways of Connecting to SSL VPN
• Web-only mode through browser
o Web portal displays status of SSL VPN
o SSL VPN stays up only while SSL VPN portal page is open

• Tunnel mode through FortiClient

o Tunnel is up only while SSL VPN client is connected
o Adds virtual network adapter called fortissl
• FortiGate assigns a virtual IP address to the client from a pool of reserved
addresses

12
SSL VPN: Port Forward
• Extension of web-only mode that simulates tunnel mode
o If no administrative access to install the virtual tunnel adapter
• Port forward uses a Java applet to extend the amount of
applications supported by web-only mode
o Applet listens to local ports on the user's computer
o Encrypts and forwards all traffic to FortiGate (similar to tunnel mode)
o Specific bookmarks for the user are created that act as tunnels

• User must configure their applications to point to local proxy

13
How to Configure SSL VPN
How to Configure SSL VPN
1. Set up user accounts and groups
2. Configure portal
3. Configure SSL VPN settings
4. Create a firewall policy to accept and decrypt packets
• Generally used to allows access to internal network
5. (Optional) Create a firewall policy to route traffic to the
Internet
• Useful when split tunneling is disabled to route all the client’s traffic through
FortiGate to Internet – FortiGate can be used to apply security profiles

15
Step 1: Configure User Accounts and Groups
Many SSL VPN authentication methods: Two-factor
• Local Password Authentication User name with
• Remote Password Authentication (or password
(one factor)
server-based authentication):
o LDAP
o RADIUS +
o TACACS+

Token code
• Two-factor authentication (two factor)
o Better security than just passwords

16
Step 2: Configure the Portal(s)
• Define user access to:
• Tunnel
• Web portal Tunnel mode
• Bookmarks
• Concurrent SSL VPN
connections

Web mode

Bookmarks

17
SSL VPN Web Mode Portal Example

18
Step 3: Connection Settings
Interface that provides an SSL
VPN login portal

Port number

Idle Timeout

During SSL / TLS handshake,

FortiGate shows its certificate
to prove its identity to clients.
To avoid browser security
warnings, either use a
certificate issued by a public
Certificate Authority (CA), or
install your certificate on all
clients.

19
SSL VPN login and Administrator login
• By default, the administrator GUI and SSL
VPN portal both use the same HTTPS port
• OK if services are enabled on different NICs
Example:
o Administrator access through HTTPS port 443
on management LAN (port4)
o SSL VPN access through HTTPS port 443 on
port1

• If both features use the same port and are

enabled on same interface, only the SSL
VPN portal appears

20
Step 3: Tunnel Mode Client Settings

IPs assigned
to clients’ virtual adapters
while joined to VPN

If internal domain names

must be resolved by
internal DNS

21
Step 3: Authentication Portal Mapping
• Can specify different portals for each user/group
• Predefined All Other Users/Groups cannot be deleted
o Can change its portal

22
Step 4: Firewall Policies to/from SSL VPN interface

• Listens for connections to SSL

VPN portal
• ssl.root policy enables portal
with user authentication
• Incoming Interface is the SSL
VPN’s virtual interface
o Example: ssl.root for root
VDOM
• Passes decrypted traffic to
Outgoing Interface

23
Example: Access to other Internal Resources
• All traffic generated by edit 11 edit 12
set srcintf "ssl.root" set srcintf "ssl.root"
user exits through set dstintf "dmz" set dstintf “internal"
ssl.<vdom_name> set srcaddr “all" set srcaddr “all"
set dstaddr "Mail_Server" set dstaddr "Database"
interface set action accept set action accept
• Both web and tunnel set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
mode set groups "Accountants" set groups "Teachers"
set nat enable set nat enable
next next

wan1 internal
database

DMZ

email

24
Step 5: Firewall Policy to Access Internet
• ssl.root to egress interface firewall policy allows access to
the Internet
o Required when split tunneling
is disabled

25
Realms and Bookmarks
How to Show Realms / Personal Bookmarks
• Hidden by default
• To show, go to
System > Feature
Select

27
Realms
• By default, same portal
for all users
https://10.0.1.254/
• Can make URLs for
specialized portals
(realms)
https://10.0.1.254/sales
https://10.0.1.254/hr

28
What is an SSL VPN Bookmark?
• Not the same as your browser’s bookmarks
• Inside SSL VPN web portal
• Settings for applications that are passing through the VPN
tunnel

29
 How to Configure User Bookmarks

• Also configure settings required by apptype

o Example: web requires that you configure url, ftp requires folder…
• Only two types use port forwarding bookmarks:
o citrix
o portforward

config vpn ssl web user-bookmark

edit <user_name>
config bookmarks
edit <bookmark_name>
set apptype {citrix | ftp | portforward | rdp | smb | ssh | telnet | vnc | web}
set description <text_string>
set sso {auto|disable}
next
end

30
Personal Bookmarks
• If enabled in each portal, users
can create their own
bookmarks
• Administrators can:
o Through GUI, view / delete IfIf menu
menu option
option does
does not
not appear
appear in
in
users’ bookmarks GUI, enable it under System
GUI, enable it under System > >
Feature
Feature Select
Select
o Via CLI, create users’ bookmarks

31
Portal Bookmarks
• Administrators can add
bookmarks to portals

32
Hardening SSL VPN Access
Better SSL VPN Security
• Client integrity check
• Restrict addresses where clients can connect from
• Require client certificates
• Two-factor authentication
• FortiClient

34
Securing Access: Client Integrity Checking
• SSL VPN gateway checks client
o Requires Microsoft Windows
• Detects client security applications recognized by the Windows
Security Center (antivirus and firewall)
• Checks status of applications through Globally Unique
Identifiers (GUID) (Custom Host Checks)
• Determines the state of the applications (active/inactive, current
version number, and signature updates)

35
Client Integrity Check: Configuration
• External vendor software ensures client integrity
• Checks if required software is installed on client
• If not, FortiGate rejects SSL VPN connection attempt
• CLI-only configuration:
config vpn ssl web portal
edit <portal_name>
set host-check {none|av|fw|av-fw|custom}
set host-check-interval <seconds>
end
config vpn ssl web host-check-software
show

36
Securing Access: Restricting Host IPs
• Default set to specific config vpn ssl setting
set source-address-negate
hosts but empty [enable|disable]
set source-address6-
negate [enable|disable]
• To allow only specific end
hosts, specify IPs

• To exclude specific
hosts, inverse the IP list
through the CLI

37
Monitoring SSL VPN Users
Monitoring SSL VPN Sessions
• Monitor > SSL-VPN Monitor
Right click to terminate active SSL
VPN session

Web-only user
Tunnel mode shows SSL VPN IP
address assigned during the session

39
SSL VPN Authentication Session vs. Idle Timeout

• Firewall policy authentication session is associated with SSL VPN

tunnel session

• Forces expiration of firewall policy authentication session when

associated SSL VPN tunnel session has ended
o Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by
a different user after the initial user terminates the SSL VPN tunnel session

• SSL VPN authentication is not subject to the firewall authentication

timeout setting
o Separate idle setting for SSL VPN

40
Review
 The differences between SSL VPN and IPsec VPN
 Methods of connecting to SSL VPN tunnels
 Web-only mode vs. tunnel mode (including split-tunneling) vs. port
forwarding
 Configuring SSL VPN
 Portals, bookmarks, and realms
 Securing SSL VPN clients
 Two-factor authentication
 Restricting host connection access
 Client integrity checks
 Monitoring SSL VPN users
41