
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


FortiGate SSL VPN configuration

Edited 07.05.2020 20:34 | created | Petr Bouška - Samuraj |
After a few introductory articles covering user authentication, here is an extensive piece on SSL VPN configuration. I tried to make the description very comprehensive, because I find the official documentation insufficient. A few simple steps are enough to create a basic VPN connection (examples are in the official documentation); this article should also show all the special options we can set. It focuses on the links between the different parts of the configuration and tries to give a global view while still describing the details.

Note: The description in this article is based on a FortiGate FG-300E with FortiOS version 6.2.3, configured as an FGCP cluster and using VDOMs.


Initial assessment and comparison with Cisco ASA

I previously dealt with VPN on Cisco ASA. On FortiGate, I tried to find the same features as this 10-year-old device had. At first, it looked very bleak. I read through the documentation, which is (as I constantly mention) very poor and fragmented (it's certainly not enough to just open the official documentation for your FortiOS version). I searched the internet and forums with keywords for what I wanted to set up. Mostly in vain. In the end, I managed to do everything.

The configuration building blocks of FortiGate VPN cannot be directly compared to Cisco VPN. Nevertheless, in very simplified terms: on Cisco, we use a Connection Profile for the different ways one user can connect; on FortiGate, we use a Realm. On Cisco, we use a Group Policy for the connection policy of a group of users; FortiGate has a Portal. Cisco uses an AnyConnect Client Profile for client settings; FortiGate handles this somehow in the Portal. Cisco has an interesting feature called Dynamic Access Policy; there's probably nothing similar on FortiGate. Generally, the same features are set in different places (in different objects), and the pairing (linking) of objects is done completely differently.

Thanks to Realm, I managed to create different profiles that the user chooses when connecting (according to URL). This can distinguish, for example, connection from a company and non-company device. It turned out that a computer certificate can also be required for connection (this can be defined better than with Cisco in the end). We just need to specially modify the FortiClient configuration. Various parameters on the client can be detected (Host Check), such as registry, file, OS, AntiVirus. However, we must have the correct OS (which is basically just Windows) and the correct version of FortiClient. Cisco ASA is generations ahead in this. I can easily check a huge number of parameters and find out, for example, that it's an Android device (Cisco could do this many years ago and FortiGate can't even do it today).

What's really bad about FortiGate is monitoring of connected users (established SSL VPN Sessions). Cisco shows many details about all used protocols (TLS/DTLS), encryption algorithms, client details, used profile (policy), packet transfer, etc.

And another very bad thing is the client for connecting to SSL VPN. The installation of Cisco AnyConnect Secure Mobility Client 3.1.14018 for Windows is 5 MB (the folder in Program Files is 10 MB). It's not perfect, but it generally works reliably and, most importantly, quickly. The installation of FortiClient 6.0.9.0277 for Windows is 95 MB. It contains other components, but when I install only the VPN client, the folder in Program Files is 290 MB. The same goes for FortiClient VPN 6.2.6, which should only have the VPN function. But the main thing is that the client works poorly and slowly. When connecting, it often stops for tens of seconds (usually at 98%) and sometimes gets stuck completely. Most people find it helps to completely close it and restart. Colleagues report that the Linux version is completely non-functional (they have to use the OpenFortiVPN alternative).

Remote Access SSL (Secure Sockets Layer) VPN (Virtual Private Network)

Documentation SSL VPN 6.2.3, SSL VPN 6.0.0, VPNs 6.0.0

Virtual Private Network (VPN) means a private computer network that allows secure connection of remote users or branches to the organization's LAN (local private network) through public telecommunications services, mostly via the internet. Everything is solved by creating an encrypted tunnel between two points (or one and several). VPN addresses confidentiality, authentication, communication integrity, etc.

VPN is a very broad term and includes a number of protocols and technologies. There are two main types of VPN:

  • Site-to-Site VPN - connects two (or more) networks together, usually headquarters and branches. Special network devices (VPN concentrator, firewall, router, server) serve as VPN gateways and establish the VPN connection between themselves: incoming traffic is decrypted and sent into the network as usual, outgoing traffic is encapsulated into the VPN tunnel. User stations therefore don't need a VPN client. Commonly used protocols/types are IPsec VPN and MPLS VPN.
  • Remote Access VPN - connects individual clients to the local network. Clients must have special software, a VPN client; on the private network side there is again a special network device. Commonly used protocols/types are SSL VPN and IPsec VPN.

SSL VPN and protocols

Here we will focus on client connection, i.e. Remote Access VPN. FortiGate supports both IPsec VPN and the newer and more popular SSL VPN, which can be of two types/modes:

  • Tunnel Mode - standard VPN connection, where the client (application) FortiClient is used to establish an encrypted tunnel to the internal network
  • Web Mode - we connect using a web browser and get access to certain resources inside the private network (this can be even remote desktop) through web pages, Cisco calls this solution Clientless SSL VPN

We talk about SSL VPN, but today only the TLS (Transport Layer Security) protocol is used. Currently, TLS 1.2 and TLS 1.3 are enabled by default on FortiGate. SSL VPN has the advantage of using the widespread HTTPS protocol, which passes well through Firewalls, has no problems with NAT, and has much simpler configuration than IPsec.

FortiGate also supports the Datagram Transport Layer Security (DTLS) protocol, which runs over UDP (User Datagram Protocol). Compared to TLS, which runs over TCP (Transmission Control Protocol), it provides higher performance. DTLS is enabled by default. When connecting from FortiClient, we can check Preferred DTLS Tunnel in the settings (first you need to unlock the settings with the lock in the lower left or upper right corner).

Practice has shown that many people have connection problems when DTLS is turned on, which stops at 98 percent. More information in FortiGate problems connecting to SSL VPN via FortiClient.

Configuring SSL VPN on FortiGate

Basic steps and components

Which objects and settings do we need to create to configure SSL VPN?

  • Users and Groups - who will log in to VPN, local or remote users (LDAP, RADIUS, etc.), we divide users into groups according to who should have common VPN connection parameters
  • Addresses (address ranges) - which addresses will be assigned to users in VPN (10.212.134.200-10.212.134.210 is predefined), we can use one address Pool, but it may be more appropriate to have a different address range for each user group
  • VPN Realm (area) - optionally we can create multiple areas (URL addresses) through which we log in to VPN, thanks to Realm we can set different parameters for the same user according to the login address
  • VPN Portal - profiles for user groups, the basis is enabling Tunnel VPN or Web VPN modes, assigning IP addresses, parameters for VPN
  • VPN Settings - global settings for VPN, interface where FortiGate listens for client connections, certificate, IP ranges, mapping of users (groups) to portals
  • Firewall Policy - policies that allow traffic from the SSL-VPN Tunnel Interface for certain IP addresses and VPN users

Note: It's important that until a policy is created for a given user group, its users won't even log in to VPN.

How authentication and VPN connection works

The official documentation doesn't answer this question at all. I turned on debug LDAP authentication and SSL VPN and tried various situations (users were authenticated on the LDAP server) and from that put together the following process:

  • the user enters their login credentials to connect to VPN (either on the web or in FortiClient)
  • user authentication is performed against LDAP, if it fails (can't connect to server, wrong username or password), it returns [sslvpn_login_unknown_user]
    • generally, authentication is tried against various mechanisms (if defined) in the given order POP3, RADIUS, TACACS+, LDAP, local users
    • if we have defined multiple servers (like LDAP), it searches on all of them
    • the first authentication that passes successfully is used and group membership is determined based on it (which group had the user defined from this source)
  • LDAP searches if the user is a member of any defined group (see below), if not a member, it returns [sslvpn_login_unknown_user], otherwise it returns the group name, if member of multiple (VPN) groups, it returns only the first found
  • the assigned Portal is searched for the group, if not found, default is used (All Other Users/Groups)
  • according to the Portal parameters, the tunnel is established/web is displayed

It's important which groups are searched. It's not all groups on the LDAP server, nor those we have defined on FortiGate as Remote Groups from this LDAP. Although that's the initial condition for the group to exist on FortiGate. But only groups that are used in some policy (Policy) that (probably) has SSL-VPN Tunnel Interface as the source interface are searched. This means that we can have VPN connection completely set up, but if there's no policy for the given user, they won't connect even to web VPN.

If authentication fails for some reason and returns [sslvpn_login_unknown_user], the user is shown a general error. It doesn't indicate whether a wrong password was entered, the user doesn't exist, isn't allowed to connect to VPN, or there's an error on the server side. On the web, it simply displays

Error: Permission denied.

FortiClient returns

Unable to establish the VPN connection. The VPN server may be unreachable.
[Figure: FortiClient authentication error; FortiGate Web VPN authentication error]

Planning and example of SSL VPN

At the beginning of VPN planning, it's good to think about what different connection variants we want to create. For example, according to various allowed communications to the internal network. Whether we want to allow Split Tunnel for someone and not elsewhere. Whether we'll make only Web VPN with certain defined links available to some users. Based on this, we'll name individual VPNs, prepare user groups that will be allowed the given VPN, prepare address ranges and policies for traffic.

We'll outline the configuration points of SSL VPN connection for a practical case. We have users stored in an Active Directory domain and we'll authenticate them via LDAP. In the example, we'll deal with only one group of users - consultants. They have limited access to the internal network only to HTTPS web servers allowed from any device. They authenticate using username and password (we can add OTP). Unlimited access to the internal network is allowed from company devices. Computer certificate verification is added to username and password verification.

VPN connection of consultants from non-company devices

  • Realm - NonCompany - we'll create an object with Virtual Host address vpn.company.com
  • User Groups - G VPN Consultant - we'll create a group in AD DS and include users in it, on FortiGate we'll create a group with the same name (Remote Group) and link it to this LDAP group
  • Addresses - VPNconsultantPool - we'll create an Address object of type IP Range, choose SSL-VPN tunnel interface as Interface and enter address range (according to our address plan) 172.31.254.10-172.31.254.100
  • SSL-VPN Portals - VPN-Consultant - we'll create a portal, enable Tunnel Mode and disable Web Mode, assign IP address pool VPNconsultantPool, we can turn on Split Tunnel and select internal addresses
  • IPv4 Policy - VPN Consultant to Local from NonCompany - we'll create a policy where we'll allow HTTPS service from SSL-VPN tunnel interface to LAN, set group G VPN Consultant and address range VPNconsultantPool as source, LANnet as destination

VPN connection of consultants from company devices

  • Realm - Company - we'll create an object with Virtual Host address vpn2.company.com
  • User Groups - G VPN Consultant - we'll use the already existing group
  • Addresses - VPNconsultantPoolCompany - we'll create an Address object of type IP Range, choose SSL-VPN tunnel interface as Interface and enter address range (according to our address plan) 172.31.254.101-172.31.254.199
  • SSL-VPN Portals - VPN-Consultant-Company - we'll create a portal, enable Tunnel Mode and disable Web Mode, assign IP address pool VPNconsultantPoolCompany, we can turn on Split Tunnel and select internal addresses,
  • IPv4 Policy - VPN Consultant to Local from Company - we'll create a policy where we'll allow all services ALL from SSL-VPN tunnel interface to LAN, set group G VPN Consultant and address range VPNconsultantPoolCompany as source, LANnet as destination

We'll set global VPN parameters

  • we'll specify the interface and port where FortiGate will accept SSL VPN client connections
  • we'll set up the server certificate
  • Tunnel Mode Client Settings - we'll choose Specify custom IP ranges and select ranges VPNconsultantPool, VPNconsultantPoolCompany
  • DNS Server - we'll choose Specify and enter company DNS servers
  • Authentication/Portal Mapping - we'll create two rules
    • G VPN Consultant - /noncompany - VPN-Consultant
    • G VPN Consultant - /company - VPN-Consultant-Company - we'll enable client certificate requirement and assign Peer User with set certificate parameters
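To make the login sequence above and the consultant scenario concrete, here is a small model of the decision FortiGate makes (an added example, not Fortinet code): membership is checked only against groups referenced by a policy on the SSL-VPN tunnel interface, the first matching group wins, and the (group, Realm) mapping picks the portal, with the default portal as the fallback. It assumes the tunnel interface is named ssl.root and that groups are searched in policy order; the users alice and bob and the group G Other are constructed.

```python
"""Model of FortiGate's SSL VPN login decision (added example, not Fortinet code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

UNKNOWN_USER = "sslvpn_login_unknown_user"  # error string seen in the debug output
SSLVPN_INTF = "ssl.root"  # assumption: SSL-VPN tunnel interface name in the root VDOM


@dataclass
class Policy:
    name: str
    srcintf: str          # source interface of the IPv4 policy
    groups: Set[str]      # user groups used as source in the policy


@dataclass
class AuthRule:
    """One Authentication/Portal Mapping entry."""
    groups: Set[str]
    realm: str            # realm path such as "/company"; "" is the root realm
    portal: str
    client_cert: bool = False


@dataclass
class LoginResult:
    portal: Optional[str] = None
    group: Optional[str] = None
    client_cert_required: bool = False
    error: Optional[str] = None


@dataclass
class SslVpnConfig:
    ldap_members: Dict[str, Set[str]]  # constructed stand-in for LDAP: Remote Group -> members
    policies: List[Policy]
    rules: List[AuthRule]
    default_portal: str = "no-access"


def groups_to_search(cfg: SslVpnConfig) -> List[str]:
    """Groups whose membership is checked: only those referenced by a policy
    whose source interface is the SSL-VPN tunnel interface (assumption: in
    policy order, which decides which group 'wins' for multi-group users)."""
    seen: List[str] = []
    for pol in cfg.policies:
        if pol.srcintf != SSLVPN_INTF:
            continue
        for grp in sorted(pol.groups):
            if grp not in seen:
                seen.append(grp)
    return seen


def ssl_vpn_login(cfg: SslVpnConfig, user: str, password_ok: bool,
                  realm: str = "") -> LoginResult:
    """Decide which portal a login lands on, or why it is rejected."""
    if not password_ok:
        # Wrong password, unknown user and LDAP errors all surface the same way.
        return LoginResult(error=UNKNOWN_USER)
    group = next((g for g in groups_to_search(cfg)
                  if user in cfg.ldap_members.get(g, set())), None)
    if group is None:
        # Member of no policy-referenced group: refused even though the account
        # and its Remote Group exist on FortiGate.
        return LoginResult(error=UNKNOWN_USER)
    for rule in cfg.rules:
        if group in rule.groups and rule.realm == realm:
            return LoginResult(portal=rule.portal, group=group,
                               client_cert_required=rule.client_cert)
    return LoginResult(portal=cfg.default_portal, group=group)


def article_example() -> SslVpnConfig:
    """The consultant scenario from the planning section."""
    return SslVpnConfig(
        ldap_members={"G VPN Consultant": {"alice"}, "G Other": {"bob"}},
        policies=[
            Policy("VPN Consultant to Local from NonCompany", SSLVPN_INTF, {"G VPN Consultant"}),
            Policy("VPN Consultant to Local from Company", SSLVPN_INTF, {"G VPN Consultant"}),
            Policy("Other LAN rule", "port2", {"G Other"}),  # not on the tunnel interface
        ],
        rules=[
            AuthRule({"G VPN Consultant"}, "/noncompany", "VPN-Consultant"),
            AuthRule({"G VPN Consultant"}, "/company", "VPN-Consultant-Company", client_cert=True),
        ],
    )


if __name__ == "__main__":
    cfg = article_example()
    for user, realm in (("alice", "/noncompany"), ("alice", "/company"),
                        ("alice", ""), ("bob", "/noncompany")):
        print(user, realm or "/", ssl_vpn_login(cfg, user, True, realm))
```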

User Authentication (Users and groups)

  • (VDOM) > User & Device > User Definitions
  • (VDOM) > User & Device > User Groups

We described how FortiGate works with users and groups, and how users are authenticated, in the previous article FortiGate users, groups and authentication to LDAP (AD DS). For greater access security, we can use FortiGate certificate authentication to SSL VPN or FortiGate two-factor authentication using OTP.

For VPN login, we can use local users and users from remote servers (LDAP, RADIUS, TACACS+). By default, users are authenticated by entering a username and password. A special case are Peer (PKI) users (can be included in Firewall or Peer Group), who use a client digital certificate. We can also enable certificate requirement for users from remote servers.

We can also use two-factor authentication. If we want to use OTP (SMS, email, FortiToken) for users from an LDAP server, it's not enough to create a group on FortiGate where a group from the LDAP server will be a member. We must create individual LDAP users locally and set OTP details for them.

Blocking login on failed authentication

If VPN login repeatedly fails (wrong username, password, or fails to authenticate in some other way), access is blocked for login for a certain time. The default settings are 2 attempts and blocking for 60 seconds. Then an error is displayed to the user. And it's not even possible to bring up the login dialog on the web again until the time elapses (the user is not blocked, but the IP address is).

Too many bad login attempts. Please try again in a few minutes.

This can be configured only in the CLI, in the SSL VPN settings:

config vpn ssl settings
    set login-attempt-limit 2
    set login-block-time 60
end

Assigned address ranges

  • (VDOM) > Policy & Objects > Addresses

There's a predefined object SSLVPN_TUNNEL_ADDR1, which contains address range (IP Range) 10.212.134.200-10.212.134.210. We can modify it or create more of our own objects. We should choose private addresses from a subnet that we don't use in the company network. And try to find those that aren't used in home networks either.

We can select for example subnet 172.31.254.0/24 and create several address ranges (IP Pool) in it like 172.31.254.10-172.31.254.100 and 172.31.254.101-172.31.254.150. We define these as an address object, most often of type IP Range, we can choose SSL-VPN Tunnel Interface as interface. And later we'll assign them to a user group using portal settings (Portal).

SSL VPN Realms - different login addresses (URLs)

  • (VDOM) > VPN > SSL-VPN Realms

I found almost no documentation for this area. Fortinet provides an article SSL VPN multi-realm, which is especially bad even by their standards. Another is the already old Configuring SSL VPN web portals.

Note: We must have the feature System > Feature Visibility - SSL-VPN Realms enabled.

VPN Realm allows us to create different URL addresses, either with the same domain name (Hostname) distinguished by path (Path), or different domain names. On the address (Realm) we can create our own web login page (the default login page can be modified in (VDOM) > System > Replacement Messages).

Realm is then used in user mapping to the portal, creating combinations of user - portal - Realm. This allows us to assign a different portal to a group of users based on the URL they use to log in. As a result, we can assign them a different IP address. And based on the source IP address, we define allowed communications in the FW policy.

[Figure: FortiGate - SSL VPN Realms]

Using the GUI, we can create a Realm that is identified by its URL Path. The simplified form of the URL is protocol://hostname:port/path. If we access SSL VPN (either via web or FortiClient) through the address https://vpn.company.com, then to access the defined Realm, we add the specified path, for example https://vpn.company.com/company. We can also set limits on how many users can connect simultaneously. And we can customize the login screen.

Note: The GUI will display information about which address to use to access the SSL-VPN Realm, but it will likely be incorrect in most cases because it uses the management address of FortiGate (how we are currently connected to the configuration). And even when we further define a Virtual Host, the correct address is not displayed. At least in the SSL VPN settings, the IP address of the interface where the VPN is running is displayed.

Using the CLI, we can set another important piece of information that will also be displayed in the GUI after setting it in the CLI. It's called Virtual Host and it's a different hostname that determines the address for this Realm. For example, vpn2.company.com. CLI documentation vpn ssl web realm.

config vpn ssl web realm
    edit "company"
       set virtual-host vpn2.company.com
    next
end

Usage (assignment) of Realm

  • (VDOM) > VPN > SSL-VPN Settings

In Authentication/Portal Mapping, we can then assign the created Realm to map a user/group to a portal. Typically, the default, i.e., root, is used. Users can then only log in when they access through the assigned address; login will not work on other login pages.

[Figure: FortiGate - Authentication/Portal Mapping]

Customizing messages and default login screen

  • (VDOM) > System > Replacement Messages

We can edit the default login screen Web VPN and some (error) messages. In the top right, we switch to Extended View, and it's the SSL-VPN section.

SSL-VPN Portals - portals

  • (VDOM) > VPN > SSL-VPN Portals

A Portal is the gateway to SSL VPN, whether it's a tunnel or web VPN. Portals are profiles that we assign to users or groups, thereby allowing them to connect to a VPN mode. We determine the main behavior parameters of the given VPN connection, such as assigned IP addresses, FortiClient options, or Web VPN content. We can perform certain client checks (Host Check) and if they don't pass, we can deny the connection.

By default, three SSL-VPN Portals are prepared, which we can, but don't have to use.

  • web-access - web access allowed
  • tunnel-access - client access allowed
  • full-access - both allowed

In the global settings of SSL VPN, we must choose one portal as the default (All Other Users/Groups). For users to be able to log in to VPN at all, and thus for a portal to be chosen, they must be part of some FW policy. Nevertheless, it is safer to create a portal without any access and set it as the default:

  • no-access - everything blocked
[Figure: FortiGate - SSL-VPN Portals]

Portal configuration using GUI

Documentation Portal configuration

  • (VDOM) > VPN > SSL-VPN Portals

The main options in the portal are enabling/disabling connection via Tunnel Mode and Web Mode. If Tunnel Mode is not enabled, the user cannot log in with FortiClient. If Web Mode is not enabled, the user can still log in on the web. The same happens if we create a no-access portal where everything is turned off (both Tunnel Mode and Web Mode); the user just gets misleading information:

The SSL-VPN portal has been enabled for tunnel mode use only. FortiClient is required to connect.
[Figure: FortiGate - Web Portal not permitted]

In practice, it may be appropriate to create custom Portal profiles for individual user groups. At least where different VPN options are required.

[Figure: FortiGate - SSL-VPN Portals settings]

GUI allows setting only certain portal properties.

  • Name - naming the portal
  • Limit Users to One SSL-VPN Connection at a Time - if there's already one connection for a user, another cannot be established
  • Tunnel Mode - allowing connection to SSL VPN tunnel (FortiClient)
    • Enable Split Tunneling - by default, all traffic goes into the VPN tunnel; when enabled, only certain addresses are sent and others go locally to the internet
    • Routing Address - which addresses are routed to the tunnel (if not specified, addresses from defined policies should be used)
    • Source IP Pools - range of assigned addresses for VPN clients
  • Tunnel Mode Client Options - settings that affect FortiClient options
    • Allow client to save password - user can save password
    • Allow client to connect automatically - when the application starts (e.g., at startup), it tries to connect automatically
    • Allow client to keep connections alive - if allowed, the client tries to reconnect when there's an outage, but the password must be saved
    • DNS Split Tunneling - different DNS for different domains, Split DNS support for SSL VPN portals
  • Host Check - checking that antivirus or firewall or both are running on the client
  • Restrict to Specific OS Versions - ability to restrict access from certain OS versions (offers certain versions of Windows and MacOS)
  • Enable Web Mode - allows access to the web portal (even if not allowed, it's possible to log in to the web, but it doesn't contain given functions)
    • Portal Message - title and name of the portal
    • Theme - color appearance
    • Show Session Information - widget at the top of the page that contains info about connection time, transferred data, user's name
    • Show Connection Launcher - ability to create connections to internal resources without the need for them to be predefined (Predefined Bookmarks), offers a Quick Connection button
    • Show Login History - list of user's connection history
    • User Bookmarks - ability to create own bookmark, offers a New Bookmark button
    • Pre-Defined Bookmarks - we can prepare various bookmarks to internal resources
  • Enable FortiClient Download - there's a link to download FortiClient on the portal, we can select OS (Windows, Mac, iOS, Android), but for mobile platforms it's just a link to the store and otherwise it downloads an online installer that further downloads data from Fortinet
    • Download Method - download via direct link or through SSL VPN
    • Customize Download Location - we can enter a URL where the client for Windows and Mac is

In the web portal, we can connect to various protocols that are mediated in the web browser. Supported protocols for links are HTTP/HTTPS, FTP, RDP, SFTP, SMB/CIFS, SSH, TELNET, VNC. Using CLI, we can set a few more parameters. For example, disable some protocols for links.

The CLI command documentation also mentions the ability to define a Port Forward type link. But I can't manage to use these commands and the only mention of this feature is for an old version Port forwarding mode.

[Figure: Fortinet Web VPN]

Portal configuration using CLI

CLI documentation vpn ssl web portal

Below are mentioned only certain portal settings using CLI. Primarily, these are options that cannot be set in the GUI.

Assigning addresses to the client

Besides assigning from the set range (range), we can set the use of an address assigned to the user from an external server (user-group).

config vpn ssl web portal
    edit <name>
        set ip-mode range
    next
end

DNS and WINS server address

We can specify DNS and WINS servers that the client will get for the given portal.

config vpn ssl web portal
    edit <name>
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set dns-suffix ''
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
    next
end

Client communication restrictions

Blocking communication of the VPN user to their local subnet. If Split Tunnel is turned off (set split-tunneling disable), we have two commands available. The first is described in Technical Tip: Enabling SSL VPN Full Tunnel; I couldn't find any information about the second one.

config vpn ssl web portal
    edit <name>
        set exclusive-routing disable
        set service-restriction disable
    next
end

Web Mode settings

A number of CLI settings relate to Web Mode, which must be turned on (set web-mode enable).

config vpn ssl web portal
    edit <name>

We can specify which applications are accessible for connection in Web VPN:

        set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping citrix portforward

Option to hide the bookmark widget

        set display-bookmark enable

Allows users to create bookmarks for all users in the same group

        set user-group-bookmark enable

After logging into Web VPN, it opens the specified internal address through VPN (opens as a new window)

        set redir-url ''

Option to set the language for the portal, which changes the global language setting in FortiGate

        set custom-lang ''

Allows the use of NTLMv1 for SMB/CIFS

        set smb-ntlmv1-auth disable

Minimum and maximum allowed SMB version

        set smb-min-version smbv2
        set smb-max-version smbv3

Transformation of backslashes in URL

        set transform-backward-slashes disable

Prevents sending SSO credentials to the client

        set hide-sso-credential enable
    next
end

Client checks

There are also commands for client checks; we'll look at those in the next part.

config vpn ssl web portal
    edit <name>
        set host-check none
        set mac-addr-check disable
        set os-check disable
    next
end

SSL-VPN Settings - global SSL VPN settings

  • (VDOM) > VPN > SSL-VPN Settings

Some SSL VPN settings are set globally and we can't modify them for different users. For example, the interface and port where FortiGate listens for VPN client connections. What I find bad is that we can't specify the IP address it listens on. We globally determine which ranges are used for assigning addresses to clients in Tunnel VPN. We perform mapping of users (groups) to portals.

[Figure: FortiGate - SSL-VPN Settings]

SSL VPN configuration using GUI

  • Connection Settings - basic connection parameters
    • Listen on Interface(s) - we specify the interface on which SSL VPN will listen, we can't specify the IP address (which I find a major flaw), but it will use the primary IP address on the interface and if used, all secondary ones as well
    • Listen on Port - on which port VPN listens (HTTPS), we may get a warning that the port is in conflict with the administration port (Global > System > Settings setting), but if we use a different interface, it's not a problem (again, it's misleading information)
    • Redirect HTTP to SSL-VPN - if a user accesses HTTP, they will be redirected
    • Restrict Access - allowing access from any addresses or only selected ones
    • Idle Logout - logs out VPN session on inactivity
    • Inactive For - inactivity time
    • Server Certificate - certificate for HTTPS
    • Require Client Certificate - authentication by client certificate
  • Tunnel Mode Client Settings - settings (addresses) for SSL VPN tunnel (FortiClient)
    • Address Range - from which range IP addresses are assigned, Specify custom IP ranges - we can create address objects and use them here, if we leave Automatically assign address, the predefined object SSLVPN_TUNNEL_ADDR1 is used, which we can modify
    • DNS Server - whether the client should get internal DNS servers, FortiClient sets these addresses not only on the SSL VPN adapter, which causes problems, description of changing the setting is at the end of the article in FortiClient configuration
    • Specify WINS Servers - whether the client should get internal WINS servers
  • Authentication/Portal Mapping - assigning users or groups to existing portals that determine specific VPN connection properties, we must set a default portal (All Other Users/Groups)

SSL VPN configuration using CLI

CLI documentation vpn ssl settings

Each setting in the GUI applies a certain command to the configuration. So in the command line, we set everything we have in the GUI, but there are also a number of other settings. Below we'll look at some CLI options that aren't in the GUI.

Just a note: in each part of the configuration we can use the show command, which displays the current settings. We can extend it so that it shows all settings, including those that still have default values:

FW1 (setting) # show full-configuration 

Allowed protocols

We can limit allowed TLS and possibly DTLS protocols.

config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set dtls-tunnel enable
    set dtls-max-proto-ver dtls1-2
    set dtls-min-proto-ver dtls1-0
end

Allowed encryption algorithms

We can enforce a certain level of security by allowing only certain categories of algorithms (high should be at least 128-bit AES or ChaCha). We can also list ciphers that must not be used (not set by default). See Configuring encryption key algorithms.

config vpn ssl settings
    set algorithm high
    unset banned-cipher
end

Connection time limits

Logout on inactivity (idle-timeout) can also be set in the GUI. But the authentication validity period (auth-timeout), which causes SSL VPN to terminate (log out) after the specified time has elapsed, can only be set in the CLI. The default value is 28800 seconds, i.e. 8 hours.

config vpn ssl settings
    set idle-timeout 300
    set auth-timeout 28800
end

HTTP Strict Transport Security (HSTS) includeSubDomains

By default, it sends the HSTS header Strict-Transport-Security: max-age=31536000. We can use the command:

config vpn ssl settings
    set hsts-include-subdomains enable
end

Then the complete header is sent:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
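As an added example (not Fortinet code), the following script parses the config/edit/set/next/end nesting of show full-configuration output and flags the weak values discussed in the CLI sections above: a TLS minimum below 1.2, DTLS 1.0 still allowed, an algorithm class below high, a disabled login lockout (login-attempt-limit 0), an auth-timeout above the 8-hour default, and a default portal that grants access. The sample configuration is constructed; default-portal and tunnel-mode are real FortiOS keys in the same tables that this page does not show.

```python
"""Audit SSL VPN settings in a FortiOS config dump (added example, not Fortinet code).
Feed it `show full-configuration` text so that defaulted keys are present too."""
import re
from typing import Dict, List

# Constructed sample; values deliberately chosen so that every check fires.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set ssl-max-proto-ver tls1-3
    set dtls-tunnel enable
    set dtls-min-proto-ver dtls1-0
    set algorithm medium
    set login-attempt-limit 0
    set login-block-time 60
    set idle-timeout 300
    set auth-timeout 86400
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "G VPN Consultant"
            set portal "VPN-Consultant"
        next
    end
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
    next
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end
"""

TLS_ORDER = ["ssl3", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]
DEFAULT_AUTH_TIMEOUT = 28800  # 8 hours, the default stated in the article


def parse_fortios(text: str) -> Dict:
    """Turn FortiOS CLI output into nested dicts: `config a b` / `edit "x"` open a
    level keyed "a b" / "x"; `set k v1 v2` stores ["v1", "v2"] with quotes stripped;
    `next` / `end` close the innermost level. Other lines (e.g. unset) are ignored."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        parts = re.findall(r'"[^"]*"|\S+', raw)
        if not parts:
            continue
        cmd, args = parts[0], [p.strip('"') for p in parts[1:]]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("config block not closed with 'end'")
    return root


def audit_ssl_vpn(config: Dict) -> List[str]:
    """Return human-readable findings for `vpn ssl settings` and the default portal."""
    s = config.get("vpn ssl settings", {})
    portals = config.get("vpn ssl web portal", {})
    first = lambda key: (s.get(key) or [None])[0]  # first value of a key, or None
    findings: List[str] = []

    if first("ssl-min-proto-ver") in TLS_ORDER[:TLS_ORDER.index("tls1-2")]:
        findings.append("ssl-min-proto-ver allows TLS older than 1.2")
    if first("dtls-tunnel") == "enable" and first("dtls-min-proto-ver") == "dtls1-0":
        findings.append("dtls-min-proto-ver permits DTLS 1.0; set dtls1-2")
    if first("algorithm") not in (None, "high"):
        findings.append(f"algorithm {first('algorithm')}: ciphers below the high class allowed")
    if first("login-attempt-limit") == "0":  # assumption: 0 disables the lockout
        findings.append("login-attempt-limit 0: failed logins are never blocked")
    if first("auth-timeout") and int(first("auth-timeout")) > DEFAULT_AUTH_TIMEOUT:
        findings.append(f"auth-timeout {first('auth-timeout')}s exceeds the 8h default")

    default = first("default-portal")
    if default is not None:
        modes = portals.get(default, {})
        if any(modes.get(k, ["disable"])[0] == "enable" for k in ("tunnel-mode", "web-mode")):
            findings.append(f"default portal '{default}' grants tunnel or web access; "
                            "use a portal with both modes disabled for All Other Users/Groups")
    return findings


if __name__ == "__main__":
    for line in audit_ssl_vpn(parse_fortios(SAMPLE_CONFIG)):
        print("-", line)
```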

Authentication/Portal Mapping - authentication rules

In the GUI, we can make a simple assignment of users/groups to a portal (and possibly Realm). CLI offers us more options. Authentication rules (mapping) are numbered and we can edit (create) them.

    config authentication-rule
        edit 1

In the global settings, we determine on which interface and from which addresses VPN listens. We can enter multiple interfaces and then in the rules assign a specific interface for the given mapping (Technical Note: SSL VPN source-interface setting in authentication rule taking precedence).

              set source-interface "Port1"
              set source-address "all"

In the global settings, we can enable requiring authentication by client certificate (either any trusted certificate or together with User Peer a specific certificate), then it applies to all connections. If we want to use a certificate only for certain users (portal), we can define it here.

              set client-cert disable
              set user-peer {string}

Strength of used ciphers. I'm not sure how much this relates to the global setting set algorithm. We can choose High (>= 168 bits), Medium (>= 128 bits) or Any.

              set cipher high

Restriction of authentication methods. We can require that user verification come from a particular source: any, local, radius, tacacs+ or ldap.

              set auth any
        next

Firewall Policy - policies for VPN client communication

  • (VDOM) > Policy & Objects > IPv4 Policy

After we set up SSL VPN connection, we must define allowed communications for users connected to VPN. Generally, for a user to be able to log into VPN at all, they must be part of some policy (which has SSL-VPN Tunnel Interface as the source interface).

For communication of VPN clients to the internal network, we create policies where SSL-VPN Tunnel Interface is the input interface. We can set different rules for different users and their VPN connections thanks to the fact that we enter user groups and address ranges as the source. However, IP addresses from defined ranges are assigned only to clients in Tunnel mode, if we create only Web VPN for some group, then according to the documentation, the address all should be chosen.

Note: This makes sense to me: clients access from their public addresses and FortiGate acts as a proxy, and the traffic log agrees. Clients who have established a VPN tunnel have a source address from the VPN range (this is communication that is encapsulated into the tunnel and unpacked again on the FortiGate side). But here is what no longer makes sense to me. I realized that where I allowed Tunnel and Web, I only set VPN user IP addresses in the policy, and yet access via Web VPN worked. I did various tests, and for Web VPN it does not matter at all what address is set as the source; it can even be none.

IPv4 policy parameters

  • name (Name) - reasonable naming of the policy
  • incoming interface (Incoming Interface) - we must choose the VPN tunnel interface, it has the alias SSL-VPN Tunnel Interface
  • outgoing interface (Outgoing Interface) - we choose according to the network where we want to allow communication
  • source (Source) - we enter user groups (used in VPN rules) and address ranges (address objects from which we assigned IP addresses to clients)
  • destination (Destination) - network addresses (address objects) where we want to allow communication
  • services (Service) - which protocols/ports we want to allow, we can use ALL
  • action (Action) - we choose Accept
  • Inspection Mode, Security Profiles - depending on how we use security checks, we set the required values
  • NAT - again, depending on requirements and topology, we may or may not use source IP address translation
  • logging (Log Allowed Traffic) - All Sessions is suitable
  • Enable this policy - of course we must enable the policy
FortiGate IPv4 Policy for SSL VPN

Because we assigned different user groups to specific portals, each with its own address range, we can easily create different rules for different users. If we also use Realm, we can assign the same user group a different portal (and thus a different IP address range) depending on which URL (Realm) they log in through. We can thus create a company profile (Realm) where station checks (Host Check) or certificate authentication are performed; if the login passes, the policy allows more communication. And a second profile where the user can log in from anywhere, but the connection is limited.

We typically allow communication from VPN clients to the internal network. But we can also add reverse policies that allow certain communication from the internal network to VPN clients. By default, communication between VPN clients is not possible, and this is certainly the safe choice. If necessary, we can allow that too (Technical Tip: How to perform routing between SSLVPN Clients).

Routing - routing

In half of the Fortinet guides for setting up SSL VPN, it is stated that a static route for client addresses in the VPN needs to be created (Routing in tunnel mode). In the other half of the guides, there is no such thing. When I don't set any routing manually, all communication works for me anyway.

I found some mentions that it is to ensure responses, for example, of the UDP protocol. Or a discussion where someone asked about the reason for this manual routing. Someone wrote that it is to ensure communication from the internal network to VPN clients. But when I allow such communication by policy, it works, and the route is not needed.

There is also the question of what exactly the following command, which is enabled by default, does.

config vpn ssl settings
    set auto-tunnel-static-route enable
end

Troubleshooting and monitoring clients

Debug SSL VPN

Documentation SSL VPN troubleshooting

When troubleshooting, we can use the CLI to enable debug mode for SSL VPN.

diagnose debug application sslvpn -1
diagnose debug enable

It may be useful to enable timestamp display for individual records.

diagnose debug console timestamp enable

Or also enable authentication debugging.

diagnose debug application fnbamd -1 

Now all related events are displayed in the CLI ("all" deserves the quotation marks, as does the informational value of the messages). Example of selected events only, when a user logs into Web VPN:

[9314:root:188]allocSSLConn:289 sconn 0x7fe3ca091500 (1:root)
[9314:root:188]SSL state:before SSL initialization (78.28.251.155)
[9314:root:188]got SNI server name: vpn.firma.cz realm (null)
[9314:root:188]client cert requirement: no
[9314:root:188]SSL state:SSLv3/TLS read client hello (78.28.251.155)
[9314:root:188]SSL state:TLSv1.3 early data (78.28.251.155)
[9314:root:188]got SNI server name: vpn.firma.cz realm (null)
[9314:root:188]client cert requirement: no
[9314:root:188]SSL state:SSL negotiation finished successfully (78.28.251.155)
[9314:root:188]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[9314:root:188]req: /remote/logincheck
[9314:root:188]rmt_web_auth_info_parser_common:470 no session id in auth info
[9314:root:188]rmt_web_access_check:723 access failed, uri=[/remote/logincheck],ret=4103,
[9314:root:188]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
[9314:root:188]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[9314:root:188]sslvpn_auth_check_usrgroup:2145 got user (0) group (3:0).
[9314:root:188]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (2), realm ().
[9314:root:188]sslvpn_validate_user_group_list:1690 checking rule 1 cipher.
[9314:root:188]sslvpn_validate_user_group_list:1698 checking rule 1 realm.
[9314:root:188]sslvpn_validate_user_group_list:1709 checking rule 1 source intf.
[9314:root:188]sslvpn_validate_user_group_list:1748 checking rule 1 vd source intf.
[9314:root:188]sslvpn_validate_user_group_list:1845 rule 1 done, got user (0:0) group (1:0) peer group (0).
[9314:root:188]sslvpn_validate_user_group_list:1963 got user (0:0), group (3:0) peer group (0).
[9314:root:188]two factor check for bouska: off
[9314:root:188]sslvpn_authenticate_user:191 authenticate user: [bouska]
[9314:root:188]sslvpn_authenticate_user:198 create fam state
[9314:root:188]fam_auth_send_req:583 with server blacklist: 
[9314:root:188]fam_auth_send_req_internal:461 fnbam_auth return: 4
[9314:root:188]Auth successful for group G VPN
[9314:root:188]fam_do_cb:654 fnbamd return auth success.
[9314:root:188]SSL VPN login matched rule (1).
[9314:root:188]rmt_web_session_create:781 create web session, idx[1]
[9314:root:188]req: /remote/hostcheck_install?auth_type=16&u
[9314:root:188]deconstruct_session_id:426 decode session id ok, user=[bouska],group=[G VPN],authserver=[DC],portal=[VPN1],host=[78.28.251.155],realm=[],idx=1,auth=16,sid=7631bb58,login=1584609359,access=1584609359,saml_logout_url=no
[9314:root:188]req: /sslvpn/portal.html
[9314:root:188]mza: 0x26f18b0 /sslvpn/portal.html

To disable debug mode, we can use

diagnose debug disable
diagnose debug reset
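As an added example (not from the article or from Fortinet), a small Python parser that groups such debug lines by connection and pulls out the facts the SSL-VPN Monitor does not show (negotiated TLS version and cipher, two-factor state, client certificate requirement, matched rule and portal), then flags logins that fall short of a baseline. The sample lines are a trimmed copy of the session above; the expected portal name VPN1 and the TLS floor are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the Web VPN login shown above. The
# "[pid:vdom:connid]" prefix ties every line to one client connection.
SAMPLE_LOG = """\
[9314:root:188]SSL state:before SSL initialization (78.28.251.155)
[9314:root:188]got SNI server name: vpn.firma.cz realm (null)
[9314:root:188]client cert requirement: no
[9314:root:188]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[9314:root:188]two factor check for bouska: off
[9314:root:188]Auth successful for group G VPN
[9314:root:188]SSL VPN login matched rule (1).
[9314:root:188]deconstruct_session_id:426 decode session id ok, user=[bouska],group=[G VPN],authserver=[DC],portal=[VPN1],host=[78.28.251.155],realm=[],idx=1,auth=16,sid=7631bb58,login=1584609359,access=1584609359,saml_logout_url=no
"""

PREFIX = re.compile(r"^\[(\d+):([^:\]]+):(\d+)\](.*)$")   # [pid:vdom:connid]msg
KV = re.compile(r"(\w+)=\[([^\]]*)\]")                     # key=[value] pairs


def parse(text: str) -> Dict[str, dict]:
    """Group debug lines by connection id and pull out the facts of each login."""
    logins: Dict[str, dict] = {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        conn, msg = m.group(3), m.group(4)
        rec = logins.setdefault(conn, {"conn": conn, "auth_ok": False})
        if msg.startswith("SSL state:") and msg.endswith(")"):
            rec["client_ip"] = msg[msg.rfind("(") + 1:-1]
        elif msg.startswith("got SNI server name: "):
            sni, _, realm = msg[len("got SNI server name: "):].partition(" realm ")
            rec["sni"], rec["realm"] = sni, "" if realm == "(null)" else realm
        elif msg.startswith("client cert requirement: "):
            rec["client_cert"] = msg.split(": ", 1)[1]
        elif msg.startswith("SSL established: "):
            rec["tls"], rec["cipher"] = msg.split(": ", 1)[1].split(" ", 1)
        elif msg.startswith("two factor check for "):
            rec["two_factor"] = msg.rsplit(": ", 1)[1]
        elif msg.startswith("Auth successful for group "):
            rec["auth_ok"] = True
        elif msg.startswith("SSL VPN login matched rule ("):
            rec["matched_rule"] = int(msg[msg.find("(") + 1:msg.find(")")])
        elif "decode session id ok" in msg:
            # user/group/portal/host/realm: the values the GUI monitor hides
            rec.update(KV.findall(msg))
    return logins


def audit(rec: dict, expected_portal: str, min_tls: str = "TLSv1.2") -> List[str]:
    """Findings a defender wants per login: protocol floor, 2FA, client cert,
    and whether the session landed in the portal the mapping was meant to give."""
    user = rec.get("user", rec["conn"])
    findings = []
    if rec.get("tls", "") < min_tls:   # "TLSv1.0" < "TLSv1.2" < "TLSv1.3" lexically
        findings.append(f"{user}: negotiated {rec.get('tls', '')!r} below {min_tls}")
    if rec.get("two_factor") == "off":
        findings.append(f"{user}: two-factor check off")
    if rec.get("client_cert") == "no":
        findings.append(f"{user}: no client certificate required")
    if rec["auth_ok"] and rec.get("portal") != expected_portal:
        findings.append(f"{user}: portal {rec.get('portal')!r}, expected {expected_portal!r}")
    return findings


if __name__ == "__main__":
    for login in parse(SAMPLE_LOG).values():
        print(login["user"], login["tls"], login["cipher"], login["portal"])
        print("\n".join(audit(login, expected_portal="VPN1")))
```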

VPN events

  • (VDOM) > Log & Report > Events

On FortiGate, we can look at certain events regarding SSL VPN, we just need to correctly switch the event type.

FortiGate - Log & Report > VPN Events

Client monitoring

In FortiClient, we can enable Debug logging and export logs. For more demanding control of what the client is doing, we can use Sysinternals Process Monitor. To check ciphers and other HTTPS properties, we can use Qualys SSL Labs.

Monitoring logged-in users

  • (VDOM) > Monitor > SSL-VPN Monitor
  • (VDOM) > Monitor > Firewall User Monitor

I will say right away that information about established SSL VPN Sessions and users logged into VPN is another very insufficient area. We only get basic information about the user, from which public IP address they are connected, and what internal address they received. We can terminate the tunnel. Under the Firewall user monitor, we will see a few more details, such as the group and transferred data.

FortiGate - SSL-VPN Monitor

I haven't figured out how to find out details about the used protocols (whether it's TLS/DTLS), encryption algorithms, client details, applied portal and Realm, inactivity time, etc. When we deal with limiting client connections by MAC address, we would also like to see this information.

Using the CLI, we get similar information to the GUI:

FW1 (FWINT) # execute vpn sslvpn list 
SSL VPN Login Users:
 Index  User     Auth Type Timeout     From  HTTP in/out  HTTPS in/out
 0      bouska   16(1)      3598        1.2.3.4  0/0   0/0
 
SSL VPN sessions:
 Index  User      Source IP Duration  I/O Bytes   Tunnel/Dest IP 
 0      bouska    1.2.3.4    163 1167583/1216084 172.31.254.10

If we want to get data about the history of user connections to the VPN, we need FortiAnalyzer. However, FortiGate must know this data because it can display our login history in Web VPN.

Using the CLI, we can display summary statistics.

FW1 (FWINT) # diagnose vpn ssl statistics
SSLVPN statistics (FWINT):
------------------
Memory unit:               1
System total memory:       8368185344
System free memory:        5880107008
SSLVPN memory margin:      629145600
SSLVPN state:              normal
 
Max number of users:       9
Max number of tunnels:     6
Max number of connections: 13
 
Current number of users:       6
Current number of tunnels:     5
Current number of connections: 6

FortiClient - client for VPN connection

The application FortiClient is used as a VPN client. It is currently available in versions 6.0.x and 6.2.x, which have significant differences. Up to version FortiClient 6.0.x, it is provided for free. It is a client that contains a number of components, and during installation, we choose which ones we will use. At a minimum, we must install the Security Fabric Agent (Endpoint Telemetry and Host Vulnerability Scan) to add Secure Remote Access (SSL and IPsec VPN client), other components include AntiVirus, Application Firewall, Web Filtering, Single Sign On.

From version FortiClient 6.2.0, it became a paid product that must be managed using EMS (Enterprise Management Server). Previously, FortiClient could also connect to FortiGate (FortiOS from version 6.2 does not support this). Fortinet provides only a limited version of FortiClient VPN 6.2 for free. It does not contain other components than SSL and IPsec VPN client, but even these options are limited. For example, Host Check or IKEv2 is not supported.

Versions are available for various operating systems, but full functionality is only supported in the client for Windows. Details can be found on the official FortiClient page, where the online installer (a small file that downloads additional data during installation over the internet, which in practice works very slowly) is also available. In the Web VPN portal settings, we can enable the client download, then the online installer is also offered (so it is better to choose your own location and upload the offline installer somewhere). If we have an account, we can download the offline installation from the Support Fortinet website in the Download - Firmware Images - FortiClient menu.

Colleagues told me that FortiClient 6.0 for Linux requires Root permissions and overall does not work. They chose the alternative OpenFortiVPN, or Fortinet SSLVPN support for NetworkManager (if Split Tunnel is used, it is necessary to set Use just for resources on this connection).

Here we primarily focus on the Windows version of the FortiClient 6.0 client. As I already wrote in the introduction, the 6.0.9.0277 installer is 95 MB and after installation, only the VPN takes up 290 MB. The 6.2.6.0951 installer is 98 MB and takes up 205 MB. It is definitely not a fast and reliable application.

FortiClient settings

Documentation FortiClient 6.0

The configuration of FortiClient 6.2 should be managed through the EMS server. For FortiClient 6.0, it should be possible to create a customized installer according to the company's requirements using the FortiClient Configurator Tool. However, to obtain this tool, we must have an account on the Fortinet Developer Network. To create an account, we need two sponsors, who are Fortinet employees, to approve the account creation.

So we are left with only the manual configuration of FortiClient in the GUI (which, similar to FortiOS, allows only some things) or editing the XML configuration file. Below is a view of the interface of versions 6.0 and 6.2.

FortiClient 6.0 settings
FortiClient 6.2 settings

When troubleshooting, it may be useful to set the logging level and export logs to a text file. Basically, the only option for global VPN settings (others are parameters of individual VPN connections) is the use of DTLS, which Fortinet recommends in some places, yet the default state is off.

Unlock settings

Some options are usually locked, and to use or change them we need to unlock the settings. The lock (Unlock Settings) is at the bottom left or top right.

Configuration backup

If we want to modify the current settings, we can perform a configuration backup, which will give us an XML file with the settings.

  • FortiClient - Settings - in the System section - Backup
  • for example, to a file forticlient.conf, confirm OK, and we get a message that the backup was successful

Configuration restore

If we have modified the settings of the backed-up configuration, or we have received a prepared configuration file, we restore (import) it into FortiClient.

  • FortiClient - Settings - in the System section - Restore
  • select the file and confirm, we get a message that the restore was successful

Backup and restore in the command line

We can perform both backup and restore of the configuration using the command line tool FCConfig.exe.

FCConfig -m all -f <filename> -o export
FCConfig -m all -f <filename> -o import

We can even export/import only a specific part of the configuration. Below is the VPN part and only VPN connections.

FCConfig -m vpn -f <filename> -o exportvpn
FCConfig -m vpn -f <filename> -o importvpn

Editing settings and XML configuration file

Documentation FortiClient 6.0.9 Administration Guide, FortiClient 6.0.9 XML Reference Guide

Using the XML configuration file, we can modify a number of settings. With this file, we can also distribute settings profiles for VPN connections to clients. If we save a backup, the file contains most of the settings and their values, and we can add some additional parameters, as we showed in the article about certificate authentication when we wanted to use a computer certificate. A certain description of all settings is found in the XML reference guide.

We simply open the configuration file in a text editor and modify the values in the appropriate part of the XML. Then we save it. The XML file contains a number of sections, which are described in the documentation. The main ones for SSL VPN are as follows.

<forticlient_configuration>
    <system>
    </system>
    <endpoint_control>
    </endpoint_control>
    <vpn>
        <options>
        </options>
        <sslvpn>
            <options>
            </options>
            <connections>
                <connection>
                </connection>
            </connections>
        </sslvpn>
    </vpn>
    <vulnerability_scan>
    </vulnerability_scan>
</forticlient_configuration>

In the configuration, we can set a number of special features. For example, running a script when the VPN tunnel is established. Or setting up the VPN tunnel before logging into Windows. It is worth looking at the list of options.

Setting DNS servers only on the SSL VPN adapter

One of the problems I dealt with, and found no mention of how to handle, was related to the registration of DNS names in the corporate DNS. When the user connected to the VPN, two or more records were created for their computer name in the corporate DNS. One record contained the IP address from the VPN connection, i.e. the Fortinet SSL VPN Virtual Ethernet Adapter. Another record had the IP address from the Wireless or Ethernet adapter of the user's local network.

The cause was immediately visible. The corporate DNS servers were not added only to the Fortinet SSL VPN Virtual Ethernet Adapter but also to the adapter through which the user was locally connected to the network.

Only in the FortiClient settings using the XML file did I find how to change this behavior.

<forticlient_configuration>
    <vpn>
        <sslvpn>
            <options>
               <prefer_sslvpn_dns>0</prefer_sslvpn_dns>
            </options>
        </sslvpn>
    </vpn>
</forticlient_configuration>

Alternatively, we can set it so that DNS record registration is not performed. But it seems that it only unchecks the Register this connection's addresses in DNS option on the Fortinet SSL VPN Virtual Ethernet Adapter. If we do not set the switch above, the main adapter will still be registered. It also seems that after returning the switch to 0, the DNS registration option is not checked again.

The setting goes in the same place (the sslvpn options section) and is the following tag:

<no_dns_registration>1</no_dns_registration>
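As an added example (not from the article or from Fortinet), a Python helper that applies the two DNS settings above to a FortiClient backup file: it walks to vpn/sslvpn/options, creating the path if the backup lacks it, and inserts or overwrites the tags while leaving every other section of the file untouched. The sample configuration is constructed from the skeleton shown earlier; the starting value 1 for prefer_sslvpn_dns is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of a FortiClient backup, trimmed to the sections used
# here. The starting value 1 for prefer_sslvpn_dns is an assumption.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
    <system>
    </system>
    <vpn>
        <options>
        </options>
        <sslvpn>
            <options>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
            </options>
            <connections>
                <connection>
                </connection>
            </connections>
        </sslvpn>
    </vpn>
</forticlient_configuration>
"""

# The two switches discussed above: corporate DNS only on the VPN adapter,
# and no DNS registration of the VPN adapter's address.
DNS_SETTINGS = {"prefer_sslvpn_dns": "0", "no_dns_registration": "1"}

OPTIONS_PATH = ("vpn", "sslvpn", "options")


def set_sslvpn_options(xml_text: str, settings: Dict[str, str]) -> str:
    """Return the configuration with the given tags set under vpn/sslvpn/options.

    Missing path elements and tags are created, existing values are overwritten,
    and every other section of the backup is left as it was.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "forticlient_configuration":
        raise ValueError(f"not a FortiClient configuration (root <{root.tag}>)")
    parent = root
    for name in OPTIONS_PATH:
        child = parent.find(name)
        if child is None:
            child = ET.SubElement(parent, name)
        parent = child
    for tag, value in settings.items():
        node = parent.find(tag)
        if node is None:
            node = ET.SubElement(parent, tag)
        node.text = value
    if hasattr(ET, "indent"):          # Python 3.9+: keep the file readable
        ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")


def get_sslvpn_option(xml_text: str, tag: str) -> Optional[str]:
    """Read one tag under vpn/sslvpn/options, or None when it is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("/".join(OPTIONS_PATH) + "/" + tag)
    return None if node is None else (node.text or "").strip()


def fix_dns_in_backup(src: str, dst: str) -> None:
    """Rewrite a backup taken in FortiClient (Settings - Backup) for Restore."""
    with open(src, encoding="utf-8") as f:
        fixed = set_sslvpn_options(f.read(), DNS_SETTINGS)
    with open(dst, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8" ?>\n' + fixed + "\n")
```

The rewritten file is imported back with Settings - Restore or with FCConfig -m all -f <filename> -o import, as described above.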

Uninstalling FortiClient

FortiClient VPN 6.2.6 can be uninstalled normally through Programs and Features. But with FortiClient 6.0.9, the Uninstall option is missing on all computers, and only Repair is available. The procedure from the documentation Uninstalling FortiClient also does not work.

There are various tips on forums, but the only thing that worked for me was to use the tool FCRemove.exe, which is located among the FortiClientTools in the SupportUtils folder. These tools can be downloaded from the Support Fortinet website in the same place as the client.

Note: When we are at FortiClientTools, there is also a tool FortiSSLVPNclient (SSLVPNcmdline), which I did not quite understand. I thought it was a simple VPN client, but it does not work without the installed FortiClient (it does not even display any error). When launched, it displays a simple GUI and can probably be called from the command line.


Comments
  1. [1] Martin

    Hi, I wanted to ask whether you have dealt with the issue of allowing only clients registered in EMS to connect.

    Wednesday, 29.11.2023 17:34