
FortiOS Cookbook

SSL VPN
SSL is an easy to use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or have any extra SSL-related software. SSL protection can also be applied to secure communication over the Internet between client PCs and a remote network using SSL VPN. For basic SSL VPN functionality, all a user needs to do to access an SSL VPN is to browse to the IP address of a FortiGate unit configured for SSL VPN. The users do not require any special SSL VPN software or configuration, since SSL in the form of HTTPS is automatically enabled by most web browsers. The FortiGate SSL VPN configuration requires an SSL VPN web portal for SSL VPN users to log into, the addition of a user authentication configuration to allow SSL VPN users to log in, and then the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic. FortiASIC processors can accelerate SSL VPN encryption, optimizing SSL VPN performance for a large user base. Additional SSL VPN features are available, including tunnel mode, virtual desktop for enhanced endpoint protection, and endpoint security checks. These features are supported by SSL VPN clients that can be downloaded automatically by SSL VPN users after logging into the SSL VPN portal. Users can also download Fortinet SSL VPN clients to access these additional SSL VPN features without logging into an SSL VPN portal. Fortinet supports SSL VPN clients for many PC and mobile platforms.

This chapter includes the following SSL VPN examples:
• Setting up remote web browsing for internal sites through SSL VPN
• Using SSL VPN to provide protected Internet access for remote users
• SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users
• Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN

FortiOS 4.0 MR3 http://docs.fortinet.com/


Setting up remote web browsing for internal sites through SSL VPN

Problem
You want to provide remote users the ability to access corporate internal sites and specific company-related external sites.

[Diagram: a remote user on the Internet logs in through the wan1 interface (172.20.120.136) of the FortiGate unit to reach the email server (192.168.1.120) on the internal network.]

Solution
Using SSL VPN you can create a web portal in which, when the remote user connects, they can view a list of links for internal servers and web sites.

Creating a firewall address for the email server
Create a firewall address for the email server.

1 Go to Firewall Objects > Address > Address, select Create New and enter the email server address:
  Address Name:        Email Server
  Type:                Subnet / IP Range
  Subnet / IP Range:   192.168.1.120
  Interface:           Internal

2 Select OK.

Creating the web portal
Create the SSL VPN portal and a bookmark for the email server that the user connects to after logging in.

1 Go to VPN > SSL > Config and for IP Pools select Edit and add twhite to the Selected table.
2 Go to VPN > SSL > Portal and select Create New to create the portal:
  Name:             Internal_company_sites_portal
  Applications:     HTTP/HTTPS
  Portal Message:   Internal Company sites
3 Select OK to close the Edit Settings window.
4 On the default web portal delete the Bookmarks widget by selecting its Remove icon (looks like an X).
5 On the Add Widget on the right of the default portal select Bookmarks.
6 In the new Bookmarks widget select the Edit icon (looks like a pencil).
7 Optionally edit the Name and make sure Applications is set to HTTP/HTTPS.
8 Select OK in the Bookmarks widget.
9 In the Bookmarks widget select Add and create a bookmark to link the email server web page:
  Name:          Email
  Type:          HTTP/HTTPS
  Location:      https://mail.company.com
  Description:   Corporate email system
10 Select OK at the bottom of the Bookmarks widget.
11 Select Apply at the top of the web portal page to save the web portal configuration.

Adding and working with web portal widgets can be confusing and produce unexpected results. Always select Apply at the top of the web portal page after making a change. When you have completed making changes, navigate to another web-based manager page and then navigate back to the web portal to make sure your changes were saved.

Creating an SSL VPN user and user group
Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

1 Go to User > User > User and select Create New to add the user:
  User Name:   twhite
  Password:    password
2 Select OK.
3 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
  Name:                    Sales
  Type:                    Firewall
  Allow SSL-VPN Access:    Internal_company_sites_portal
  Make sure you select the Allow SSL-VPN Access option and that you also select the SSL VPN web portal that the members of this user group connect to. If not selected, the Sales user group will not appear in the group list when configuring the SSL VPN authentication security policy.
4 Move twhite to the Members list.
5 Select OK.

Creating an SSL VPN security policy
Create an SSL VPN security policy with SSL VPN user authentication.

1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
  Source Interface/Zone:        wan1
  Source Address:               all
  Destination Interface/Zone:   internal
  Destination Address:          Email
  Action:                       SSL-VPN

2 Select Configure SSL-VPN Users and select Add to add an authentication rule for remote SSL VPN users:
  Selected User Groups:   Sales
  Selected Services:      HTTP, HTTPS
  Schedule:               always
  If the Sales user group does not appear in the User Group list, ensure you selected the SSL VPN Access option when creating the user group. If that option is not selected, the Sales user group will not appear in the group list when configuring the authentication security policy.
3 Select OK.

Results
To verify the setup works:

1 From the Internet, browse to https://172.20.120.136:10443/remote/login.
2 Log in to the web portal:
  Name:       twhite
  Password:   password
  After logging in, the SSL VPN portal appears.

3 Select the Email link in the Bookmarks widget. The portal launches a new window that displays the email server website.
4 From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN.

From the FortiGate web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. Because of the internal nature of the SSL connection, the source address appears as 0.0.0.0 and the destination is the internal home address of 224.0.0.1.

You can also use the diagnose debug application sslvpn -1 command to debug this configuration as described in "Debugging FortiGate configurations" on page 139.

Using SSL VPN to provide protected Internet access for remote users

Problem
You want to provide remote users the ability to access the Internet while travelling, and ensure that they are not subjected to malware and other dangers by using the corporate firewall to filter all of their Internet traffic.

[Diagram: a remote SSL VPN user (10.212.134.200) logs in through the wan1 interface (172.20.120.136) of the FortiGate unit and browses the Internet through it.]

Solution
Watch the video: http://docs.fortinet.com/cb/ssl1.html

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the web safely.

Creating an SSL VPN IP pool and SSL VPN web portal

1 Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table.
2 Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
3 Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
  Name:       Browsing
  IP Mode:    User Group
  IP Pools:   SSLVPN_TUNNEL_ADDR1

4 Select OK.

Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

1 Go to User > User > User and select Create New to add the user:
  User Name:   twhite
  Password:    password
2 Select OK.
3 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
  Name:                    Tunnel
  Type:                    Firewall
  Allow SSL-VPN Access:    tunnel-access
  Make sure you select the Allow SSL VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy.
4 Move twhite to the Members list.
5 Select OK.

Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

1 Go to Router > Static > Static and select Create New to add the static route:
  Destination IP/Mask:   10.212.134.0/255.255.255.0
  Device:                ssl.root
  The Destination IP/Mask matches the network address of the remote SSL VPN user.
2 Select OK.

Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from wan1 to SSLVPN Tunnel Interface to allow SSL VPN traffic to connect to the Internet.

1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
  Source Interface/Zone:        wan1
  Source Address:               all
  Destination Interface/Zone:   SSLVPN Tunnel Interface
  Destination Address:          SSLVPN_TUNNEL_ADDR1
  Action:                       SSL-VPN
2 Under Configure SSL-VPN Users, select Add to add an authentication rule for the remote user:
  Selected User Groups:   Tunnel
  Selected Services:      ANY
  Schedule:               always
  If the Tunnel user group does not appear in the User Group list, ensure you select the SSL VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy.
3 Select OK.
4 Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
  Source Interface/Zone:        SSLVPN Tunnel Interface
  Source Address:               all
  Destination Interface/Zone:   wan1
  Destination Address:          all
  Schedule:                     always
  Service:                      ANY
  Action:                       ACCEPT
5 Select Enable NAT.
6 Select OK.

Results
Using the FortiClient SSLVPN application, log into the VPN using the address https://172.20.120.136:10443/ and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN.

From the FortiGate web-based manager, go to Policy > Monitor > Policy Monitor to view the policy information for the SSL connection. The Subsession entry indicates the split tunnel which redirects to the Internet.

Go to Log&Report > Log & Archive Access > Traffic Log to view the log information. For any web traffic, the source interface becomes ssl.root, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.

SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users

Problem
You want remote users to be able to securely access head office internal network servers and browse the Internet through the head office firewall.

[Diagram: a remote SSL VPN user (10.212.134.200) logs in through the wan1 interface (172.20.120.136) of the head office FortiGate unit, reaching the head office server (192.168.1.120) on the internal network and browsing the Internet through the head office unit.]

Solution
This solution describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site. Using split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user's PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

Creating a firewall address for the head office server

1 Go to Firewall Objects > Address > Address and select Create New and add the head office server address:
  Address Name:        Head office server
  Type:                Subnet / IP Range
  Subnet / IP Range:   192.168.1.120
  Interface:           Internal
2 Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

1 Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table.
2 Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
3 Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
  Name:              Connect to head office server
  IP Mode:           User Group
  IP Pools:          SSLVPN_TUNNEL_ADDR1
  Split Tunneling:   Enable
4 Select OK.

Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

1 Go to User > User > User, select Create New and add the user:
  User Name:   twhite
  Password:    password
2 Select OK.
3 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:
  Name:                    Tunnel
  Type:                    Firewall
  Allow SSL-VPN Access:    tunnel-access
  Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy.
4 Move twhite to the Members list.
5 Select OK.

Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

1 Go to Router > Static > Static and select Create New to add the static route:
  Destination IP/Mask:   10.212.134.0/255.255.255.0
  Device:                ssl.root
  The Destination IP/Mask matches the network address of the remote SSL VPN user.
2 Select OK.

Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
  Source Interface/Zone:        wan1
  Source Address:               all
  Destination Interface/Zone:   internal
  Destination Address:          Head office server
  Action:                       SSL-VPN
2 Select Configure SSL-VPN Users and select Add to add an authentication rule for the remote user:
  Selected User Groups:   Tunnel
  Selected Services:      ANY
  Schedule:               always
  If the Tunnel user group does not appear in the User Group list, ensure you select the SSL VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy.

3 Select OK.
4 Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
  Source Interface/Zone:        ssl.root
  Source Address:               all
  Destination Interface/Zone:   wan1
  Destination Address:          all
  Schedule:                     always
  Service:                      ANY
  Action:                       ACCEPT
5 Select OK.

Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:10443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN.

From the web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Go to Log&Report > Log & Archive Access > Traffic Log to view the log information. For any web traffic, the source interface becomes ssl.root, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.
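The tunnel-mode and split-tunnel recipes above only work when three pieces agree: the static route on ssl.root must cover the IP pool, the SSL-VPN policy on wan1 must carry a user group, and tunnel users need an ACCEPT policy towards wan1 (with NAT in the tunnel-mode recipe). The following Python check is an added example, not Fortinet code: it models those settings as a dictionary and reports inconsistencies. The pool subnet (10.212.134.0/24), the internal network (192.168.1.0/24) and the split-tunnel route are assumptions chosen to match the page's values.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the cookbook settings. The pool subnet, internal
# network and split-tunnel route are assumptions (the page only names
# SSLVPN_TUNNEL_ADDR1 and the 10.212.134.0/255.255.255.0 static route).
TUNNEL_CONFIG = {
    "ip_pool": "10.212.134.0/24",
    "internal_net": "192.168.1.0/24",
    "static_routes": [{"dst": "10.212.134.0/255.255.255.0", "device": "ssl.root"}],
    "policies": [
        {"srcintf": "wan1", "dstintf": "internal", "action": "SSL-VPN", "groups": ["Tunnel"]},
        {"srcintf": "ssl.root", "dstintf": "wan1", "action": "ACCEPT", "nat": True},
    ],
    "split_tunneling": {"enabled": True, "routes": ["192.168.1.120/32"]},
}


def net(text):
    """Parse 'a.b.c.d/prefix' or 'a.b.c.d/netmask' (FortiGate style) into a network."""
    return ipaddress.ip_network(text, strict=False)


def check_tunnel_config(cfg):
    """Return a list of findings; an empty list means the routing and policy
    pieces of the recipe are all present and consistent with each other."""
    findings = []
    pool, internal = net(cfg["ip_pool"]), net(cfg["internal_net"])
    if pool.overlaps(internal):
        findings.append(f"IP pool {pool} overlaps internal network {internal}")
    # 1. Return traffic for tunnel clients must be routed into ssl.root.
    if not any(r["device"] == "ssl.root" and net(r["dst"]).supernet_of(pool)
               for r in cfg["static_routes"]):
        findings.append(f"no static route on ssl.root covers IP pool {pool}")
    # 2. The SSL-VPN policy on wan1 must carry an authentication rule (user group).
    sslvpn = [p for p in cfg["policies"] if p["srcintf"] == "wan1" and p["action"] == "SSL-VPN"]
    if not any(p.get("groups") for p in sslvpn):
        findings.append("SSL-VPN policy from wan1 has no user group configured")
    # 3. Internet access from the tunnel needs ssl.root -> wan1 ACCEPT, with NAT.
    egress = [p for p in cfg["policies"]
              if p["srcintf"] == "ssl.root" and p["dstintf"] == "wan1" and p["action"] == "ACCEPT"]
    if not egress:
        findings.append("no ACCEPT policy from ssl.root to wan1")
    elif not any(p.get("nat") for p in egress):
        findings.append("ssl.root -> wan1 policy does not enable NAT")
    # 4. Split tunneling should only route head office destinations, not everything.
    split = cfg.get("split_tunneling", {})
    if split.get("enabled"):
        for r in split.get("routes", []):
            if net(r).prefixlen == 0:
                findings.append("split tunnel route 0.0.0.0/0 sends all traffic through the tunnel")
            elif not internal.supernet_of(net(r)):
                findings.append(f"split tunnel route {r} is outside internal network {internal}")
    return findings


def without_static_route(cfg):
    """Copy of cfg with the ssl.root route removed, to show the check firing."""
    broken = deepcopy(cfg)
    broken["static_routes"] = []
    return broken
```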

Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN

Problem
Before a remote SSL VPN user logs into the network, you want to be sure that they have approved antivirus software installed on their computers.

[Diagram: a remote SSL VPN user connects through the FortiGate unit to a server on the internal network.]

Solution
Use SSL VPN host checking. When the remote client attempts to log in to the VPN network, the FortiGate unit uses the host check information to verify that the approved antivirus software is installed on the client computer. Only clients that meet the requirements are permitted to log on.

1 Go to VPN > SSL > Portal. Edit a portal and select Settings.
2 Select Security Control and select the following:
  Host Check:   Custom
  Policy:       Select the names of one or more antivirus software packages from the FortiGate AV software database. You can select multiple options.
  If your company does not require a standard AV software on remote computers, you can set Custom to the AV option, in which case the FortiGate unit will check for any AV software from its SSL VPN antivirus software database.

3 Select OK twice to save the portal configuration changes.

To make sure that SSL logs appear in the event log, go to Log&Report > Log Config > Log Setting. Enable Event Logging and select SSL VPN user authentication event and SSL VPN session event.

Results
When a remote user connects to the SSL VPN tunnel, the FortiGate unit verifies that the approved antivirus software is installed on the remote user's device. If it is, the user can log in. If the approved antivirus software is not installed, the remote user sees an error message.

From the FortiGate web-based manager go to Log&Report > Event Log to see the tunnel message in the Action column, which indicates the user attempting to connect. Select the log entry to view the detailed information. The Reason row indicates that the host check failed.