Fortinet black logo

Handbook

SSL VPN with FortiToken two-factor authentication

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:458581
Download PDF

SSL VPN with FortiToken two-factor authentication

This is a sample configuration of SSL VPN that uses FortiToken two-factor authentication (2FA).

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Address and create an address for internal subnet 192.168.1.0.
  2. Register FortiGate for FortiCare Support.

    To add or download a mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    1. Go to Dashboard > Licenses.
    2. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click it and select Register.
  3. Add FortiToken mobile to FortiGate.

    If your FortiGate has FortiToken installed, skip this step.

    1. Go to User & Device > FortiTokens and click Create New.
    2. Select Mobile Token and type in Activation Code.
    3. Every FortiGate has two free mobile tokens. Go to User & Device > FortiTokens and click Import Free Trial Tokens.
  4. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Enter the user's Email Address.
    3. Enable Two-factor Authentication and select one mobile Token from the list,
    4. Enable Send Activation Code and select Email.
    5. Click Next and click Submit.
    6. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  5. Activate the mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.
  6. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
    2. Enable Split Tunneling.
    3. Select Routing Address.
  7. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. For Listen on Interface(s), select wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. In Authentication/Portal MappingAll Other Users/Groups, set the Portal to tunnel-access.
    6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
  8. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example, sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example, port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address.
    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network.
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Register FortiGate for FortiCare Support.

    To add or download a mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    # diagnose forticare direct-registration product-registration -a "your account@xxx.com" -p "your password" -T "Your Country/Region" -R "Your Reseller" -e 1
  4. Add FortiToken mobile to FortiGate.
    1. If your FortiGate has FortiToken installed, skip this step.
      execute fortitoken-mobile import <your FTM code>
    2. Every FortiGate has two free mobile Tokens. You can download the free token.
      execute fortitoken-mobile import 0000-0000-0000-0000-0000
  5. Configure user and user group.
    config user local
        edit "sslvpnuser1"
            set type password
            set two-factor fortitoken
            set fortitoken <select mobile token for the option list>
            set email-to <user's email address>
            set passwd <user's password>
        next
    end
    config user group
        edit "sslvpngroup" 
            set member "sslvpnuser1"
        next 
    end
  6. Activate the mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.
  7. Configure SSL VPN web portal.
    config vpn ssl web portal
        edit "my-split-tunnel-portal"
            set tunnel-mode enable
            set split-tunneling  enable
            set split-tunneling-routing-address "192.168.1.0"
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end
  8. Configure SSL VPN settings.
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "sslvpngroup"
                set portal "my-split-tunnel-portal" 
            next        
        next
    end
  9. Configure one SSL VPN firewall policy to allow remote user to access the internal network.
    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “sslvpngroup”
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To see the results of tunnel connection:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection:
    • Set VPN Type to SSL VPN.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1 credentials.
  7. Enter the token from the FortiToken mobile app when required.

    When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel and traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through the local gateway.

To check the SSL VPN connection using the GUI:
  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User           Auth Type    Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1    1(1)         229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP 
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type    Timeout   From           HTTP in/out  HTTPS in/out
 0       sslvpnuser1   1(1)         291       10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes      Tunnel/Dest IP 
 0       sslvpnuser1   10.1.100.254   9          22099/43228    10.212.134.200

SSL VPN with FortiToken two-factor authentication

This is a sample configuration of SSL VPN that uses FortiToken two-factor authentication (2FA).

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Address and create an address for internal subnet 192.168.1.0.
  2. Register FortiGate for FortiCare Support.

    To add or download a mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    1. Go to Dashboard > Licenses.
    2. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click it and select Register.
  3. Add FortiToken mobile to FortiGate.

    If your FortiGate has FortiToken installed, skip this step.

    1. Go to User & Device > FortiTokens and click Create New.
    2. Select Mobile Token and type in Activation Code.
    3. Every FortiGate has two free mobile tokens. Go to User & Device > FortiTokens and click Import Free Trial Tokens.
  4. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Enter the user's Email Address.
    3. Enable Two-factor Authentication and select one mobile Token from the list,
    4. Enable Send Activation Code and select Email.
    5. Click Next and click Submit.
    6. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  5. Activate the mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.
  6. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
    2. Enable Split Tunneling.
    3. Select Routing Address.
  7. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. For Listen on Interface(s), select wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. In Authentication/Portal MappingAll Other Users/Groups, set the Portal to tunnel-access.
    6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
  8. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example, sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to sslvpngroup.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example, port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address.
    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network.
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Register FortiGate for FortiCare Support.

    To add or download a mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    # diagnose forticare direct-registration product-registration -a "your account@xxx.com" -p "your password" -T "Your Country/Region" -R "Your Reseller" -e 1
  4. Add FortiToken mobile to FortiGate.
    1. If your FortiGate has FortiToken installed, skip this step.
      execute fortitoken-mobile import <your FTM code>
    2. Every FortiGate has two free mobile Tokens. You can download the free token.
      execute fortitoken-mobile import 0000-0000-0000-0000-0000
  5. Configure user and user group.
    config user local
        edit "sslvpnuser1"
            set type password
            set two-factor fortitoken
            set fortitoken <select mobile token for the option list>
            set email-to <user's email address>
            set passwd <user's password>
        next
    end
    config user group
        edit "sslvpngroup" 
            set member "sslvpnuser1"
        next 
    end
  6. Activate the mobile token.
    1. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to install your FortiToken mobile application on your device and activate your token.
  7. Configure SSL VPN web portal.
    config vpn ssl web portal
        edit "my-split-tunnel-portal"
            set tunnel-mode enable
            set split-tunneling  enable
            set split-tunneling-routing-address "192.168.1.0"
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end
  8. Configure SSL VPN settings.
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "sslvpngroup"
                set portal "my-split-tunnel-portal" 
            next        
        next
    end
  9. Configure one SSL VPN firewall policy to allow remote user to access the internal network.
    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “sslvpngroup”
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To see the results of tunnel connection:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection:
    • Set VPN Type to SSL VPN.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the sslvpnuser1 credentials.
  7. Enter the token from the FortiToken mobile app when required.

    When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel and traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through the local gateway.

To check the SSL VPN connection using the GUI:
  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User           Auth Type    Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1    1(1)         229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP 
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type    Timeout   From           HTTP in/out  HTTPS in/out
 0       sslvpnuser1   1(1)         291       10.1.100.254   0/0          0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes      Tunnel/Dest IP 
 0       sslvpnuser1   10.1.100.254   9          22099/43228    10.212.134.200