Handbook

6.0.0

Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode

If you are creating an SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route - GUI:
  1. Go to Network > Static Routes and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.
To add the tunnel mode route - CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://<FortiGate_IP_address>:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port - GUI:
  1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
  2. Go to VPN > SSL-VPN Settings.
  3. Type an unused port number in the Listen on Port field and select Apply.
To change the SSL VPN port - CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings
    set port 10443
end

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

To redirect HTTP to HTTPS port - CLI:

config vpn ssl settings
    set https-redirect [enable | disable]    (Default is disabled.)
end

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Configuring SSL VPN web portals.

The Host Check list includes default entries for many security software products.

Host integrity checking is only possible with client computers running Microsoft Windows platforms.

Host Check is only applicable for SSL VPN tunnel mode.

To configure host checking - CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check av-fw
    next
end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal
    edit full-access
        set host-check custom
        set host-check-policy FortiClient-AV FortiClient-FW
    next
end

Replacing the host check error message

You can add your own host security check error message using either the GUI or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”

To replace the host check error message - GUI:
  1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.
    If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.
To replace the host check error message - CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error
    set buffer "<new_message_text>"
end

The replacement text is stored in the buffer attribute of the hostcheck-error message.

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software
    edit <software_name>
        set guid <guid_value>
        set type <av | fw>
        set version <version_number>
    next
end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Example Tunnel Mode Host Check - Registry Key Check
  • Check to see if a required registry key is present:

config vpn ssl web host-check-software
    edit <computer_name>
        config check-item-list
            edit 1
                set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName=WINXP32SP3B62"
                set type registry
            next
        end
    next
end

Example Tunnel Mode Host Check - Application Running Check
  • Check to see if a required application is installed and/or running:

config vpn ssl web host-check-software
    edit "calc"
        config check-item-list
            edit 1
                set target "calc.exe"
                set type process
            next
        end
    next
end

Example Tunnel Mode Host Check - File Check
  • Check to see if a specific file exists at a specific location:

config vpn ssl web host-check-software
    edit "putty"
        config check-item-list
            edit 1
                set target "C:\\software\\putty.txt"
                set type file
                set md5s <ENC>
            next
        end
    next
end

Mac OS host check

This feature extends the SSL VPN host check function to Mac OS clients. The following Mac OS versions can be allowed, denied, or checked:

  • macos-high-sierra-10.13
  • macos-sierra-10.12
  • os-x-el-capitan-10.11
  • os-x-yosemite-10.10
  • os-x-mavericks-10.9

The os-type option is available under vpn ssl web host-check-software; if os-type is macos, then type, version and guid are hidden. Furthermore, type in check-item-list can only be set to file or process.

SSL VPN Host check support is currently not planned for iOS or Android.

To configure Mac OS host check - CLI:

config vpn ssl web portal
    edit <name>
        set os-check enable
        config os-check-list macos-high-sierra-10.13
            set action {allow | deny | check-up-to-date}
            set tolerance <value>
            set latest-patch-level <value>
        end
    next
end

config vpn ssl web host-check-software
    edit <name>
        set os-type macos
        config check-item-list
            edit <name>
                set type process
                set target "calc.exe"
            next
        end
        ...
    next
end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista, Windows 7, or Windows 10 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. For example, if latest-patch-level is 3 and tolerance is 1, then 2 is the lowest acceptable patch level.

To configure OS Check:

OS Check is configurable only in the CLI.

config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list [windows-2000 | windows-xp | windows-vista | windows-7 | windows-10]
            set action [allow | check-up-to-date | deny]
            set latest-patch-level [disable | 0 - 255]
            set tolerance <tolerance_num>
        end
    next
end
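The decision the OS Check makes from an os-check-list entry (allow, deny, or check-up-to-date with the latest-patch-level minus tolerance rule) can be written out as a small policy function. The following Python is an added example, not FortiOS code: the rules come from the text above, the client OS name and patch level are constructed inputs standing in for what FortiOS learns when the user connects, and the handling of check-up-to-date with latest-patch-level disabled (treated as no patch requirement) is an assumption the page does not state.

```python
"""Model the SSL VPN OS Check decision (added example, not Fortinet code).

The os-check-list actions and the latest-patch-level / tolerance arithmetic
come from the documentation; the client OS name and patch level are constructed
inputs standing in for what FortiOS learns when the user connects.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class OsCheckEntry:
    action: str                               # "allow", "deny" or "check-up-to-date"
    latest_patch_level: Optional[int] = None  # None models 'set latest-patch-level disable'
    tolerance: int = 0


def lowest_acceptable_patch(entry: OsCheckEntry) -> Optional[int]:
    """latest-patch-level minus tolerance, floored at 0 (the configurable range is 0-255)."""
    if entry.latest_patch_level is None:
        return None
    return max(0, entry.latest_patch_level - entry.tolerance)


def os_check_decision(os_check_list: Dict[str, OsCheckEntry],
                      client_os: str, client_patch: int) -> str:
    """Return 'allow' or 'deny' for a connecting client.

    From the page: an OS with no entry is unaffected; 'allow' and 'deny' apply
    unconditionally; 'check-up-to-date' denies a patch level below
    latest-patch-level minus tolerance. Assumption (not on the page): with
    check-up-to-date and latest-patch-level disabled, no requirement applies.
    """
    entry = os_check_list.get(client_os)
    if entry is None:
        return "allow"
    if entry.action in ("allow", "deny"):
        return entry.action
    if entry.action != "check-up-to-date":
        raise ValueError("unknown action %r" % entry.action)
    minimum = lowest_acceptable_patch(entry)
    if minimum is None or client_patch >= minimum:
        return "allow"
    return "deny"


# Constructed portal policy: the page's worked numbers (latest-patch-level 3,
# tolerance 1) for Windows 7, plus unconditional entries for two other versions.
SAMPLE_OS_CHECK_LIST = {
    "windows-7": OsCheckEntry("check-up-to-date", latest_patch_level=3, tolerance=1),
    "windows-xp": OsCheckEntry("deny"),
    "windows-10": OsCheckEntry("allow"),
}

if __name__ == "__main__":
    for os_name, patch in (("windows-7", 3), ("windows-7", 2), ("windows-7", 1),
                           ("windows-xp", 3), ("windows-10", 0), ("macos-sierra-10.12", 0)):
        print(os_name, "patch", patch, "->",
              os_check_decision(SAMPLE_OS_CHECK_LIST, os_name, patch))
```

Running the block prints the outcome for each constructed client; note that a Windows 7 client at service pack 1 is denied while one at service pack 2 passes, which is exactly the 3 minus 1 arithmetic from the text.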

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

  • KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software
    edit "Microsoft-Windows-Firewall"
        config check-item-list
            edit 1
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
                set type registry
            next
            edit 2
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
                set type registry
            next
            edit 3
                set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
                set type registry
            next
        end
        set type fw
    next
end

Then select the new entry as the custom host check in the web portal:

config vpn ssl web portal
    edit <portal_name>
        set host-check custom
        set host-check-policy Microsoft-Windows-Firewall
    next
end
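The registry, process and file checks in the tunnel mode host check examples above, and the Windows firewall registry check just shown, all come down to matching a check-item-list against what the client reports. The following Python is an added example, not Fortinet code, that makes that matching explicit: it parses the <hive>\<path>:<ValueName>==<data> target form (accepting the single = form used in the registry key example and the bare value name for an existence check) and evaluates registry, process and file (with MD5) items against a constructed client snapshot. The ClientSnapshot type, the sample registry data and the file contents are constructed for this example, and the rule that every item must pass for an entry to count is an assumption, since the page does not state how FortiOS combines items.

```python
"""Evaluate SSL VPN host-check items against a snapshot of a client.

Added example, not Fortinet code. It models the three check-item types used in
the documentation examples (registry, process, file) and the 'key:ValueName==data'
target syntax of the Windows firewall entry. ClientSnapshot and all sample
data are constructed; a real FortiGate gets this information from the endpoint.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# Short hive names accepted in 'set target', mapped to their full names.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT"}


@dataclass(frozen=True)
class CheckItem:
    type: str                   # "registry", "process" or "file"
    target: str                 # 'set target' value after CLI unescaping (single backslashes)
    md5s: Tuple[str, ...] = ()  # accepted MD5 digests for a file check; empty = existence only


@dataclass
class ClientSnapshot:
    """Constructed stand-in for what the endpoint reports."""
    registry: Dict[Tuple[str, str], Dict[str, object]] = field(default_factory=dict)  # (hive, lower-cased path) -> {name: data}
    processes: Set[str] = field(default_factory=set)       # running image names, lower-cased
    files: Dict[str, bytes] = field(default_factory=dict)  # path -> contents


def parse_registry_target(target: str) -> Tuple[str, str, str, Optional[str]]:
    """Split 'HIVE\\path:ValueName==data' (also '=data', or no data at all) into
    (hive, path, value_name, expected_data); expected_data is None when the item
    only requires the value to exist."""
    key, sep, rest = target.partition(":")
    if not sep or not rest:
        raise ValueError("registry target must look like <hive>\\<path>:<value>[==<data>]")
    m = re.fullmatch(r"([^=]+)(?:==?(.*))?", rest)
    if m is None:
        raise ValueError("malformed value part: %r" % rest)
    hive, _, path = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive, path, m.group(1), m.group(2)


def check_item_passes(item: CheckItem, snap: ClientSnapshot) -> bool:
    """True when a single check item is satisfied by the snapshot."""
    if item.type == "registry":
        hive, path, name, expected = parse_registry_target(item.target)
        values = snap.registry.get((hive, path.lower()), {})
        if name not in values:
            return False
        return expected is None or str(values[name]) == expected
    if item.type == "process":
        return item.target.lower() in snap.processes
    if item.type == "file":
        data = snap.files.get(item.target)
        if data is None:
            return False
        return not item.md5s or hashlib.md5(data).hexdigest() in item.md5s
    raise ValueError("unknown check-item type %r" % item.type)


def software_present(items: Iterable[CheckItem], snap: ClientSnapshot) -> bool:
    """Assumption (the page does not say how items combine): an entry is
    satisfied only when every item in its check-item-list passes."""
    return all(check_item_passes(item, snap) for item in items)


# --- constructed sample data: Domain profile firewall switched off ----------
FW_POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SAMPLE_CLIENT = ClientSnapshot(
    registry={
        ("HKEY_LOCAL_MACHINE", (FW_POLICY + r"\StandardProfile").lower()): {"EnableFirewall": 1},
        ("HKEY_LOCAL_MACHINE", (FW_POLICY + r"\PublicProfile").lower()): {"EnableFirewall": 1},
        ("HKEY_LOCAL_MACHINE", (FW_POLICY + r"\DomainProfile").lower()): {"EnableFirewall": 0},
    },
    processes={"calc.exe", "explorer.exe"},
    files={r"C:\software\putty.txt": b"constructed file contents\n"},
)
PUTTY_MD5 = hashlib.md5(SAMPLE_CLIENT.files[r"C:\software\putty.txt"]).hexdigest()

# The three registry items of the Microsoft-Windows-Firewall entry, plus the
# process and file entries from the tunnel mode examples.
WINDOWS_FIREWALL_ITEMS = [
    CheckItem("registry", "HKLM\\%s\\%s:EnableFirewall==1" % (FW_POLICY, profile))
    for profile in ("StandardProfile", "PublicProfile", "DomainProfile")
]
CALC_ITEMS = [CheckItem("process", "calc.exe")]
PUTTY_ITEMS = [CheckItem("file", r"C:\software\putty.txt", (PUTTY_MD5,))]

if __name__ == "__main__":
    for name, items in (("Microsoft-Windows-Firewall", WINDOWS_FIREWALL_ITEMS),
                        ("calc", CALC_ITEMS), ("putty", PUTTY_ITEMS)):
        print(name, "ok" if software_present(items, SAMPLE_CLIENT) else "FAILED")
```

With the constructed snapshot the firewall entry fails because the Domain profile value is 0 while the other two are 1, which is the case a three-item registry check is meant to catch; the process and file entries pass. Whether FortiOS itself requires all items or any one of them is not stated on this page, so confirm that behaviour on a test client before relying on a multi-item entry.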

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients - GUI:
  1. Go to VPN > SSL-VPN Settings.
  2. Next to DNS Server select Specify.
  3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  5. Select Apply.
To specify WINS and DNS services for clients - CLI:

config vpn ssl settings
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set wins-server1 <address_ipv4>
    set wins-server2 <address_ipv4>
end

Idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.

To set the idle timeout - GUI:
  1. Go to VPN > SSL-VPN Settings and enable Idle Logout.
  2. In the Inactive For field, enter the timeout value. The valid range is from 10 to 28800 seconds.
  3. Select Apply.
To set the idle timeout - CLI:

config vpn ssl settings
    set idle-timeout <seconds_int>
end

Login timeout

With long network latency, the FortiGate can time out the client before it finishes negotiation steps such as a DNS lookup or entering a token. Two CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard-coded timeout value. The second command sets the maximum SSL VPN DTLS hello timeout.

CLI syntax

config vpn ssl settings
    set login-timeout [10-180]         (Default is 30 seconds.)
    set dtls-hello-timeout [10-60]     (Default is 10 seconds.)
end

Login failure limit

The following CLI allows the administrator to configure the number of times wrong credentials are allowed before the SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings
    set login-attempt-limit [0-10]       (Default is 2.)
    set login-block-time [0-86400]       (Default is 60 seconds.)
end
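To see what these two settings do together, the following Python models a per-source-IP login failure counter with a timed block. It is an added example, not Fortinet code: the page gives only the two settings, their ranges and their defaults, so the counting rules (failures accumulate per IP until a success or a block, the IP is blocked once the count reaches login-attempt-limit, the block lifts after login-block-time seconds, and a limit of 0 is not modelled) are assumptions. The FakeClock and the source address are constructed so the timeline runs offline.

```python
"""Model login-attempt-limit and login-block-time for an SSL VPN listener.

Added example, not Fortinet code. Assumed behaviour (the page states only the
settings and their ranges): failures are counted per source IP until a success
or a block, the IP is blocked once its failure count reaches
login-attempt-limit, and the block lifts login-block-time seconds later.
A limit of 0 is not modelled. The clock is injectable for offline runs.
"""
import time
from typing import Callable, Dict, List


class LoginFailureLimiter:
    def __init__(self, attempt_limit: int = 2, block_time: int = 60,
                 clock: Callable[[], float] = time.monotonic):
        if not 1 <= attempt_limit <= 10 or not 0 <= block_time <= 86400:
            raise ValueError("attempt_limit must be 1-10 and block_time 0-86400 here")
        self.attempt_limit = attempt_limit
        self.block_time = block_time
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # block expired: forget the history
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, credentials_ok: bool) -> str:
        """Process one login attempt and return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip):
            return "blocked"                # credentials are not evaluated at all
        if credentials_ok:
            self._failures.pop(ip, None)    # a success clears the failure count
            return "ok"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= self.attempt_limit:
            self._blocked_until[ip] = self.clock() + self.block_time
        return "failed"


class FakeClock:
    """Constructed clock so the timeline below is deterministic."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_sample_timeline() -> List[str]:
    """Page defaults (limit 2, block 60 s) against a constructed source address."""
    clock = FakeClock()
    limiter = LoginFailureLimiter(attempt_limit=2, block_time=60, clock=clock)
    ip = "203.0.113.7"  # constructed (TEST-NET-3)
    results = [limiter.attempt(ip, False), limiter.attempt(ip, False)]
    results.append(limiter.attempt(ip, True))   # right password, but already blocked
    clock.advance(59)
    results.append(limiter.attempt(ip, True))   # still inside the block window
    clock.advance(1)
    results.append(limiter.attempt(ip, True))   # block expired
    return results


if __name__ == "__main__":
    print(run_sample_timeline())
```

The timeline shows the point of the feature: once an address is blocked, even a correct password is refused until login-block-time has elapsed, which is what slows password guessing. It also shows the trade-off of a short block time, since the third try with the correct password succeeds only after the 60 seconds have passed.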

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity.

To enable logging of SSL VPN events - GUI:
  1. Go to Log & Report > Log Settings.
  2. Enable Event Logging, and select VPN activity event.
  3. Select Apply.

To view the SSL VPN log data, in the GUI, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs - GUI:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.

Import the signed certificate into your FortiGate device

  1. Unzip the file downloaded from the CA.
  2. There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.
  3. Log in to your FortiGate unit and browse to System > Certificates.
  4. Select Create New > Local Certificate to import the local certificate.
    The status of the certificate will change from PENDING to OK.
  5. Import the CA certificate by selecting Import > CA Certificate.
  6. It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.

Configure your FortiGate device to use the signed certificate

  1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
  2. In the Connection Settings section, locate the Server Certificate field.
  3. Select the new certificate from the drop-down menu.
  4. Select Apply to configure SSL VPN to use the new certificate.

Implement post-authentication CSRF protection in SSL VPN web mode

This setting enables or disables verification of the Referer field in the HTTP request header, which helps prevent cross-site request forgery (CSRF) attacks against an authenticated web-mode session.

CLI Syntax

config vpn ssl settings
    set check-referer [enable | disable]
end
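The kind of check that check-referer switches on is small enough to show in full. The following Python is an added example, not FortiOS code, of a Referer verification for a post-authentication web-mode request: a request is allowed only when the Referer header is present and its authority (host and port) equals the portal's own. The assumptions are that only the Referer header is consulted, that a missing Referer is rejected while the check is enabled, and that the comparison is made on host:port; the portal name and all request headers are constructed samples.

```python
"""Referer verification of the kind 'set check-referer enable' turns on for
SSL VPN web-mode requests. Added example, not FortiOS code. Assumptions: only
the Referer header is consulted, a request without one is rejected while the
check is enabled, and the comparison is on the host:port of the portal URL.
All headers below are constructed samples.
"""
from typing import Mapping
from urllib.parse import urlsplit


def referer_allowed(headers: Mapping[str, str], portal_netloc: str,
                    check_referer: bool = True) -> bool:
    """Return True when a post-authentication web-mode request may proceed."""
    if not check_referer:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    referer = lowered.get("referer", "")
    if not referer:
        return False
    # Compare the parsed authority, never a string prefix: a Referer of
    # https://vpn.example.com:10443.evil.example/ must not pass.
    return urlsplit(referer).netloc.lower() == portal_netloc.lower()


# Constructed samples; 10443 is the alternative listen port used on this page.
PORTAL = "vpn.example.com:10443"
SAME_SITE = {"Host": PORTAL, "Referer": "https://vpn.example.com:10443/remote/portal"}
CROSS_SITE = {"Host": PORTAL, "Referer": "https://lure.example/page.html"}
LOOKALIKE = {"Host": PORTAL, "Referer": "https://vpn.example.com:10443.evil.example/remote/portal"}
NO_REFERER = {"Host": PORTAL}

if __name__ == "__main__":
    for name, hdrs in (("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                       ("lookalike", LOOKALIKE), ("no referer", NO_REFERER)):
        print(name, "allowed" if referer_allowed(hdrs, PORTAL) else "rejected")
```

Two practical points follow from the example. Browsers under a strict Referrer-Policy send no Referer at all, so those users would be rejected once the check is enabled; test the client population before turning it on. And the comparison must be on the parsed authority, as the lookalike sample shows, since a prefix match on the URL string would accept it.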

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It can also be used to improve upload/download throughput. It is similar to the Transport Layer Security (TLS) protocol.

DTLS support can be enabled in the CLI as described below.

CLI Syntax

config vpn ssl settings
    set dtls-tunnel [enable | disable]    (Default is enabled.)
end

Allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.

WAN link load balancing

You can set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows users to log in to a FortiGate via SSL VPN for traffic inspection and then have their outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf virtual-wan-link
    next
end
