Additional configuration options
Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.
Routing in tunnel mode
If you are creating an SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.
To add the tunnel mode route - GUI:
- Go to Network > Static Routes and select Create New.
- Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
- Select the SSL VPN virtual interface for the Device.
- Select OK.
To add the tunnel mode route - CLI:
If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:
config router static
edit <id>
set device ssl.root
set dst 10.11.254.0/24
end
Changing the port number for web portal connections
You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:
https://<FortiGate_IP_address>:443/remote/login
where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.
To change the SSL VPN port - GUI:
- If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
- Go to VPN > SSL-VPN Settings.
- Type an unused port number in the Listen on Port field and select Apply.
To change the SSL VPN port - CLI:
This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:
config vpn ssl settings
set port 10443
end
HTTP to HTTPS redirect support
The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.
There are two likely scenarios for this:
- SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
- SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.
If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.
This can also be configured in the CLI as described below:
To redirect HTTP to HTTPS port - CLI:
config vpn ssl settings
set https-redirect [enable | disable] (Default is disabled)
end
SSL offloading
To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.
The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.
Host check
When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Configuring SSL VPN web portals.
The Host Check list includes default entries for many security software products.
Host integrity checking is only possible with client computers running Microsoft Windows platforms.
Host Check is only applicable for SSL VPN tunnel mode.
To configure host checking - CLI:
To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:
config vpn ssl web portal
edit full-access
set host-check av-fw
end
To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:
config vpn ssl web portal
edit full-access
set host-check custom
set host-check-policy FortiClient-AV FortiClient-FW
end
Replacing the host check error message
You can add your own host security check error message using either the GUI or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”
To replace the host check error message - GUI:
- Navigate to System > Replacement Messages and select Extended View in the upper right corner.
- Scroll down to SSL VPN and select Hostcheck Error Message.
- Edit the text in the right-hand column below and select Save.
If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.
To replace the host check error message - CLI:
Configure the host check error message using the following command.
config system replacemsg sslvpn hostcheck-error
Creating a custom host check list
You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:
config vpn ssl web host-check-software
edit <software_name>
set guid <guid_value>
set type <av | fw>
set version <version_number>
end
If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_CLASSES_ROOT section.
To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.
Example Tunnel Mode Host Check - Registry Key Check
- Check to see if a required registry key is present:
config vpn ssl web host-check-software
edit <computer_name>
config check-item-list
edit 1
set target "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName:ComputerName=WINXP32SP3B62"
set type registry <<<-----
next
end
next
end
Example Tunnel Mode Host Check - Application Running Check
- Check to see if a required application is installed and/or running:
config vpn ssl web host-check-software
edit "calc"
config check-item-list
edit 1
set target "calc.exe"
set type process <<<-----
next
end
next
end
Example Tunnel Mode Host Check - File Check
- Check to see if a specific file exists at a specific location:
config vpn ssl web host-check-software
edit "putty"
config check-item-list
edit 1
set target "C:\\software\\putty.txt"
set md5s <ENC>
next
end
next
end
Mac OS host check
This feature provides the host check function for Mac OS to SSL VPN. The following Mac OS hosts can be allowed, denied, or checked:
- macos-high-sierra-10.13
- macos-sierra-10.12
- os-x-el-capitan-10.11
- os-x-yosemite-10.10
- os-x-mavericks-10.9
The os-type option is available under vpn ssl web host-check-software; if os-type is macos, then type, version and guid are hidden. Furthermore, type in check-item-list can only be set to file or process.
SSL VPN Host check support is currently not planned for iOS or Android.
To configure Mac OS host check - CLI:
config vpn ssl web portal
edit <name>
set os-check enable
config os-check-list macos-high-sierra-10.13
set action {allow | deny | check-up-to-date}
set tolerance <value>
set latest-patch-level <value>
end
next
end
config vpn ssl web host-check-software
edit <name>
set os-type macos
config check-item-list
edit <name>
set type process
set target "calc.exe"
next
end
...
next
end
Configuring client OS Check
The SSL VPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista, Windows 7, or Windows 10 operating system. You can configure the OS Check to do any of the following:
- Allow the client access.
- Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
- Deny the client access.
The OS Check has no effect on clients running other operating systems.
The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.
To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. For example, if latest-patch-level is 3 and tolerance is 1, then 2 is the lowest acceptable patch level.
To configure OS Check:
OS Check is configurable only in the CLI.
config vpn ssl web portal
edit <portal_name>
set os-check enable
config os-check-list [windows-2000 | windows-xp | windows-vista | windows-7 | windows-10]
set action [allow | check-up-to-date | deny]
set latest-patch-level [disable | 0 - 255]
set tolerance <tolerance_num>
end
end
Host check for Windows firewall
The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.
If Windows firewall is on, the following registry value will be set to 1:
- KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- ValueName: EnableFirewall
In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:
config vpn ssl web host-check-software
edit "Microsoft-Windows-Firewall"
config check-item-list
edit 1
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1"
set type registry
next
edit 2
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1"
set type registry
next
edit 3
set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile:EnableFirewall==1"
set type registry
next
end
set type fw
next
end
Then reference the new software entry from the portal's custom host check:
config vpn ssl web portal
edit <portal_name>
set host-check custom
set host-check-policy Microsoft-Windows-Firewall
next
end
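The following is an added example, not FortiOS code or output, that models what the host check and OS Check sections above describe: how registry, process and file items in a check-item-list are evaluated against a client, and how the OS Check combines latest-patch-level and tolerance. The client snapshot, the assumption that every item in a software entry must pass, and the rule that a file item without md5s only needs the file to exist are all constructions for the example.

```python
"""Host-check evaluation, as an added example (not FortiOS code).

Models how the check-item-list targets shown on this page (registry,
process and file items) and the OS Check's latest-patch-level/tolerance
rule decide whether a tunnel-mode client passes. The client snapshot is
constructed; it stands in for what the client-side agent reports.
"""
import hashlib

# Constructed client snapshot. Registry paths use the same HKLM\... form as
# the CLI targets (the CLI doubles the backslashes inside its quoted string).
FW_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
CLIENT = {
    "registry": {
        FW_BASE + r"\StandardProfile": {"EnableFirewall": 1},
        FW_BASE + r"\PublicProfile": {"EnableFirewall": 1},
        FW_BASE + r"\DomainProfile": {"EnableFirewall": 0},   # domain-profile firewall off
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName":
            {"ComputerName": "WINXP32SP3B62"},
    },
    "processes": {"explorer.exe", "calc.exe"},
    "files": {r"C:\software\putty.txt": b"constructed file body\n"},
}


def parse_registry_target(target):
    """Split 'KEY:ValueName==expected' (or a single '=') into its three parts."""
    key, _, rest = target.rpartition(":")
    sep = "==" if "==" in rest else "="
    name, expected = rest.split(sep, 1)
    return key, name, expected


def check_item(item, client):
    """Evaluate one check-item-list entry against the client snapshot."""
    kind, target = item["type"], item["target"]
    if kind == "registry":
        key, name, expected = parse_registry_target(target)
        values = client["registry"].get(key, {})
        return name in values and str(values[name]) == expected
    if kind == "process":
        return target.lower() in {p.lower() for p in client["processes"]}
    if kind == "file":
        data = client["files"].get(target)
        if data is None:
            return False
        md5s = item.get("md5s", [])
        # With no md5s configured, presence of the file is enough (assumption).
        return not md5s or hashlib.md5(data).hexdigest() in md5s
    raise ValueError(f"unknown check type {kind!r}")


def failing_items(items, client):
    """Targets of the items that fail; an empty list means the software check passes.
    Assumption: every item in a software entry is required."""
    return [i["target"] for i in items if not check_item(i, client)]


def os_check(action, client_patch_level, latest_patch_level=None, tolerance=0):
    """OS Check decision: allow or deny outright, or require the client's patch
    level to be at least latest-patch-level minus tolerance."""
    if action == "allow":
        return True
    if action == "deny":
        return False
    if action != "check-up-to-date":
        raise ValueError(f"unknown action {action!r}")
    return client_patch_level >= latest_patch_level - tolerance


# The software entries from this page, expressed as data.
WINDOWS_FIREWALL = [
    {"type": "registry", "target": FW_BASE + r"\StandardProfile:EnableFirewall==1"},
    {"type": "registry", "target": FW_BASE + r"\PublicProfile:EnableFirewall==1"},
    {"type": "registry", "target": FW_BASE + r"\DomainProfile:EnableFirewall==1"},
]
CALC_RUNNING = [{"type": "process", "target": "calc.exe"}]
# In practice the md5 list comes from the known-good copy of the file; here it is
# derived from the constructed snapshot so the example runs offline.
PUTTY_FILE = [{"type": "file", "target": r"C:\software\putty.txt",
               "md5s": [hashlib.md5(CLIENT["files"][r"C:\software\putty.txt"]).hexdigest()]}]
COMPUTER_NAME = [{"type": "registry",
                  "target": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName:ComputerName=WINXP32SP3B62"}]

if __name__ == "__main__":
    for name, items in [("Microsoft-Windows-Firewall", WINDOWS_FIREWALL), ("calc", CALC_RUNNING),
                        ("putty", PUTTY_FILE), ("computer-name", COMPUTER_NAME)]:
        failed = failing_items(items, CLIENT)
        print(name, "FAIL" if failed else "ok", failed)
    print("patch level 2 with latest 3 / tolerance 1:", os_check("check-up-to-date", 2, 3, 1))
```

With the constructed snapshot the Windows firewall entry fails on the DomainProfile item only, which is the practical point of listing all three profiles: a client whose domain profile has the firewall off is refused even though its standard and public profiles pass.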
Adding WINS and DNS services for clients
You can specify the WINS or DNS servers that are made available to SSL-VPN clients.
DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.
A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.
To specify WINS and DNS services for clients - GUI:
- Go to VPN > SSL-VPN Settings.
- Next to DNS Server select Specify.
- Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
- Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
- Select Apply.
To specify WINS and DNS services for clients - CLI:
config vpn ssl settings
set dns-server1 <address_ipv4>
set dns-server2 <address_ipv4>
set wins-server1 <address_ipv4>
set wins-server2 <address_ipv4>
end
Idle timeout
The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.
To set the idle timeout - GUI:
- Go to VPN > SSL-VPN Settings and enable Idle Logout.
- In the Inactive For field, enter the timeout value.
- Select Apply.
The valid range is from 10 to 28800 seconds.
To set the idle timeout - CLI:
config vpn ssl settings
set idle-timeout <seconds_int>
end
Login timeout
With long network latency, the FortiGate can time out the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.
CLI syntax
config vpn ssl settings
set login-timeout [10-180] Default is 30 seconds.
set dtls-hello-timeout [10-60] Default is 10 seconds.
end
Login failure limit
The following CLI allows the administrator to configure the number of times wrong credentials are allowed before the SSL VPN server blocks an IP address, and also how long the block would last.
CLI syntax
config vpn ssl settings
set login-attempt-limit [0-10] Default is 2.
set login-block-time [0-86400] Default is 60 seconds.
end
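The following is an added example, not FortiOS code, that models the login-attempt-limit and login-block-time behaviour described above: after the configured number of wrong credentials from one source IP, further logins from that IP are refused until the block time elapses. The event sequence is constructed, and two points the page does not state are taken as assumptions: a limit of 0 disables blocking, and a successful login clears the failure count.

```python
"""Login failure limiter, as an added example (not FortiOS code).

Models the login-attempt-limit / login-block-time behaviour described on
this page. The clock is injectable so the block expiry can be replayed
deterministically. Assumptions: a limit of 0 disables blocking, and a
successful login clears the failure count.
"""
import time
from collections import defaultdict


class LoginFailureLimiter:
    def __init__(self, attempt_limit=2, block_time=60, clock=time.monotonic):
        self.attempt_limit = attempt_limit   # 0-10 on the page; default 2
        self.block_time = block_time         # seconds; default 60
        self.clock = clock
        self.failures = defaultdict(int)     # source IP -> consecutive failures
        self.blocked_until = {}              # source IP -> expiry timestamp

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:            # block expired: forget the IP
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record(self, ip, success):
        """Record one authentication outcome for ip.
        Returns True when the attempt is (or has just become) blocked."""
        if self.is_blocked(ip):
            return True
        if success:
            self.failures.pop(ip, None)
            return False
        if self.attempt_limit == 0:          # limit disabled (assumption)
            return False
        self.failures[ip] += 1
        if self.failures[ip] >= self.attempt_limit:
            self.blocked_until[ip] = self.clock() + self.block_time
            return True
        return False


def replay(events, attempt_limit=2, block_time=60):
    """Replay constructed (timestamp, ip, success) events against a fake clock
    and return, per event, whether the limiter blocked it."""
    now = [0.0]
    limiter = LoginFailureLimiter(attempt_limit, block_time, clock=lambda: now[0])
    verdicts = []
    for ts, ip, success in events:
        now[0] = ts
        verdicts.append(limiter.record(ip, success))
    return verdicts


# Constructed sequence: two failures from one IP, then a correct password
# during the block, then a retry after the block has expired.
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False),
    (1, "203.0.113.10", False),
    (2, "203.0.113.10", True),
    (30, "203.0.113.10", True),
    (61, "203.0.113.10", False),
    (62, "198.51.100.7", False),
]

if __name__ == "__main__":
    for (ts, ip, ok), blocked in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        outcome = "success" if ok else "failure"
        print(f"t={ts:>3}s {ip:<14} {outcome} -> {'BLOCKED' if blocked else 'processed'}")
```

Note that a correct password presented during the block window is still refused; that is what makes the setting a rate limit on the source IP rather than on the account.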
SSL VPN logs
Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity.
To enable logging of SSL VPN events - GUI:
- Go to Log & Report > Log Settings.
- Enable Event Logging, and select VPN activity event.
- Select Apply.
To view the SSL VPN log data, in the GUI, go to Log & Report and select either the Event Log or Traffic Log.
In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.
For information about how to interpret log messages, see the FortiGate Log Message Reference.
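The following is an added example, not FortiOS code or real FortiGate output, showing one way to triage the event log entries the section above points at: it parses key=value log lines, keeps the sslvpn-user and sslvpn-session sub-types, and summarises failed logins and the usernames tried per remote IP. The sample lines are constructed, and the field names relied on (subtype, action, user, remip, tunnelip) are assumptions rather than a guaranteed FortiOS log schema; check them against the FortiGate Log Message Reference for your release.

```python
"""SSL VPN event-log triage, as an added example (not FortiOS code).

Parses key=value event-log lines of the kind FortiOS writes, keeps the
sslvpn-user and sslvpn-session sub-types this page tells you to look for,
and summarises failed logins per remote IP. Sample lines are constructed;
the field names used are assumptions, not a guaranteed schema.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not captured from a FortiGate).
SAMPLE_LOG = """\
date=2020-01-15 time=08:01:02 type="event" subtype="sslvpn-user" action="ssl-login-fail" user="alice" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2020-01-15 time=08:01:09 type="event" subtype="sslvpn-user" action="ssl-login-fail" user="alice" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2020-01-15 time=08:01:15 type="event" subtype="sslvpn-user" action="ssl-login-fail" user="admin" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2020-01-15 time=08:02:00 type="event" subtype="sslvpn-user" action="ssl-login-success" user="bob" remip=198.51.100.7
date=2020-01-15 time=08:02:01 type="event" subtype="sslvpn-session" action="tunnel-up" user="bob" remip=198.51.100.7 tunnelip=10.11.254.5
date=2020-01-15 time=08:05:00 type="event" subtype="system" action="login" user="admin" ui="https(192.0.2.1)"
"""

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict; quoted and bare values are both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def sslvpn_events(text):
    """Only the SSL VPN sub-types, as parsed records."""
    records = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r.get("subtype") in ("sslvpn-user", "sslvpn-session")]


def failed_logins_by_ip(text, threshold=1):
    """Remote IPs with at least `threshold` failed SSL VPN logins."""
    counts = Counter(r["remip"] for r in sslvpn_events(text)
                     if r.get("action") == "ssl-login-fail")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def usernames_tried_by_ip(text):
    """Distinct usernames each remote IP failed with; many names from one IP
    is the shape a password-spraying attempt leaves in the log."""
    tried = defaultdict(set)
    for r in sslvpn_events(text):
        if r.get("action") == "ssl-login-fail":
            tried[r["remip"]].add(r["user"])
    return dict(tried)


def tunnels_up(text):
    """user -> assigned tunnel IP for each tunnel-up session event."""
    return {r["user"]: r["tunnelip"] for r in sslvpn_events(text)
            if r.get("action") == "tunnel-up"}


if __name__ == "__main__":
    print("failed logins:", failed_logins_by_ip(SAMPLE_LOG, threshold=2))
    print("usernames tried:", usernames_tried_by_ip(SAMPLE_LOG))
    print("tunnels up:", tunnels_up(SAMPLE_LOG))
```

The tunnel IP reported in the tunnel-up record is the address from the range configured under Routing in tunnel mode, which is what lets you correlate a traffic-log entry back to the remote user.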
Monitoring active SSL VPN sessions
You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.
To monitor SSL VPNs - GUI:
To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.
When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.
If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.
Importing and using a CA-signed SSL certificate
Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.
Import the signed certificate into your FortiGate device
- Unzip the file downloaded from the CA. There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.
- Log in to your FortiGate unit and browse to System > Certificates.
- Select Create New > Local Certificate to import the local certificate. The status of the certificate will change from PENDING to OK.
- Import the CA certificate by selecting Import > CA Certificate. It will be listed in the CA Certificates section of the certificates list.
You can now configure SSL VPN using the signed certificate.
Configure your FortiGate device to use the signed certificate
- Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
- In the Connection Settings section, locate the Server Certificate field.
- Select the new certificate from the drop-down menu.
- Select Apply to configure SSL VPN to use the new certificate.
Implement post-authentication CSRF protection in SSL VPN web mode
The check-referer attribute enables or disables verification of the Referer field in the HTTP request header, in order to prevent Cross-Site Request Forgery (CSRF) attacks against the web portal after the user has authenticated.
CLI Syntax
config vpn ssl settings
set check-referer [enable|disable]
end
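The following is an added example, not FortiOS code, of the check that check-referer stands for: a request to the web portal is accepted only when its Referer header names the portal's own origin (scheme, host and port). The portal origin and the request headers are constructed; the page does not say how FortiOS handles a request that carries no Referer at all, so that case is a parameter here rather than a claim about the product.

```python
"""Referer-based CSRF check, as an added example (not FortiOS code).

Models what the check-referer option on this page enforces: a request to
the web portal is accepted only when its Referer header has the portal's
own origin. The portal origin and headers are constructed. Behaviour for a
missing Referer is a parameter because the page does not specify it.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """(scheme, host, port) with the scheme's default port filled in,
    or None for a relative or malformed URL (which has no origin)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        return None
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme)


def referer_allowed(headers, portal_origin, allow_missing=False):
    """True if the request's Referer has exactly the portal's origin.
    Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return allow_missing              # header absent or empty
    got = origin_of(referer)
    return got is not None and got == origin_of(portal_origin)


PORTAL = "https://vpn.example.com:10443"   # constructed; uses the 10443 port from this page

if __name__ == "__main__":
    for hdrs in [{"Referer": PORTAL + "/remote/portal"},
                 {"Referer": "https://other.example/form.html"},
                 {"Referer": "https://vpn.example.com.other.example/"},
                 {}]:
        print(hdrs.get("Referer", "<none>"), "->", referer_allowed(hdrs, PORTAL))
```

Two details matter in practice: the host comparison is exact, so a lookalike such as vpn.example.com.other.example is rejected, and browsers or proxies that strip the Referer header will cause legitimate portal requests to fail when the check is enabled, which is why the absent-header case deserves a deliberate decision.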
DTLS support
The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It can also be used to improve upload/download throughput. It is similar to the Transport Layer Security (TLS) protocol.
DTLS support can be enabled in the CLI as described below.
CLI Syntax
config vpn ssl settings
set dtls-tunnel [enable | disable] (default: enabled)
end
Allow firewall address to be used in routing table for SSL VPN
If destination Named Address is set in Network > Static Routes and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.
To view the routes in the routing table, go to Monitor > Routing Monitor.
WAN link load balancing
You can set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then having outbound traffic load balanced by WAN link load balancing.
CLI syntax
config firewall policy
edit <example>
set dstintf virtual-wan-link
end