Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Enhancing IPsec security and performance 7.2.8

    Enhancing IPsec security and performance 7.2.8

    Note

    This information is also available in the FortiOS 7.2 Administration Guide:

    This enhancement brings three new changes to the Internet Key Exchange (IKE) protocol. These changes are designed to bolster the security measures and improve the performance of IPsec VPN.

    1. EMS SN verification: This new feature enhances security by adding an additional layer of protection on a per tunnel basis.

    2. IPsec SAML-based authentication: This enhancement adds support for SAML authentication for FortiClient dial-up IPsec VPN clients. This addition allows for a more streamlined and secure user authentication process.

    3. IPsec split DNS: This enhancement adds support for split DNS for FortiClient dialup IPsec VPN clients. This addition enhances performance and efficiency in network traffic management.

    These changes collectively contribute to a more robust and efficient IKE protocol, enhancing the overall security and performance of IPSec tunnels.

    EMS SN verification

    This feature ensures that only licensed FortiClient endpoints can establish an IPsec VPN connection with FortiGate. The FortiGate performs EMS SN verification, and for this feature to work, both the FortiGate and FortiClient endpoints must be connected to the same FortiClient EMS.

    To enable the EMS SN verification in the CLI:
    config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

    Command

    Description
    set ems-sn-check Enable or disable EMS serial number verification.

    IPsec SAML-based authentication

    The FortiGate’s authd daemon has been improved to support SAML authentication and now accepts local-in traffic from the FortiClient through a TCP port number, which can be configured using a new CLI command.

    Prerequisites

    Before you begin to configure IPsec SAML-based authentication related configuration on the FortiGate, as listed in steps 4 and 5, complete the following steps:

    1. Enable SAML Identity Provider:

      • To set up Single Sign-On (SSO) using Microsoft Entra SSO in the Azure portal, see Configure Microsoft Entra SSO.

      • To set up Single Sign-On (SSO) using FortiAutheticator, see SAML IdP in the FortiAuthenticator Administration Guide.

    2. Configure the SAML user and assign this user to a user group. This group will be used in the firewall policy. For more details, refer to step 4 of the Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP.

    3. Configure dialup IPsec VPN with FortiClient as the dialup client. See FortiClient as dialup client in the FortiOS Administration Guide for more information.

    4. Configure the SAML user in VPN relative interface:

      config system interface
    edit <port>
        set ike-saml-server <saml_server> 
    next
end

      Command

      Description
      set ike-saml-server Configure IKE authentication SAML server.

    5. Configure the SAML port if using the Customize port on FortiClient:

      config system global
    set auth-ike-saml-port <port_number>
end

      Command

      Description
      set auth-ike-saml-port User IKE SAML authentication port (0 - 65535, default = 1001).

    6. Configure an IPsec VPN connection and select Enable Single Sign On (SSO) for VPN Tunnel. See Configuring an IPsec VPN connection in the FortiClient Administration Guide for more information.

    IPsec split DNS

    This functionality empowers clients to determine whether DNS traffic should utilize the tunnel’s DNS or the local DNS server for query resolution. This is achieved by letting users specify a list of FQDNs. Only FQDNs that match the specified list are directed to the tunnel for resolution, while all other queries are handled by the local DNS server.

    Note

    The internal-domain-list option is available on IKEv2 phase1 dialup gateways if mode-cfg is enabled.
    To enable IPsec Split DNS in the CLI:
    config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2 
        set mode-cfg enable
        set dns-mode {manual | auto}
        set internal-domain-list <domain name>
    next
end

    Command

    Description
    set internal-domain-list One or more internal domain names in quotes separated by spaces.

    Two scenarios need attention:

    1. When there is no split tunnel, or the split tunnel is set to address all, the user must manually select the Enable Local LAN checkbox in the FortiClient by navigating to Advanced Settings > Phase 1. If not, only the FQDN matching the internal-domain-list will be resolved, discarding other DNS queries. However, once this setting is enabled on FortiClient, any non-matching DNS query will be resolved through the local DNS server.

    2. If the dns-mode is set to manual, but the ipv4-dns-server1 is not configured, the VPN tunnel's DNS will default to 0.0.0.0 and all DNS queries will be routed through the local DNS server.

    Previous
    Next

    Enhancing IPsec security and performance 7.2.8

    Enhancing IPsec security and performance 7.2.8

    Note

    This information is also available in the FortiOS 7.2 Administration Guide:

    This enhancement brings three new changes to the Internet Key Exchange (IKE) protocol. These changes are designed to bolster the security measures and improve the performance of IPsec VPN.

    1. EMS SN verification: This new feature enhances security by adding an additional layer of protection on a per tunnel basis.

    2. IPsec SAML-based authentication: This enhancement adds support for SAML authentication for FortiClient dial-up IPsec VPN clients. This addition allows for a more streamlined and secure user authentication process.

    3. IPsec split DNS: This enhancement adds support for split DNS for FortiClient dialup IPsec VPN clients. This addition enhances performance and efficiency in network traffic management.

    These changes collectively contribute to a more robust and efficient IKE protocol, enhancing the overall security and performance of IPSec tunnels.

    EMS SN verification

    This feature ensures that only licensed FortiClient endpoints can establish an IPsec VPN connection with FortiGate. The FortiGate performs EMS SN verification, and for this feature to work, both the FortiGate and FortiClient endpoints must be connected to the same FortiClient EMS.

    To enable the EMS SN verification in the CLI:
    config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

    Command

    Description
    set ems-sn-check Enable or disable EMS serial number verification.

    IPsec SAML-based authentication

    The FortiGate’s authd daemon has been improved to support SAML authentication and now accepts local-in traffic from the FortiClient through a TCP port number, which can be configured using a new CLI command.

    Prerequisites

    Before you begin to configure IPsec SAML-based authentication related configuration on the FortiGate, as listed in steps 4 and 5, complete the following steps:

    1. Enable SAML Identity Provider:

      • To set up Single Sign-On (SSO) using Microsoft Entra SSO in the Azure portal, see Configure Microsoft Entra SSO.

      • To set up Single Sign-On (SSO) using FortiAutheticator, see SAML IdP in the FortiAuthenticator Administration Guide.

    2. Configure the SAML user and assign this user to a user group. This group will be used in the firewall policy. For more details, refer to step 4 of the Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP.

    3. Configure dialup IPsec VPN with FortiClient as the dialup client. See FortiClient as dialup client in the FortiOS Administration Guide for more information.

    4. Configure the SAML user in VPN relative interface:

      config system interface
    edit <port>
        set ike-saml-server <saml_server> 
    next
end

      Command

      Description
      set ike-saml-server Configure IKE authentication SAML server.

    5. Configure the SAML port if using the Customize port on FortiClient:

      config system global
    set auth-ike-saml-port <port_number>
end

      Command

      Description
      set auth-ike-saml-port User IKE SAML authentication port (0 - 65535, default = 1001).

    6. Configure an IPsec VPN connection and select Enable Single Sign On (SSO) for VPN Tunnel. See Configuring an IPsec VPN connection in the FortiClient Administration Guide for more information.

    IPsec split DNS

    This functionality empowers clients to determine whether DNS traffic should utilize the tunnel’s DNS or the local DNS server for query resolution. This is achieved by letting users specify a list of FQDNs. Only FQDNs that match the specified list are directed to the tunnel for resolution, while all other queries are handled by the local DNS server.

    Note

    The internal-domain-list option is available on IKEv2 phase1 dialup gateways if mode-cfg is enabled.
    To enable IPsec Split DNS in the CLI:
    config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2 
        set mode-cfg enable
        set dns-mode {manual | auto}
        set internal-domain-list <domain name>
    next
end

    Command

    Description
    set internal-domain-list One or more internal domain names in quotes separated by spaces.

    Two scenarios need attention:

    1. When there is no split tunnel, or the split tunnel is set to address all, the user must manually select the Enable Local LAN checkbox in the FortiClient by navigating to Advanced Settings > Phase 1. If not, only the FQDN matching the internal-domain-list will be resolved, discarding other DNS queries. However, once this setting is enabled on FortiClient, any non-matching DNS query will be resolved through the local DNS server.

    2. If the dns-mode is set to manual, but the ipv4-dns-server1 is not configured, the VPN tunnel's DNS will default to 0.0.0.0 and all DNS queries will be routed through the local DNS server.

    Previous
    Next