Fortinet black logo

New Features

ZTNA device certificate verification from EMS for SSL VPN connections 7.2.1

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:480629
Download PDF

ZTNA device certificate verification from EMS for SSL VPN connections 7.2.1

When connecting to a FortiGate SSL VPN in tunnel mode, the ztna-trusted-client setting enforces a ZTNA trusted client before the user can successfully establish an SSL VPN tunnel. A ZTNA trusted client is a device that is registered to FortiClient EMS and has a device certificated issued by EMS.

config vpn ssl setting
    set ztna-trusted-client {enable | disable} 
end
Note

If a PKI user is also configured, then the user can specify their certificate to get authenticated without providing a certificate that is signed by EMS.

If a SAML log in is also configured, then the user can finish authentication without providing a certificate that is signed by EMS.

Example

In this example, a FortiGate is registered to two EMS servers: 172.18.62.18 and 172.18.62.213. The following conditions are required to access to the SSL VPN tunnel:

  • The device must have FortiClient installed.
  • FortiClient must register to an EMS that the FortiGate is also registered to.
  • The user must specify a certificate that is signed by EMS to log in.

There are two users: one is using PC1 (u1) installed with FortiClient that is registered to EMS 172.18.62.18, and another is using PC2 (u2) installed with FortiClient that is registered to EMS 172.18.62.213. Both users can log in to the SSL VPN tunnel when specifying an EMS signed certificate.

This example assumes that the FortiGate EMS Fabric connectors are already successfully connected, and that the users have successfully registered FortiClient to their corresponding EMS servers.

When FortiClient is registered to EMS, the certificate is automatically installed on the device and is signed by EMS.

  • User u1 FortiClient configuration:

  • User u2 FortiClient configuration:

To configure the SSL VPN connection:
  1. Configure the portal settings:
    config vpn ssl web portal
        edit "testportal1"
            set tunnel-mode enable
            set web-mode enable
            set auto-connect enable
            set keep-alive enable
            set save-password enable
            set ip-pools "ip_pool"
            set split-tunneling disable
            set heading "SSL-VPN Portal 1"
        next
    end
  2. Configure the SSL VPN settings:
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set idle-timeout 0
        set auth-timeout 0
        set login-attempt-limit 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 1443
        set source-interface "port2" "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        set encrypt-and-store-password enable
        set ztna-trusted-client enable
    end

Testing the connection to the SSL VPN tunnel

To verify that users u1 and u2 can log in to FortiClient:
  1. Get users u1 and u2 to log in to FortiClient. Both logins should be successful.

    1. User u1:

    2. User u2:

  2. Deregister the u2 FortiClient from EMS 172.18.62.213.

  3. When u2 tries to log in to the SSL VPN again with an incorrect certificate, the SSL VPN connection is rejected.

    1. In the Remote Access tab, UNLICENSED appears in the top-right corner of the window, and a message appears to contact the administrator to activate the license.

    2. After clicking Connect, an error message appears that the Credential or SSLVPN configuration is wrong.

Once users u1 and u2 log in with FortiClient and use the correct certificate signed by the corresponding EMS (172.18.62.18 and 172.18.62.213 respectively), check the SSL VPN monitor to see that the tunnel connection was established.

To verify that u1 established an SSL VPN connection:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     172.16.200.254 0/0     0/0     0
SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       u1             172.16.200.254   537     168693/150495  19.0.0.1
To verify that u2 established an SSL VPN connection:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       u2             1(1)             N/A     172.16.200.254 0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 1       u2             172.16.200.254   300     88805/85301    19.0.0.2

ZTNA device certificate verification from EMS for SSL VPN connections 7.2.1

When connecting to a FortiGate SSL VPN in tunnel mode, the ztna-trusted-client setting enforces a ZTNA trusted client before the user can successfully establish an SSL VPN tunnel. A ZTNA trusted client is a device that is registered to FortiClient EMS and has a device certificated issued by EMS.

config vpn ssl setting
    set ztna-trusted-client {enable | disable} 
end
Note

If a PKI user is also configured, then the user can specify their certificate to get authenticated without providing a certificate that is signed by EMS.

If a SAML log in is also configured, then the user can finish authentication without providing a certificate that is signed by EMS.

Example

In this example, a FortiGate is registered to two EMS servers: 172.18.62.18 and 172.18.62.213. The following conditions are required to access to the SSL VPN tunnel:

  • The device must have FortiClient installed.
  • FortiClient must register to an EMS that the FortiGate is also registered to.
  • The user must specify a certificate that is signed by EMS to log in.

There are two users: one is using PC1 (u1) installed with FortiClient that is registered to EMS 172.18.62.18, and another is using PC2 (u2) installed with FortiClient that is registered to EMS 172.18.62.213. Both users can log in to the SSL VPN tunnel when specifying an EMS signed certificate.

This example assumes that the FortiGate EMS Fabric connectors are already successfully connected, and that the users have successfully registered FortiClient to their corresponding EMS servers.

When FortiClient is registered to EMS, the certificate is automatically installed on the device and is signed by EMS.

  • User u1 FortiClient configuration:

  • User u2 FortiClient configuration:

To configure the SSL VPN connection:
  1. Configure the portal settings:
    config vpn ssl web portal
        edit "testportal1"
            set tunnel-mode enable
            set web-mode enable
            set auto-connect enable
            set keep-alive enable
            set save-password enable
            set ip-pools "ip_pool"
            set split-tunneling disable
            set heading "SSL-VPN Portal 1"
        next
    end
  2. Configure the SSL VPN settings:
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set idle-timeout 0
        set auth-timeout 0
        set login-attempt-limit 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 1443
        set source-interface "port2" "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        set encrypt-and-store-password enable
        set ztna-trusted-client enable
    end

Testing the connection to the SSL VPN tunnel

To verify that users u1 and u2 can log in to FortiClient:
  1. Get users u1 and u2 to log in to FortiClient. Both logins should be successful.

    1. User u1:

    2. User u2:

  2. Deregister the u2 FortiClient from EMS 172.18.62.213.

  3. When u2 tries to log in to the SSL VPN again with an incorrect certificate, the SSL VPN connection is rejected.

    1. In the Remote Access tab, UNLICENSED appears in the top-right corner of the window, and a message appears to contact the administrator to activate the license.

    2. After clicking Connect, an error message appears that the Credential or SSLVPN configuration is wrong.

Once users u1 and u2 log in with FortiClient and use the correct certificate signed by the corresponding EMS (172.18.62.18 and 172.18.62.213 respectively), check the SSL VPN monitor to see that the tunnel connection was established.

To verify that u1 established an SSL VPN connection:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     172.16.200.254 0/0     0/0     0
SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       u1             172.16.200.254   537     168693/150495  19.0.0.1
To verify that u2 established an SSL VPN connection:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       u2             1(1)             N/A     172.16.200.254 0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 1       u2             172.16.200.254   300     88805/85301    19.0.0.2