Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.4 Administration Guide
    7.2.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    ZTNA device certificate verification from EMS for SSL VPN connections

    ZTNA device certificate verification from EMS for SSL VPN connections

    When connecting to a FortiGate SSL VPN in tunnel mode, the ztna-trusted-client setting enforces a ZTNA trusted client before the user can successfully establish an SSL VPN tunnel. A ZTNA trusted client is a device that is registered to FortiClient EMS and has a device certificated issued by EMS.

    config vpn ssl setting
    set ztna-trusted-client {enable | disable} 
end
    Note

    If a PKI user is also configured, then the user can specify their certificate to get authenticated without providing a certificate that is signed by EMS.

    If a SAML log in is also configured, then the user can finish authentication without providing a certificate that is signed by EMS.

    Example

    In this example, a FortiGate is registered to two EMS servers: 172.18.62.18 and 172.18.62.213. The following conditions are required to access to the SSL VPN tunnel:

    • The device must have FortiClient installed.
    • FortiClient must register to an EMS that the FortiGate is also registered to.
    • The user must specify a certificate that is signed by EMS to log in.

    There are two users: one is using PC1 (u1) installed with FortiClient that is registered to EMS 172.18.62.18, and another is using PC2 (u2) installed with FortiClient that is registered to EMS 172.18.62.213. Both users can log in to the SSL VPN tunnel when specifying an EMS signed certificate.

    This example assumes that the FortiGate EMS Fabric connectors are already successfully connected, and that the users have successfully registered FortiClient to their corresponding EMS servers.

    When FortiClient is registered to EMS, the certificate is automatically installed on the device and is signed by EMS.

    • User u1 FortiClient configuration:

    • User u2 FortiClient configuration:

    To configure the SSL VPN connection:
    1. Configure the portal settings:
      config vpn ssl web portal
    edit "testportal1"
        set tunnel-mode enable
        set web-mode enable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "ip_pool"
        set split-tunneling disable
        set heading "SSL-VPN Portal 1"
    next
end
    2. Configure the SSL VPN settings:
      config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set auth-timeout 0
    set login-attempt-limit 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port2" "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "testportal1"
    set encrypt-and-store-password enable
    set ztna-trusted-client enable
end

    Testing the connection to the SSL VPN tunnel

    To verify that users u1 and u2 can log in to FortiClient:

    1. Get users u1 and u2 to log in to FortiClient. Both logins should be successful.

      1. User u1:

      2. User u2:

    2. Deregister the u2 FortiClient from EMS 172.18.62.213.

    3. When u2 tries to log in to the SSL VPN again with an incorrect certificate, the SSL VPN connection is rejected.

      1. In the Remote Access tab, UNLICENSED appears in the top-right corner of the window, and a message appears to contact the administrator to activate the license.

      2. After clicking Connect, an error message appears that the Credential or SSLVPN configuration is wrong.

    Once users u1 and u2 log in with FortiClient and use the correct certificate signed by the corresponding EMS (172.18.62.18 and 172.18.62.213 respectively), check the SSL VPN monitor to see that the tunnel connection was established.

    To verify that u1 established an SSL VPN connection:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     172.16.200.254 0/0     0/0     0
SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       u1             172.16.200.254   537     168693/150495  19.0.0.1
    To verify that u2 established an SSL VPN connection:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       u2             1(1)             N/A     172.16.200.254 0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 1       u2             172.16.200.254   300     88805/85301    19.0.0.2
    Previous
    Next

    ZTNA device certificate verification from EMS for SSL VPN connections

    ZTNA device certificate verification from EMS for SSL VPN connections

    When connecting to a FortiGate SSL VPN in tunnel mode, the ztna-trusted-client setting enforces a ZTNA trusted client before the user can successfully establish an SSL VPN tunnel. A ZTNA trusted client is a device that is registered to FortiClient EMS and has a device certificated issued by EMS.

    config vpn ssl setting
    set ztna-trusted-client {enable | disable} 
end
    Note

    If a PKI user is also configured, then the user can specify their certificate to get authenticated without providing a certificate that is signed by EMS.

    If a SAML log in is also configured, then the user can finish authentication without providing a certificate that is signed by EMS.

    Example

    In this example, a FortiGate is registered to two EMS servers: 172.18.62.18 and 172.18.62.213. The following conditions are required to access to the SSL VPN tunnel:

    • The device must have FortiClient installed.
    • FortiClient must register to an EMS that the FortiGate is also registered to.
    • The user must specify a certificate that is signed by EMS to log in.

    There are two users: one is using PC1 (u1) installed with FortiClient that is registered to EMS 172.18.62.18, and another is using PC2 (u2) installed with FortiClient that is registered to EMS 172.18.62.213. Both users can log in to the SSL VPN tunnel when specifying an EMS signed certificate.

    This example assumes that the FortiGate EMS Fabric connectors are already successfully connected, and that the users have successfully registered FortiClient to their corresponding EMS servers.

    When FortiClient is registered to EMS, the certificate is automatically installed on the device and is signed by EMS.

    • User u1 FortiClient configuration:

    • User u2 FortiClient configuration:

    To configure the SSL VPN connection:
    1. Configure the portal settings:
      config vpn ssl web portal
    edit "testportal1"
        set tunnel-mode enable
        set web-mode enable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "ip_pool"
        set split-tunneling disable
        set heading "SSL-VPN Portal 1"
    next
end
    2. Configure the SSL VPN settings:
      config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set auth-timeout 0
    set login-attempt-limit 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port2" "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "testportal1"
    set encrypt-and-store-password enable
    set ztna-trusted-client enable
end

    Testing the connection to the SSL VPN tunnel

    To verify that users u1 and u2 can log in to FortiClient:

    1. Get users u1 and u2 to log in to FortiClient. Both logins should be successful.

      1. User u1:

      2. User u2:

    2. Deregister the u2 FortiClient from EMS 172.18.62.213.

    3. When u2 tries to log in to the SSL VPN again with an incorrect certificate, the SSL VPN connection is rejected.

      1. In the Remote Access tab, UNLICENSED appears in the top-right corner of the window, and a message appears to contact the administrator to activate the license.

      2. After clicking Connect, an error message appears that the Credential or SSLVPN configuration is wrong.

    Once users u1 and u2 log in with FortiClient and use the correct certificate signed by the corresponding EMS (172.18.62.18 and 172.18.62.213 respectively), check the SSL VPN monitor to see that the tunnel connection was established.

    To verify that u1 established an SSL VPN connection:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       u1             1(1)             N/A     172.16.200.254 0/0     0/0     0
SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       u1             172.16.200.254   537     168693/150495  19.0.0.1
    To verify that u2 established an SSL VPN connection:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       u2             1(1)             N/A     172.16.200.254 0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 1       u2             172.16.200.254   300     88805/85301    19.0.0.2
    Previous
    Next