
New Features

Update SSL VPN default behavior and visibility in the GUI 7.4.1

SSL VPN default behavior and visibility in the GUI have been updated:

  • By default, SSL VPN web mode settings are disabled and hidden from the GUI and the CLI.

  • By default, SSL VPN tunnel mode settings and the VPN > SSL-VPN menus are hidden from the GUI.

  • The CLI configuration setting for VPN GUI feature visibility has been divided into IPsec (set gui-vpn under config system settings) and SSL-VPN (set gui-sslvpn under config system settings), where IPsec is still enabled by default and SSL-VPN is now disabled by default.

  • Warning messages have been added to the GUI on the SSL-VPN Settings page, under SSL-VPN status and Authentication/Portal Mapping, when either SSL VPN tunnel mode or SSL VPN web mode is enabled.

  • In Security Fabric > Security Rating, a new check for Disable SSL-VPN Settings has been added and this check fails whenever SSL VPN is enabled.

To enable SSL VPN web mode:

config system global
    set sslvpn-web-mode enable
end

To enable the VPN > SSL-VPN GUI menus:

config system settings
    set gui-sslvpn enable
end

If SSL VPN web mode and tunnel mode were both configured in a FortiOS version prior to 7.4.1, then after upgrading to 7.4.1 or later the VPN > SSL-VPN menus and the SSL VPN web mode settings remain visible in the GUI.

In FortiOS, alternative remote access solutions are IPsec VPN and ZTNA.

Upgrading devices with SSL VPN already configured

This table summarizes the SSL VPN visibility CLI configuration based on whether a device has been factory reset or has been upgraded with SSL VPN already configured:

| Behavior in FortiOS 7.4.1 and above | SSL VPN web mode | SSL VPN tunnel mode | set sslvpn-web-mode | set gui-sslvpn |
|---|---|---|---|---|
| After factory reset | GUI and CLI disabled | GUI disabled | disable | disable |
| After upgrade when SSL VPN web mode and SSL VPN tunnel mode were previously not enabled | GUI and CLI disabled | GUI disabled | disable | disable |
| After upgrade when only SSL VPN tunnel mode was previously enabled | GUI and CLI disabled | GUI enabled | disable | enable |
| After upgrade when both SSL VPN web mode and SSL VPN tunnel mode were previously enabled | GUI and CLI enabled | GUI enabled | enable | enable |
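The CLI commands above and the upgrade matrix are easy to audit offline from a configuration export. The following Python script is an added example, not code from Fortinet or from this page. It parses the flat `config ... end` blocks of a `show system global` / `show system settings` export, applies the 7.4.1 defaults stated on this page for settings that `show` omits because they are at their default, encodes the upgrade matrix as a function, and flags the two settings that expose SSL VPN. The sample export is constructed; the flagging logic is an approximation of the Security Rating check described later on this page, not a reimplementation of it.

```python
import re

# Constructed sample: a `show` export from a device upgraded to 7.4.1 with
# only SSL VPN tunnel mode previously enabled. As on a real unit, settings
# that sit at their default value (here sslvpn-web-mode and gui-vpn) are
# omitted from `show` output.
SAMPLE_SHOW_OUTPUT = """\
config system global
    set admintimeout 10
    set hostname "edge-fw-01"
end
config system settings
    set gui-sslvpn enable
end
"""

# FortiOS 7.4.1 defaults as documented on this page.
DEFAULTS = {
    "system global": {"sslvpn-web-mode": "disable"},
    "system settings": {"gui-vpn": "enable", "gui-sslvpn": "disable"},
}

_BLOCK_RE = re.compile(r"^config (?P<name>.+?)\s*\n(?P<body>.*?)^end\s*$", re.M | re.S)
_SET_RE = re.compile(r"^\s*set (?P<key>[\w-]+)\s+(?P<val>.+?)\s*$", re.M)


def parse_flat_blocks(text):
    """Parse top-level `config ... end` blocks into {block: {key: value}}.

    Only flat blocks are handled (no nested `config`/`end` inside a block);
    that is sufficient for `system global` and `system settings`.
    """
    blocks = {}
    for m in _BLOCK_RE.finditer(text):
        settings = {}
        for s in _SET_RE.finditer(m.group("body")):
            settings[s.group("key")] = s.group("val").strip('"')
        blocks[m.group("name").strip()] = settings
    return blocks


def sslvpn_visibility(show_output):
    """Effective value of each visibility setting, with defaults filled in."""
    blocks = parse_flat_blocks(show_output)
    state = {}
    for block, defaults in DEFAULTS.items():
        for key, default in defaults.items():
            state[key] = blocks.get(block, {}).get(key, default)
    return state


def expected_after_upgrade(web_mode_was_enabled, tunnel_mode_was_enabled):
    """Upgrade matrix from this page: pre-upgrade state -> expected CLI values."""
    if web_mode_was_enabled and tunnel_mode_was_enabled:
        return {"sslvpn-web-mode": "enable", "gui-sslvpn": "enable"}
    if tunnel_mode_was_enabled:
        return {"sslvpn-web-mode": "disable", "gui-sslvpn": "enable"}
    if web_mode_was_enabled:
        # The page's matrix does not document web mode without tunnel mode.
        raise ValueError("web mode without tunnel mode is not covered by the upgrade matrix")
    return {"sslvpn-web-mode": "disable", "gui-sslvpn": "disable"}


def findings(state):
    """Flag the settings that expose SSL VPN (approximates the Security Rating check)."""
    out = []
    if state["sslvpn-web-mode"] == "enable":
        out.append("SSL VPN web mode is enabled (config system global / set sslvpn-web-mode)")
    if state["gui-sslvpn"] == "enable":
        out.append("VPN > SSL-VPN menus are visible (config system settings / set gui-sslvpn)")
    return out


if __name__ == "__main__":
    state = sslvpn_visibility(SAMPLE_SHOW_OUTPUT)
    print("effective settings:", state)
    for f in findings(state):
        print("FINDING:", f)
```

Feed it the output of `show system global` and `show system settings` captured from an upgraded unit and compare the result with `expected_after_upgrade()` for the unit's pre-upgrade state; a mismatch means an administrator changed the visibility settings after the upgrade. Because `show` omits settings at their default, the parser must fill in defaults rather than treat a missing key as an error; `show full-configuration` prints every setting and removes that ambiguity.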

SSL VPN menu visibility

By default, the VPN > SSL-VPN menus for tunnel mode, namely SSL-VPN Portals, SSL-VPN Settings, and SSL-VPN Clients, are hidden from the GUI. This visibility is configurable:

  • In the GUI, using System > Feature Visibility:

  • In the CLI, using this configuration setting (disable is the default):

    config system settings
        set gui-sslvpn {enable | disable}
    end

When SSL-VPN visibility is enabled using either the GUI or the CLI method, these VPN menus become visible:

  • SSL-VPN Portals

  • SSL-VPN Settings

  • SSL-VPN Clients

SSL VPN web mode visibility

By default, SSL VPN web mode is disabled and hidden from the GUI. It is controlled by this CLI configuration setting (disable is the default):

config system global
    set sslvpn-web-mode disable
end

When SSL VPN web mode is hidden, the following elements are hidden:

  • The Web Mode Settings section from the SSL-VPN Settings page.

  • The web-access portal from the SSL-VPN Portals page.

  • The Web Mode setting is disabled from within portals with a warning message.

If SSL VPN web mode is hidden using the CLI command above, then even when SSL VPN tunnel mode has been correctly configured, browsing to the SSL VPN listening IP address, domain name, and port to reach the web mode portal shows the following warning message:

VPN feature visibility

By default, VPN feature visibility is enabled:

config system settings
    set gui-vpn enable
end

Starting in FortiOS 7.4.1, this CLI setting no longer enables both IPsec VPN and SSL VPN feature visibility and has been updated to control IPsec VPN feature visibility only:

config system settings
    set gui-vpn {enable | disable}
end

| Setting | Description |
|---|---|
| enable | Enable the IPsec VPN settings pages on the GUI. |
| disable | Disable the IPsec VPN settings pages on the GUI. |

Warning messages when SSL VPN is configured

Warning messages have been added to the GUI on the VPN > SSL-VPN Settings page to inform the administrator of remote access alternatives.

The following warning messages are displayed with a yellow and blue banner, respectively, when SSL VPN tunnel mode is enabled and web mode is disabled:

  • The yellow warning is displayed in the opening section of VPN > SSL-VPN Settings.

  • The blue warning is displayed in the Authentication/Portal Mapping section of VPN > SSL-VPN Settings.

The following warning messages are displayed with red banners when SSL VPN tunnel mode and web mode are both enabled:

  • The first warning is displayed in the opening section of VPN > SSL-VPN Settings.

  • The second warning is displayed in the Authentication/Portal Mapping section of VPN > SSL-VPN Settings.

Security Rating check for disabling SSL VPN settings

In Security Fabric > Security Rating, a check for Disable SSL-VPN Settings has been added; the check fails when SSL VPN is enabled.

When SSL VPN settings are enabled, this Security Rating check fails because Fortinet Security Best Practices (FSBP) recommend using ZTNA or IPsec VPN instead of SSL VPN. The Recommendations section of the check displays IPsec VPN and ZTNA help links.
