Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.6.1 Administration Guide
    7.6.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    SSL VPN custom landing page

    SSL VPN custom landing page

    An SSL VPN web mode user can log in to the web portal and be redirected to a custom landing page. The custom landing page can be configured in VPN > SSL-VPN Portals by setting the portal Landing page to Custom or by using the command config landing-page.

    The landing page can accept SSO credentials as well as SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal has a logout button so that when users log out from the web application, they are also logged out from the SSL VPN web connection.

    Example

    In the following example, the SSL VPN web portal settings are configured so that the URL of the custom landing page of FGT_A is set to the FGT_B login page. Therefore, when a web user is logging into FGT_A's SSL VPN web portal, they will automatically be redirected to FGT_B, where the SSO username and password are passed into the username and password input fields. This allows for single sign on of the connecting user into FGT_B through the SSL VPN.

    To configure a custom landing page from the CLI:

    1. Configure the user and user group:

      config user local
    edit "custom_landing_user" 
        set type password
        set passwd ********
    next 
end
config user group
    edit "ssl-web-group" 
        set member "custom_landing_user"
    next 
end

    2. Configure the SSL VPN web portal:

      config vpn ssl web portal
    edit "custom_landing"
        set web-mode enable
        set landing-page-mode enable
        config landing-page
            set url "https://172.16.200.2/login"
            set sso static
            config form-data
                edit "username"
                    set value "admin"
                next
                edit "secretkey"
                    set value "1"
                next
            end 
            set sso-credential alternative
            set sso-username "admin"
            set sso-password ********
        end
    next
end

    3. Configure the SSL VPN settings:

      config vpn ssl settings
    set servercert "fgt_gui_automation"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set users "custom_landing_user"
            set portal "custom_landing"
        next
    end
    set encrypt-and-store-password enable
end

    4. Configure the firewall policy:

      config firewall policy
    edit 1
        set name "testpolicy"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "ssl-web-group"
        set users "custom_landing_user"
    next
end
    To configure a custom landing page from the GUI:

    1. Configure the user and user group:

      1. Go to User & Authentication > User Definition to create the custom_landing_user user.

      2. Go to User & Authentication > User Groups to create the ssl-web-group user group with the member custom_landing_user.

    2. Configure the SSL VPN web portal:

      1. Go to VPN > SSL-VPN Portals.

      2. Click Create New.

      3. Enter custom_landing as the Name.

      4. Enable custom Web Mode features:

        1. Enable Web Mode.

        2. Set Landing Page to Custom.

        3. Enter the FGT_B login page URL.

        4. Enable SSO Credentials and select Alternative.

        5. Enable SSO form data and enter the form keys and values.

      5. Click OK.

    3. Configure the SSL VPN settings:

      1. Go to VPN > SSL-VPN Settings.

      2. Set Listen on Interface(s) to port1.

      3. Set Listen on Port to 1443.

      4. Set Server Certificate to fgt_gui_automation.

      5. Create a new Authentication/Portal Mapping for group ssl-web-group mapping the portal custom-landing.

      6. Click Apply.

    4. Configure the firewall policy:

      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following settings:

        Name testpolicy
        Incoming Interface ssl.root
        Outgoing Interface wan1
        Source

        all

        custom_landing_user

        ssl-web-group
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT

      3. Enable NAT.

      4. Enable Log Allowed Traffic and set it to All Sessions.

      5. Click OK.

    Once the SSL VPN web portal is configured, the connected user can access FGT_B through the FGT_A SSL VPN web portal.

    To access FGT_B through the FGT_A SSL VPN web portal:

    1. Enter your SSO credentials in the SSL VPN login fields.

      The landing page is redirected to the FGT_B GUI automatically.

    Previous
    Next

    SSL VPN custom landing page

    SSL VPN custom landing page

    An SSL VPN web mode user can log in to the web portal and be redirected to a custom landing page. The custom landing page can be configured in VPN > SSL-VPN Portals by setting the portal Landing page to Custom or by using the command config landing-page.

    The landing page can accept SSO credentials as well as SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal has a logout button so that when users log out from the web application, they are also logged out from the SSL VPN web connection.

    Example

    In the following example, the SSL VPN web portal settings are configured so that the URL of the custom landing page of FGT_A is set to the FGT_B login page. Therefore, when a web user is logging into FGT_A's SSL VPN web portal, they will automatically be redirected to FGT_B, where the SSO username and password are passed into the username and password input fields. This allows for single sign on of the connecting user into FGT_B through the SSL VPN.

    To configure a custom landing page from the CLI:

    1. Configure the user and user group:

      config user local
    edit "custom_landing_user" 
        set type password
        set passwd ********
    next 
end
config user group
    edit "ssl-web-group" 
        set member "custom_landing_user"
    next 
end

    2. Configure the SSL VPN web portal:

      config vpn ssl web portal
    edit "custom_landing"
        set web-mode enable
        set landing-page-mode enable
        config landing-page
            set url "https://172.16.200.2/login"
            set sso static
            config form-data
                edit "username"
                    set value "admin"
                next
                edit "secretkey"
                    set value "1"
                next
            end 
            set sso-credential alternative
            set sso-username "admin"
            set sso-password ********
        end
    next
end

    3. Configure the SSL VPN settings:

      config vpn ssl settings
    set servercert "fgt_gui_automation"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set users "custom_landing_user"
            set portal "custom_landing"
        next
    end
    set encrypt-and-store-password enable
end

    4. Configure the firewall policy:

      config firewall policy
    edit 1
        set name "testpolicy"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "ssl-web-group"
        set users "custom_landing_user"
    next
end
    To configure a custom landing page from the GUI:

    1. Configure the user and user group:

      1. Go to User & Authentication > User Definition to create the custom_landing_user user.

      2. Go to User & Authentication > User Groups to create the ssl-web-group user group with the member custom_landing_user.

    2. Configure the SSL VPN web portal:

      1. Go to VPN > SSL-VPN Portals.

      2. Click Create New.

      3. Enter custom_landing as the Name.

      4. Enable custom Web Mode features:

        1. Enable Web Mode.

        2. Set Landing Page to Custom.

        3. Enter the FGT_B login page URL.

        4. Enable SSO Credentials and select Alternative.

        5. Enable SSO form data and enter the form keys and values.

      5. Click OK.

    3. Configure the SSL VPN settings:

      1. Go to VPN > SSL-VPN Settings.

      2. Set Listen on Interface(s) to port1.

      3. Set Listen on Port to 1443.

      4. Set Server Certificate to fgt_gui_automation.

      5. Create a new Authentication/Portal Mapping for group ssl-web-group mapping the portal custom-landing.

      6. Click Apply.

    4. Configure the firewall policy:

      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following settings:

        Name testpolicy
        Incoming Interface ssl.root
        Outgoing Interface wan1
        Source

        all

        custom_landing_user

        ssl-web-group
        Destination all
        Schedule always
        Service ALL
        Action ACCEPT

      3. Enable NAT.

      4. Enable Log Allowed Traffic and set it to All Sessions.

      5. Click OK.

    Once the SSL VPN web portal is configured, the connected user can access FGT_B through the FGT_A SSL VPN web portal.

    To access FGT_B through the FGT_A SSL VPN web portal:

    1. Enter your SSO credentials in the SSL VPN login fields.

      The landing page is redirected to the FGT_B GUI automatically.

    Previous
    Next