Fortinet black logo

SWG with VPN Deployment Guide

Home FortiSASE SWG with VPN Deployment Guide

Testing and monitoring

Testing and monitoring

The basic configuration is complete at this point. Test the connections to the Internet and corporate networks on an endpoint.

To test connection to the Internet on a Windows computer with a RADIUS user:
  1. From the endpoint, open a browser.
  2. Browse to a webpage.
  3. An authentication prompt appears. Enter your username and password.

  4. Once authenticated, you can browse to any webpage. FortiSASE scans this traffic.
  5. Browse to a webpage that triggers a Web Filter violation. The browser shows a message that FortiSASE is blocking the webpage.

    For the blocked webpage message to display without a certificate warning, the FortiSASE root certificate authority certificate must be installed on the endpoint. The following shows a valid certificate chain.

  6. In FortiSASE, go to Session Monitor to see the logged in user.

To test connection to the Internet on a macOS computer with an Azure Active Directory (AD) user:
  1. From the endpoint, open a browser.
  2. Browse to a webpage. The page redirects to a Microsoft login page to perform single sign on.
  3. Log in using your Azure AD credentials.
  4. Once authenticated, you can browse to any webpage. FortiSASE scans this traffic.
  5. To properly browse any HTTPS websites, you must install the FortiSASE root certificate on the endpoint. Double-click the FortiSASE certificate that the administrator provided during onboarding. In the Keychain field, select System, then click Add.
  6. When you view the certificate, the root certificate appears as not trusted. Expand the Trust section. In the When using this certificate field, select Always Trust.

  7. Save the configuration and add the certificate to the system keychain.
  8. You can connect to HTTPS websites without seeing a warning. Browse to an HTTPS website, then go to Session Monitor in FortiSASE to see the logged in user.
To test connection to the corporate network:
  1. On the endpoint, connect to the SSL VPN gateway using the VPN client (FortiClient). In this scenario, the SSL VPN user and FortiSASE user is from the same source.
  2. Once VPN connects, verify the routes from Windows Command Prompt: 
    > route print
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.25     60
       10.10.10.0    255.255.255.0         On-link       10.10.10.25    316
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.20.0    255.255.255.0   10.212.134.201   10.212.134.200      1

    The corporate network (192.168.20.0/24) is routed through the SSL VPN interface.

  3. In FortiOS, go to Firewall > Network Dashboard > SSL-VPN widget to see the logged in VPN user.

  4. From the endpoint, connect to an internal resource on the corporate network. The connection succeeds.
Previous
Next

Testing and monitoring

The basic configuration is complete at this point. Test the connections to the Internet and corporate networks on an endpoint.

To test connection to the Internet on a Windows computer with a RADIUS user:
  1. From the endpoint, open a browser.
  2. Browse to a webpage.
  3. An authentication prompt appears. Enter your username and password.

  4. Once authenticated, you can browse to any webpage. FortiSASE scans this traffic.
  5. Browse to a webpage that triggers a Web Filter violation. The browser shows a message that FortiSASE is blocking the webpage.

    For the blocked webpage message to display without a certificate warning, the FortiSASE root certificate authority certificate must be installed on the endpoint. The following shows a valid certificate chain.

  6. In FortiSASE, go to Session Monitor to see the logged in user.

To test connection to the Internet on a macOS computer with an Azure Active Directory (AD) user:
  1. From the endpoint, open a browser.
  2. Browse to a webpage. The page redirects to a Microsoft login page to perform single sign on.
  3. Log in using your Azure AD credentials.
  4. Once authenticated, you can browse to any webpage. FortiSASE scans this traffic.
  5. To properly browse any HTTPS websites, you must install the FortiSASE root certificate on the endpoint. Double-click the FortiSASE certificate that the administrator provided during onboarding. In the Keychain field, select System, then click Add.
  6. When you view the certificate, the root certificate appears as not trusted. Expand the Trust section. In the When using this certificate field, select Always Trust.

  7. Save the configuration and add the certificate to the system keychain.
  8. You can connect to HTTPS websites without seeing a warning. Browse to an HTTPS website, then go to Session Monitor in FortiSASE to see the logged in user.
To test connection to the corporate network:
  1. On the endpoint, connect to the SSL VPN gateway using the VPN client (FortiClient). In this scenario, the SSL VPN user and FortiSASE user is from the same source.
  2. Once VPN connects, verify the routes from Windows Command Prompt: 
    > route print
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.10.1      10.10.10.25     60
       10.10.10.0    255.255.255.0         On-link       10.10.10.25    316
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.20.0    255.255.255.0   10.212.134.201   10.212.134.200      1

    The corporate network (192.168.20.0/24) is routed through the SSL VPN interface.

  3. In FortiOS, go to Firewall > Network Dashboard > SSL-VPN widget to see the logged in VPN user.

  4. From the endpoint, connect to an internal resource on the corporate network. The connection succeeds.
Previous
Next