New Features

Enhancing IPsec security and performance 7.2.8

Note

This information is also available in the FortiOS 7.2 Administration Guide.

This enhancement brings three new changes to the Internet Key Exchange (IKE) protocol. These changes are designed to bolster the security measures and improve the performance of IPsec VPN.

  1. EMS SN verification: This new feature enhances security by adding an additional layer of protection on a per tunnel basis.

  2. IPsec SAML-based authentication: This enhancement adds support for SAML authentication for FortiClient dial-up IPsec VPN clients. This addition allows for a more streamlined and secure user authentication process.

  3. IPsec split DNS: This enhancement adds support for split DNS for FortiClient dialup IPsec VPN clients. This addition enhances performance and efficiency in network traffic management.

These changes collectively contribute to a more robust and efficient IKE protocol, enhancing the overall security and performance of IPsec tunnels.

EMS SN verification

This feature ensures that only licensed FortiClient endpoints can establish an IPsec VPN connection with FortiGate. The FortiGate performs EMS SN verification, and for this feature to work, both the FortiGate and FortiClient endpoints must be connected to the same FortiClient EMS.

To enable the EMS SN verification in the CLI:
config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

Command: set ems-sn-check
Description: Enable or disable EMS serial number verification.

IPsec SAML-based authentication

The FortiGate’s authd daemon has been improved to support SAML authentication and now accepts local-in traffic from the FortiClient through a TCP port number, which can be configured using a new CLI command.

Prerequisites

Before configuring IPsec SAML-based authentication on the FortiGate (steps 4 and 5 below), complete the preceding steps in order:

  1. Enable SAML Identity Provider:

    • To set up Single Sign-On (SSO) using Microsoft Entra SSO in the Azure portal, see Configure Microsoft Entra SSO.

    • To set up Single Sign-On (SSO) using FortiAuthenticator, see SAML IdP in the FortiAuthenticator Administration Guide.

  2. Configure the SAML user and assign this user to a user group. This group is used in the firewall policy. For details, refer to step 4 of Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP.

  3. Configure dialup IPsec VPN with FortiClient as the dialup client. See FortiClient as dialup client in the FortiOS Administration Guide for more information.

  4. Configure the SAML server on the interface that terminates the VPN:

    config system interface
        edit <port>
            set ike-saml-server <saml_server>
        next
    end

    Command: set ike-saml-server
    Description: Configure the IKE authentication SAML server.

  5. Configure the SAML port if a customized port is used on FortiClient:

    config system global
        set auth-ike-saml-port <port_number>
    end

    Command: set auth-ike-saml-port
    Description: IKE SAML authentication port (0 - 65535, default = 1001).

  6. Configure an IPsec VPN connection and select Enable Single Sign On (SSO) for VPN Tunnel. See Configuring an IPsec VPN connection in the FortiClient Administration Guide for more information.

IPsec split DNS

This functionality lets clients decide whether a DNS query is resolved by the tunnel's DNS server or by the local DNS server. The user specifies a list of FQDNs; only queries that match the list are sent through the tunnel for resolution, while all other queries are handled by the local DNS server.

Note

The internal-domain-list option is available on IKEv2 phase1 dialup gateways if mode-cfg is enabled.

To enable IPsec split DNS in the CLI:
config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set dns-mode {manual | auto}
        set internal-domain-list <domain name>
    next
end

Command: set internal-domain-list
Description: One or more internal domain names in quotes, separated by spaces.

Two scenarios need attention:

  1. When there is no split tunnel, or the split tunnel is set to address all, the user must manually select the Enable Local LAN checkbox in FortiClient under Advanced Settings > Phase 1. If this is not done, only FQDNs matching the internal-domain-list are resolved and all other DNS queries are discarded. Once the setting is enabled on FortiClient, any non-matching DNS query is resolved through the local DNS server.

  2. If the dns-mode is set to manual, but the ipv4-dns-server1 is not configured, the VPN tunnel's DNS will default to 0.0.0.0 and all DNS queries will be routed through the local DNS server.
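The resolver-selection rules above, including both scenarios, as an added Python model written for this page (it is not FortiClient or FortiOS code). Suffix matching against internal-domain-list, the TunnelDns fields and the sample values are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Outcomes for a single DNS query under IPsec split DNS.
TUNNEL, LOCAL, DROP = "tunnel", "local", "drop"


def _norm(name: str) -> str:
    """Normalise a DNS name: strip whitespace, trailing dot and case."""
    return name.strip().rstrip(".").lower()


def matches_internal(fqdn: str, internal_domains: List[str]) -> bool:
    """Assumption: a query matches when it equals an internal domain or is a subdomain of one."""
    q = _norm(fqdn)
    return any(q == _norm(d) or q.endswith("." + _norm(d)) for d in internal_domains)


@dataclass
class TunnelDns:
    """Constructed view of the phase1 and FortiClient settings that drive the decision."""
    dns_mode: str                                   # "manual" or "auto"
    ipv4_dns_server1: Optional[str] = None          # None models 'not configured' (scenario 2)
    internal_domain_list: List[str] = field(default_factory=list)
    full_tunnel: bool = True                        # no split tunnel, or split tunnel 'all' (scenario 1)
    local_lan_enabled: bool = False                 # FortiClient 'Enable Local LAN' checkbox


def effective_tunnel_dns(cfg: TunnelDns) -> str:
    """Scenario 2: manual mode with no ipv4-dns-server1 leaves the tunnel DNS at 0.0.0.0."""
    if cfg.dns_mode == "manual" and not cfg.ipv4_dns_server1:
        return "0.0.0.0"
    # Assumption: auto mode hands the client a usable server from mode-cfg.
    return cfg.ipv4_dns_server1 or "auto-assigned"


def resolver_for(fqdn: str, cfg: TunnelDns) -> str:
    """Decide which resolver handles one query, following the two documented scenarios."""
    if effective_tunnel_dns(cfg) == "0.0.0.0":
        return LOCAL                      # tunnel DNS unusable: everything goes local
    if matches_internal(fqdn, cfg.internal_domain_list):
        return TUNNEL                     # listed domain: resolve through the tunnel
    if cfg.full_tunnel and not cfg.local_lan_enabled:
        return DROP                       # scenario 1: non-matching query is discarded
    return LOCAL                          # Local LAN enabled (or split tunnel): local resolver


if __name__ == "__main__":
    cfg = TunnelDns("manual", "10.0.0.53", ["corp.example"])  # constructed sample
    for name in ("intranet.corp.example", "www.example.net"):
        print(name, "->", resolver_for(name, cfg))
```

Running the sample shows the listed host going to the tunnel and the unlisted one being dropped until Enable Local LAN is set.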
