FortiGate SSL VPN How To (GR 1.0)
William Lee, CISA
This article shows a straightforward way to set up SSL VPN on a FortiGate UTM appliance. The equipment
used was a FortiGate 100A running FortiOS 4.0 MR2.
Prerequisites for the setup:
1. A working FortiGate box running FortiOS 4.0 MR2
2. Administrative credentials for the box
3. A working Internet connection on which inbound traffic to TCP port 443 is not filtered
4. The ability to generate a private key and certificate signing request (CSR), and to obtain a certificate
from a trusted CA
The author started from a box that had just been factory reset, which is done with execute factoryreset
from the CLI:
SSLVPNDEMO # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) Y
Be aware that this erases all configuration on the box. Afterwards, set the IP address of your
administrative PC to 192.168.1.100/24 and point your browser at https://192.168.1.99, the factory default
address of the internal interface.
Figure 1 – Pointing the browser to a FortiGate box
Because the factory certificate is not signed by a CA your browser trusts and its common name does not
match the URL, the browser presents a warning. Use “Add Exception…” in Firefox or “Continue to this website
(not recommended)” in Internet Explorer. Accepting an untrusted certificate is tolerable only for this first,
directly cabled connection to the box; the certificate installed in step 5 removes the warning for your users.
May 9, 2010
Next, you will see a login prompt. The look and feel of FortiOS 4.0 MR2 is completely different from the
previous versions.
Figure 2 – Login Prompt for the FortiGate Web-based Manager
Figure 3 – Dashboard
Once you are here, configure the basic settings: time zone, clock, interface IP addresses, dynamic DNS, and
so on. Set a password for the default admin account at this point too, since the box will shortly be
reachable from the Internet.
Configuration Steps
The configuration involves the following high-level tasks:
1. Set up user account(s)
2. Set up user group(s) that allow SSL VPN access and include the intended users
3. Set up the tunnel mode IP address range
4. Add the tunnel mode IP address range to the static route table
5. Load the private key and certificate onto the box
6. Enable SSL VPN
7. Create firewall policies to allow SSL VPN and/or tunnel mode access
8. Move the web-based manager off TCP port 443
9. Set the SSL VPN portal to use TCP port 443
Let’s start in a step-by-step manner.
1. Set up user account(s)
Web-based manager – User > User > New User
Figure 4 – Create User
Enter a user name and password for the user. Create as many users as you need.
CLI – user name “sslvpn01” with password “Password” (without quotes), for example. “Password” is only a
placeholder here: these accounts are reachable from the Internet, so give each one a long, unique password
and avoid shared accounts.
config user local
    edit "sslvpn01"
        set type password
        set passwd Password
    next
end
2. Set up user group(s) that allow SSL VPN access and include the intended users
Web-based manager – User > User Group > User Group
Figure 5 – Create User Group
Enter the group name, select Firewall as the type, tick Allow SSL-VPN Access and choose the “full-access”
portal, move the users created in the previous step into the member list with the arrow button, and click OK.
Only members of this group will be able to authenticate to the portal, so keep its membership limited to the
people who actually need remote access.
CLI – user group “UserGroup_VPN_SSL” (without quotes), for example:
config user group
    edit "UserGroup_VPN_SSL"
        set sslvpn-portal "full-access"
        set member "sslvpn01"
    next
end
3. Set up the tunnel mode IP address range
The predefined firewall address SSLVPN_TUNNEL_ADDR1 (under Firewall > Address) is the pool of addresses
handed to tunnel mode clients. You may leave it unchanged for the default of 10.0.0.1 – 10.0.0.10. If you
change it, pick a range that overlaps neither your internal networks nor the typical home LANs of your
remote users (192.168.0.0/24, 192.168.1.0/24), or tunnel mode traffic will not route correctly.
Figure 6 – SSLVPN_TUNNEL_ADDR1 address range definition
4. Add the tunnel mode IP address range to the static route table
For return traffic to reach tunnel mode clients, the FortiGate needs a route that sends the range from the
previous step into the SSL VPN interface ssl.root. Add it to the static route table.
Web-based Manager – Router > Static > Static Route > Create New
Figure 7 – Define Static Route for Tunnel IP Range
Enter the range defined in the previous step as Destination IP/Mask, select ssl.root as Device and click
OK.
CLI – 10.0.0.0/24, for example:
config router static
    edit 2
        set device "ssl.root"
        set dst 10.0.0.0 255.255.255.0
    next
end
5. Load the private key and certificate onto the box
This step involves creating the private key, generating a CSR and obtaining a certificate from a trusted CA.
The author recommends against using the FortiGate’s on-box feature to generate the private key and CSR,
because the resulting certificate cannot be renewed by re-importing a renewed certificate issued against the
same key.
The author generated the private key and CSR on a Linux box using OpenSSL and obtained the certificate
from CAcert.org. You can use any CA you trust, but your users’ browsers must trust it too: the CAcert.org
root is not shipped in mainstream browser trust stores, so users will see the same warning as in Figure 1
unless that root is installed on their machines. A certificate from a publicly trusted CA avoids this.
Whichever CA you use, keep the private key file readable only by you and delete any spare copies once it
has been imported.
Web-based Manager – System > Certificates > Local Certificates > Import
Figure 8 – Import certificate and private key
Select the certificate file and key file and click OK. In step 6 the certificate is referred to by its name in
the Local Certificates list; the author’s is “home”.
CLI – You need to set up a TFTP server to hold the certificate for import. Not demonstrated here.
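An added example, not part of the original article, of the off-box OpenSSL steps the author describes: it generates the RSA key and a SHA-256 CSR and, since the whole point of keeping the key off-box is renewal against the same key, checks that a certificate handed back by the CA actually belongs to that key before it is imported. The host name vpn.example.com, the subject fields and the self-signed stand-in certificates are placeholders introduced here, not values from the article.

```shell
#!/bin/sh
# Added example (not from the article): generate the SSL VPN key and CSR off-box
# with OpenSSL, then confirm that a certificate returned by the CA (initial or
# renewed) belongs to that key before importing it on the FortiGate.
# vpn.example.com and the subject fields are placeholders; substitute your own.
set -u

# make_key_and_csr DIR CN
# Writes DIR/sslvpn.key (2048-bit RSA, created with mode 0600 via umask) and
# DIR/sslvpn.csr (SHA-256 signed request for common name CN).
make_key_and_csr() {
    dir=$1; cn=$2
    umask 077   # the key must never be group/world readable; also applies to later files in this shell
    openssl genrsa -out "$dir/sslvpn.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$dir/sslvpn.key" -out "$dir/sslvpn.csr" \
        -subj "/C=HK/O=Example Ltd/CN=$cn" 2>/dev/null || return 1
    # The CSR is signed with the key it carries; -verify fails if that signature is bad.
    openssl req -in "$dir/sslvpn.csr" -noout -verify >/dev/null 2>&1
}

# cert_matches_key CERT KEY
# Succeeds only if the public key inside CERT is the one belonging to KEY
# (RSA modulus comparison). Run this on every certificate before importing it
# next to the key; a renewed certificate issued against a different CSR fails here.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# demo: end-to-end run. A self-signed certificate made from our own CSR stands in
# for the CA-issued one; a second self-signed certificate on a different key
# stands in for a certificate that must be rejected.
demo() {
    dir=$(mktemp -d) || return 1
    make_key_and_csr "$dir" vpn.example.com || return 1
    openssl x509 -req -days 365 -sha256 -in "$dir/sslvpn.csr" \
        -signkey "$dir/sslvpn.key" -out "$dir/sslvpn.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/other.key" -out "$dir/other.crt" \
        -subj "/C=HK/O=Example Ltd/CN=vpn.example.com" 2>/dev/null || return 1
    cert_matches_key "$dir/sslvpn.crt" "$dir/sslvpn.key" || { echo "own certificate rejected"; return 1; }
    if cert_matches_key "$dir/other.crt" "$dir/sslvpn.key"; then
        echo "certificate on a foreign key accepted"; return 1
    fi
    rm -rf "$dir"
    echo "key and CSR generated; certificate-to-key check behaves as expected"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Send only sslvpn.csr to the CA; sslvpn.key stays on the admin workstation and is imported together with the returned certificate. At renewal time, run cert_matches_key on the new certificate first; if it fails, the CA issued against a different request and re-importing it over the existing key will not work.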
6. Enable SSL VPN
This step enables the SSL VPN service on the box.
Web-based Manager – VPN > SSL > Config
Figure 9 – Enable SSL-VPN
Tick Enable SSL-VPN, select the tunnel IP address range by clicking Edit under IP Pools, select the
certificate loaded in the previous step, expand Advanced, enter the IP address of the internal interface (or
of your internal DNS server) as DNS Server #1 and click Apply.
CLI – with the internal interface IP address 192.168.127.254 and the certificate imported as “home”, for
example. The algorithm setting limits the portal to the strongest cipher suites the box offers; do not lower it.
config vpn ssl settings
    set sslvpn-enable enable
    set dns-server1 192.168.127.254
    set servercert "home"
    set algorithm high
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
7. Create firewall policies to allow SSL VPN and/or tunnel mode access
A number of firewall policies are required:
internal > wan1 (accept) – internal to wan1 access
ssl.root > internal (SSL-VPN) – SSL VPN access to internal resources
ssl.root > internal (accept) – tunnel mode access to internal resources
ssl.root > wan1 (accept) – tunnel mode access to wan1
wan1 > internal (SSL-VPN) – SSL VPN access to internal resources
wan1 > ssl.root (SSL-VPN) – wan1 access to the SSL VPN portal
wan1 > wan1 (SSL-VPN) – SSL VPN access to the Internet (e.g. an outside website)
Every policy below uses source “all”, destination “all” and service “ANY”. That is convenient for a
demonstration but is far more than remote users need. On a production box, set srcaddr on the ssl.root
policies to SSLVPN_TUNNEL_ADDR1, set dstaddr and service to the specific internal hosts and services remote
users require, and drop the ssl.root > wan1 and wan1 > wan1 policies unless you really want every VPN user
to reach the Internet through your office connection.
Web-based Manager – Firewall > Policy > Policy > Create New
Figure 10 – Final firewall policy layout
CLI – configuring all the firewall policies listed above (the identity-based-policy sub-blocks are what tie
each SSL-VPN policy to the user group from step 2):
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 4
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 6
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 7
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
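As an added example (not from the article), the least-privilege check described above can be automated. The shell function below reads a FortiOS policy dump in the same CLI syntax as the block above, for instance the output of show firewall policy, and lists every policy that matches any source, any destination and any service. The sample input is constructed here and modelled on the article’s policies; policy 8 in it is an invented, tightened policy that names an address object and a single service, included to show what does not get flagged.

```shell
#!/bin/sh
# Added example (not from the article): audit a FortiOS 4.0 "config firewall policy"
# dump for policies that match any source, any destination and any service.
# Input is FortiOS CLI text on stdin, e.g. the output of "show firewall policy".

# Constructed sample, modelled on the article's policy table. Policy 8 is an
# invented tightened variant that names an address object and a single service.
SAMPLE_POLICIES='config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 8
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Intranet_Web"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end'

# Prints "policy <id>: <srcintf>-><dstintf>" for each top-level policy whose
# srcaddr and dstaddr are "all" and whose effective service is "ANY".
# "depth" tracks config nesting so the edit/next pairs inside
# "config identity-based-policy" are not mistaken for new policies. A
# "set service" inside that sub-block still counts: for action ssl-vpn that is
# where the service actually lives.
find_any_any_policies() {
    awk '
        function unquote(s) { gsub(/"/, "", s); return s }
        /^[[:space:]]*config /              { depth++; next }
        /^[[:space:]]*end[[:space:]]*$/     { depth--; next }
        depth == 1 && /^[[:space:]]*edit /  { id = $2; si = di = src = dst = svc = ""; next }
        /^[[:space:]]*set srcintf /         { si  = unquote($3) }
        /^[[:space:]]*set dstintf /         { di  = unquote($3) }
        /^[[:space:]]*set srcaddr /         { src = unquote($3) }
        /^[[:space:]]*set dstaddr /         { dst = unquote($3) }
        /^[[:space:]]*set service /         { svc = unquote($3) }
        depth == 1 && /^[[:space:]]*next[[:space:]]*$/ {
            if (src == "all" && dst == "all" && svc == "ANY")
                print "policy " id ": " si "->" di
        }
    '
}

printf '%s\n' "$SAMPLE_POLICIES" | find_any_any_policies
```

Run against the article’s full policy table, every one of the seven policies is reported; against the sample above only policies 1 and 3 are, while policy 8 passes because it names a source pool, a destination object and one service. Pipe a saved show firewall policy dump into find_any_any_policies after each change to confirm nothing broader than intended has crept back in.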
8. Move the web-based manager off TCP port 443
The author uses TCP 8443 for the web-based manager, which frees TCP 443 for the SSL VPN portal. Changing
the port only avoids the clash; it is not a security control. Make sure HTTPS administrative access is not
enabled on wan1 (System > Network > Interface, Administrative Access), or the management interface is simply
exposed on 8443 instead, and restrict administrator accounts to trusted hosts.
Web-based Manager – System > Admin > Settings > Web Administration Ports
Figure 11 – Web-based manager administrator settings (modify HTTPS)
CLI – configure the web-based manager to use TCP 8443. Your current GUI session moves with it; reconnect at
https://<address>:8443.
config system global
    set admin-sport 8443
end
9. Set the SSL VPN portal to use TCP port 443
TCP 443 was freed in the previous step and can now be used for the SSL VPN portal.
Web-based Manager – System > Admin > Settings > Web Administration Ports
Figure 12 – Web-based manager administrator settings (modify SSLVPN Login Port)
CLI – configure the SSL VPN portal to use TCP 443
config system global
    set sslvpn-sport 443
end
Finally, test from outside: browse to https://<your public host name>/ from an external network, confirm
the browser shows the certificate imported in step 5 without a warning, log in as a user from step 1, and
check that https://<your public host name>:8443/ is not reachable from the Internet.
About the author
William Lee, CISA, has been in the information security industry for more than 12 years. The author can
be reached at [email protected].
Document Revision and Change History
Version: GR1.0 (this version). Comments: First General Release (GR) of this document. Created/Changed By:
William Lee, CISA.
[No other version]