SSL VPN for FortiOS 5.4.1

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 18. The following examples are included:

- Secure Internet browsing
- Split Tunnel
- Multiple user groups with different access permissions

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user connects to the corporate FortiGate unit to surf the Internet. Using SSL VPN and the FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

1. Go to VPN > SSL-VPN Portals and select tunnel-access. For Source IP Pools, select SSLVPNTUNNELADDR1.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

1. Go to User & Device > User Definition and select Create New to add the user:
   - User Name: twhite
   - Password: password
3. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
   - Name: SSL VPN
   - Type: Firewall
5. Move twhite to the Members list.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

Go to Network > Static Routes and select Create New to add the static route:
   - Destination IP/Mask: /
   - Device: ssl.root

The Destination IP/Mask matches the network address of the remote SSL VPN user.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Add an SSL VPN security policy as below, and click OK:
   - Incoming Interface: ssl.root
   - Source Address: all
   - Source User(s): SSL VPN
   - Outgoing Interface: wan1
3. Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet:
   - Incoming Interface: ssl.root
   - Source Address: all
   - Source User(s): SSL VPN
   - Outgoing Interface: wan1
   - Destination Address: all
   - Schedule: always
   - Service: ALL
   - Action: ACCEPT

Configuring authentication rules

1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the remote user:
   - Users/Groups: Tunnel
   - Portal: tunnel-access
3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application, access the VPN using the address and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units. The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user's PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the user's indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

1. Go to Policy & Objects > Addresses, select Create New and add the head office server address:
   - Category: Address
   - Name: Head office server
   - Type: Subnet
   - Subnet / IP Range:
   - Interface: Internal

Creating an SSL VPN IP pool and SSL VPN web portal

1. Go to VPN > SSL-VPN Portals and select tunnel-access.
2. Enter the following:
   - Name: Connect to head office server
   - Enable Tunnel Mode: Enable
   - Enable Split Tunneling: Enable
   - Routing Address: Internal
   - Source IP Pools: SSLVPNTUNNELADDR1

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

1. Go to User & Device > User Definition, select Create New and add the user:
   - User Name: twhite
   - Password: password
2. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
   - Name: Tunnel
   - Type: Firewall
4. Move twhite to the Members list.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

1. Go to Network > Static Routes and select Create New:
   - Destination IP/Mask: /
   - Device: ssl.root

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Complete the following:
   - Incoming Interface: ssl.root
   - Source Address: all
   - Source User(s): Tunnel
   - Outgoing Interface: internal
   - Destination Address: Head office server
3. Add a security policy that allows remote SSL VPN users to connect to the Internet. Select Create New, complete the following and select OK:
   - Incoming Interface: ssl.root
   - Source Address: all
   - Source User(s): Tunnel
   - Outgoing Interface: wan1
   - Destination Address: all
   - Schedule: always
   - Service: ALL
   - Action: ACCEPT

Configuring authentication rules

1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the remote user:
   - Users/Groups: Tunnel
   - Portal: tunnel-access
3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit.

In this example configuration, there are two users:

- User1 can access the servers on Subnet1.
- User2 can access the workstation PCs on Subnet2.

You could easily add more users to either user group to provide them access to the user group's assigned web portal.

General configuration steps

1. Create firewall addresses for:
   - The destination networks.
   - Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
2. Create two web portals.
3. Create two user accounts, User1 and User2.
4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
5. Create security policies:
   - Two SSL VPN security policies, one to each destination.
   - Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet1 or Subnet2.

To define destination addresses - web-based manager:

1. Go to Policy & Objects > Addresses.
2. Select Create New, enter the following information, and select OK:
   - Name: Subnet1
   - Type: Subnet
   - Subnet/IP Range: /24
   - Interface: port2
3. Select Create New, enter the following information, and select OK:
   - Name: Subnet2
   - Type: Subnet
   - Subnet/IP Range: /24
   - Interface: port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses - web-based manager:

1. Go to Policy & Objects > Addresses.
2. Select Create New, enter the following information, and select OK:
   - Name: Tunnelgroup1
   - Type: IP Range
   - Subnet/IP Range:
   - Interface: Any
3. Select Create New, enter the following information, and select OK:
   - Name: Tunnelgroup2
   - Type: IP Range
   - Subnet/IP Range:
   - Interface: Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:

1. Go to VPN > SSL-VPN Portals and select Create New.
2. Enter portal1 in the Name field.
3. In Source IP Pools, select Tunnelgroup1.

To create the portal2 web portal:

1. Go to VPN > SSL-VPN Portals and select Create New.
2. Enter portal2 in the Name field and select OK.
3. In IP Pools, select Tunnelgroup2.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the web portals that you need, create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups - web-based manager:

1. Go to User & Device > User Groups.
2. Select Create New and enter the following information:
   - Name: Group1
   - Type: Firewall
3. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
5. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 59.

Two types of security policy are required:

- An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
- A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies - web-based manager:

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information and click OK:
   - Incoming Interface: ssl.root (sslvpn tunnel interface)
   - Source Address: All
   - Source User(s): Group1
   - Outgoing Interface: port2
   - Destination Address: Subnet1
   - Service: All
3. Select Create New.
4. Enter the following information:
   - Incoming Interface: ssl.root (sslvpn tunnel interface)
   - Source Address: All
   - Source User(s): Group2
   - Outgoing Interface: port3
   - Destination Address: Subnet2
   - Service: All

Configuring authentication rules

1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
2. Add an authentication rule for the first remote group:
   - Users/Groups: Group1
   - Portal: Portal1
3. Select OK and Apply.
4. Select Create New and add an authentication rule for the second remote group:
   - Users/Groups: Group2
   - Portal: Portal2
5. Select OK and Apply.

To create the tunnel-mode security policies - web-based manager:

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK:
   - Incoming Interface: ssl.root (sslvpn tunnel interface)
   - Source Address: Tunnelgroup1
   - Source User(s): Group1
   - Outgoing Interface: port2
   - Destination Address: Subnet1
   - Service: All
   - Action: ACCEPT
   - Enable NAT: Enable
3. Select Create New.
4. Enter the following information, and select OK:
   - Incoming Interface: ssl.root (sslvpn tunnel interface)
   - Source Address: Tunnelgroup2
   - Source User(s): Group2
   - Outgoing Interface: port3
   - Destination Address: Subnet2
   - Service: All
   - Action: ACCEPT
   - Enable NAT: Enable

Create the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients - web-based manager:

1. Go to Network > Static Routes and select Create New.
2. Enter the following information and select OK:
   - Destination IP/Mask: /24. This IP address range covers both ranges that you assigned to SSL VPN tunnel-mode users. See Creating the tunnel client range addresses on page 59.
   - Device: Select the SSL VPN virtual interface, ssl.root for example.

In this example, the IP Pools field on the VPN > SSL-VPN Settings page is not used because each web portal specifies its own tunnel IP address range.
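The tunnel client ranges (Creating the tunnel client range addresses) and the static route above have to agree: Tunnelgroup1 and Tunnelgroup2 may not overlap each other or the protected subnets, and the single route to ssl.root must cover both ranges. The following Python script is an added pre-flight check for that plan, not part of the Fortinet guide; the addresses in PLAN are constructed sample values, since the guide leaves them blank.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; the guide does not give the real addresses.
PLAN = {
    # Type: IP Range objects used as Source IP Pools for portal1/portal2
    "pools": {
        "Tunnelgroup1": ("10.10.5.1", "10.10.5.100"),
        "Tunnelgroup2": ("10.10.5.101", "10.10.5.200"),
    },
    # Type: Subnet objects behind port2 (servers) and port3 (workstations)
    "destinations": {
        "Subnet1": "192.168.1.0/24",
        "Subnet2": "192.168.2.0/24",
    },
    # Destination IP/Mask of the static route whose Device is ssl.root
    "static_route": "10.10.5.0/24",
}


def range_networks(start, end):
    """Expand an IP Range object into the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    pools = {n: range_networks(*r) for n, r in plan["pools"].items()}
    dests = {n: ipaddress.ip_network(c) for n, c in plan["destinations"].items()}
    route = ipaddress.ip_network(plan["static_route"])

    # Tunnel ranges must not overlap each other ...
    for (a, na), (b, nb) in combinations(pools.items(), 2):
        if any(x.overlaps(y) for x in na for y in nb):
            problems.append(f"{a} overlaps {b}")
    # ... or any protected subnet.
    for pname, nets in pools.items():
        for dname, dnet in dests.items():
            if any(n.overlaps(dnet) for n in nets):
                problems.append(f"{pname} overlaps destination {dname}")
    # The route to ssl.root must cover every tunnel range, otherwise reply
    # packets for those clients are not sent back into the tunnel.
    for pname, nets in pools.items():
        if not all(n.subnet_of(route) for n in nets):
            problems.append(f"static route {route} does not cover {pname}")
    # Extra check: the route must not also pull a protected subnet into the tunnel.
    for dname, dnet in dests.items():
        if dnet.overlaps(route):
            problems.append(f"static route {route} overlaps destination {dname}")
    return problems


if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)) or "plan OK")
```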
Troubleshooting

This section contains tips to help you with some common challenges of SSL VPNs.

Enter the following to display debug messages for SSL VPN:

    diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

Enter the following command to verify the debug configuration:

    diagnose debug info

Output:

    debug output: disable
    console timestamp: disable
    console no user log message: disable
    sslvpn debug level: -1 (0xffffffff)
    CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems. Enter the following to enable displaying debug messages:

    diagnose debug enable

To view the debug messages, log into the SSL VPN portal.
Copyright 2017 Fortinet, Inc. All rights reserved.