Choosing an SSL VPN mode depends on the type of traffic sent through the VPN or the type of application a remote user is trying to access.
Tunnel mode
This mode requires FortiClient and requires the user to set up a virtual network adapter on the client machine.
Once the tunnel is established, a virtual IP address is assigned to the VPN client and the traffic is encrypted using SSL/TLS.
FortiGate can be configured as a client, to establish a VPN between two FortiGate devices.
Web mode
This mode uses a standard web browser and supports FTP, HTTP, HTTPS, RDP, SMB/CIFS, SSH, Telnet, VNC and Ping.
The remote user connects to the FortiGate SSL VPN Portal to view a list of applications that are bookmarked on the web page.
To select an SSL VPN mode, go to: VPN > SSL VPN Portals.
Remote users are able to connect to the SSL VPN gateway (FortiGate) using the SSL VPN client.
This provides an option to allow users to authenticate to FortiGate.
The virtual adapter on the client machine creates an encrypted tunnel to FortiGate.
Once the tunnel is established, users are able to securely access resources over the SSL/TLS tunnel.
FortiGate as a Client
This enables one FortiGate to operate as a VPN client, using an SSL VPN Tunnel interface.
Establishes a connection between two FortiGate devices, using a hub-and-spoke topology.
When the Client FortiGate establishes a connection, remote routes are added to the routing table.
Supports split-tunneling to route specific traffic through the VPN tunnel and other traffic types directly to the internet.
Set up user accounts and groups for the SSL VPN
Go to User & Authentication
Configure the SSL VPN portal
Go to VPN > SSL-VPN Portals
Set the tunnel mode, enable web mode and set the bookmarks.
Configure the SSL VPN settings
Go to VPN > SSL-VPN Settings
Set the listen interface and port number (do not use port 443), and use either the default certificate or generate a new one.
Define a new IP address range for VPN clients or use the default range.
Create the firewall policy to and from the SSL VPN interface
Go to Policy & Objects.
Incoming interface: SSL VPN Interface (ssl.root)
Outgoing interface: set the egress interface
Source: the source of traffic (users and groups) for the VPN tunnel
Destination: the destination network
Action: Accept
Create a Firewall Policy to permit SSL VPN traffic to the internet
Create user accounts and groups
Go to User & Authentication
Create two user accounts: local/remote & PKI
Require clients to authenticate using their digital certificate plus username and password.
Go to User & Authentication > User Definition
Go to User & Authentication > PKI
Configure the SSL VPN Portal
Go to VPN > SSL-VPN Portals
Configure SSL VPN settings
Go to VPN > SSL-VPN Settings
Use the CLI:
    config user peer
        edit "pki"
            set ca "CA_Cert_1"
            set cn "FGVM01TN905"
        next
    end
Create a firewall policy to and from the SSL VPN interface
Create a firewall policy to allow SSL VPN traffic to the interface
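A consolidated CLI version of the PKI procedure above (peer, group, portal, settings and policy), added here as an example and not taken from these notes or from Fortinet documentation; the interface names, CA and CN values, address pool name and password are assumptions.

```fortios
# Assumed names (not from the notes): CA_Cert_1, FGVM01TN905, port1, port2,
# SSLVPN_TUNNEL_ADDR1; <password> is a placeholder.
# Peer: cert must chain to the CA and match the CN, plus a password (two-factor).
config user peer
    edit "pki"
        set ca "CA_Cert_1"
        set cn "FGVM01TN905"
        set two-factor enable
        set passwd <password>
    next
end
config user group
    edit "sslvpn_grp"
        set member "pki"
    next
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
# Settings: port other than 443, client cert required, 5-minute idle timeout.
config vpn ssl settings
    set reqclientcert enable
    set source-interface "port1"
    set port 10443
    set idle-timeout 300
    config authentication-rule
        edit 1
            set groups "sslvpn_grp"
            set portal "full-access"
        next
    end
end
# Policy from ssl.root to the LAN; the group limits who can match it.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn_grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, "diagnose vpn ssl list" should show the connecting user bound to the "full-access" portal.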
Create a PKI user account
Go to VPN > SSL-VPN Clients > Create New
Interface: Virtual SSL interface
Server: address of FortiGate as a server
Port: destination port number
Set a username and Pre-Shared Key (PSK)
Peer: pki
Create SSL VPN tunnel interface using ssl.vdom interface
Create and configure the SSL VPN Client settings, go to VPN > SSL-VPN Clients
Create a firewall policy from internal interface to the SSL VPN interface.
To monitor connections, go to Dashboard > Network > SSL VPN
View logs, go to Log & Report > System Events
If a user is disconnected, check the idle timeout, go to VPN > SSL-VPN Settings
diagnose debug enable – Run this command before executing the others in the list.
diagnose vpn ssl list – shows current connections
diagnose vpn ssl info – shows general VPN information
diagnose vpn ssl statistics – shows statistics on firewall memory usage and connections
diagnose vpn ssl debug-filter – sets the debug message filter for SSL VPN