FortiGate SSLVPN Howto (GR 1.0) - Certified




FortiGate SSL VPN How To William Lee CISA

1

This article aims to show an easier way to set up SSL VPN on a FortiGate UTM appliance. The equipment used was a FortiGate 100A running FortiOS 4.0 MR2.

Prerequisites for the setup:

1. A working FortiGate box with FortiOS 4.0 MR2

2. Administrative credential to the box

3. A working internet connection with no restriction to inbound traffic on TCP port 443

4. Ability to generate a private key and a certificate signing request (CSR), and to obtain a certificate from a trusted CA

The author started with a box that had been factory reset. This can be done with execute factoryreset from the CLI:

SSLVPNDEMO # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) Y

Be reminded that doing this erases all configuration on the box. Afterwards, set the IP address of your administrative PC to 192.168.1.100/24 and point your favorite browser at https://192.168.1.99.

Figure 1 – Pointing the browser to a FortiGate box

Because the certificate is not trusted and its common name does not match the URL, your browser presents a warning. Use “Add Exception…” in Firefox or “Continue to this website (not recommended)” in Internet Explorer.


May 9, 2010


Next, you will see a login prompt. The look and feel of FortiOS 4.0 MR2 is completely different from previous versions.

Figure 2 – Login Prompt for FortiGate Web-based Manager

Figure 3 – Dashboard

Once you get here, configure all basic settings such as time zone, clock, interface IP addresses, dynamic DNS, etc.


Configuration Steps

The configuration involves the following high-level tasks:

1. Set up user account(s)
2. Set up user group(s) that allow SSL VPN access and include the intended users
3. Set up the tunnel mode IP address range
4. Add the tunnel mode IP address range to the static route table
5. Load the private key and certificate onto the box
6. Enable SSL VPN
7. Create firewall policies to allow SSL VPN and/or tunnel mode access
8. Move the web-based manager off TCP port 443
9. Set the SSL VPN portal to TCP port 443

Let’s start in a step-by-step manner.


1. Set up user account(s)

Web-based manager – User > User > New User

Figure 4 – Create User

Enter a user name and password for the user. Create as many users as you need.

CLI – user name “sslvpn01” and password “Password” (without quotes; the password is a placeholder to be replaced with a strong one), for example:

config user local
    edit "sslvpn01"
        set type password
        set passwd Password
    next
end


2. Set up user group(s) that allow SSL VPN access and include the intended users

Web-based manager – User > User Group > User Group

Figure 5 – Create User Group

Enter the name of the group, select Firewall as the type, check Allow SSL-VPN Access and select “full-access”, select the users created in the previous step, click the arrow to add them as members, and click OK.

CLI – user group “UserGroup_VPN_SSL” (without quotes), for example:

config user group
    edit "UserGroup_VPN_SSL"
        set sslvpn-portal "full-access"
        set member "sslvpn01"
    next
end


3. Set up the tunnel mode IP address range

You may leave this unchanged; the default range is 10.0.0.1 – 10.0.0.10.

Figure 6 – SSLVPN_TUNNEL_ADDR1 address range definition


4. Add the tunnel mode IP address range to the static route table

To make the tunnel mode IP address range routable on the FortiGate UTM appliance, add the IP range specified in the previous step to the static route table.

Web-based Manager – Router > Static > Static Route > Create New

Figure 7 – Define Static Route for Tunnel IP Range

Enter the IP range defined in the previous step as Destination IP/Mask, select ssl.root as Device and click OK.

CLI – 10.0.0.1/24 for example:

config router static
    edit 2
        set device "ssl.root"
        set dst 10.0.0.0 255.255.255.0
    next
end


5. Load the private key and certificate onto the box

This step involves creating the private key, generating a CSR and obtaining a certificate from a trusted CA. The author suggests not using the FortiGate's on-box feature to generate the private key and CSR, because the certificate then cannot be renewed (the renewed certificate cannot be re-imported against the same key).

The author generated the private key and CSR on a Linux box using OpenSSL and obtained the certificate from CACert.org. You can choose any CA you trust.

Web-based Manager – System > Certificates > Local Certificates > Import

Figure 8 – Import certificate and private key

Select the certificate file and the key file and click OK.

CLI – you need to set up a TFTP server to hold the certificate for import. Not demonstrated here.
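The OpenSSL side of this step, as an added example that is not part of the original howto: the script below generates the private key and CSR on the Linux box, then checks the certificate that comes back from the CA before it is imported together with the key. The checks are the ones that matter for the renewal problem the author describes (the certificate really belongs to the key you will upload), for the browser warning on page 1 (the subject CN is the portal name) and for the renewal date. The portal name vpn.example.com, the work directory and the stand-in CA are assumptions; the stand-in CA exists only so the script runs offline, in practice you submit sslvpn.csr to the CA of your choice and copy the issued certificate back.

```shell
#!/bin/sh
# Added example, not from the howto: prepare the SSL VPN server certificate on a
# Linux box with OpenSSL and verify the CA's answer before importing it.
# Assumptions: the portal name vpn.example.com, the work directory, and the
# stand-in CA (used here only so the script runs offline; in practice you submit
# sslvpn.csr to your chosen CA and copy back the issued certificate).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PORTAL_FQDN="${PORTAL_FQDN:-vpn.example.com}"

# Private key and CSR. The key stays on this box so the same key can be reused
# when the certificate is renewed (the reason the howto avoids the on-box CSR).
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/sslvpn.key" 2>/dev/null
    chmod 600 "$WORKDIR/sslvpn.key"
    openssl req -new -key "$WORKDIR/sslvpn.key" -subj "/CN=$PORTAL_FQDN" \
        -out "$WORKDIR/sslvpn.csr" 2>/dev/null
}

# Stand-in for the trusted CA: a throwaway CA that signs the CSR for 90 days.
issue_with_stand_in_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -subj "/CN=Stand-in Test CA" -days 90 -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/sslvpn.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -set_serial 4097 -days 90 \
        -out "$WORKDIR/sslvpn.crt" 2>/dev/null
}

# Returns 0 when the public key inside the certificate equals the one derived
# from the private key, i.e. the pair can be imported (or re-imported) together.
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 when the subject CN is the name users will type into the browser,
# so the name-mismatch warning seen on page 1 does not reappear on the portal.
cert_cn_is() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2\$"
}

# Returns 0 when the certificate expires within N days (renewal reminder).
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint, to compare with what the browser shows after import.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

main() {
    make_key_and_csr
    issue_with_stand_in_ca
    cert_matches_key "$WORKDIR/sslvpn.key" "$WORKDIR/sslvpn.crt" \
        || { echo "certificate does not belong to sslvpn.key; do not import" >&2; return 1; }
    cert_cn_is "$WORKDIR/sslvpn.crt" "$PORTAL_FQDN" \
        || { echo "certificate CN is not $PORTAL_FQDN" >&2; return 1; }
    if cert_expires_within_days "$WORKDIR/sslvpn.crt" 30; then
        echo "warning: certificate expires within 30 days" >&2
    fi
    echo "import $WORKDIR/sslvpn.crt together with $WORKDIR/sslvpn.key"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$WORKDIR/sslvpn.crt")"
}
main
```

At renewal time the same sslvpn.key and sslvpn.csr are submitted again and only cert_matches_key and cert_cn_is need re-running on the new certificate before it is re-imported under the same name.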


6. Enable SSL VPN

This step enables the SSL VPN service on the box.

Web-based Manager – VPN > SSL > Config

Figure 9 – Enable SSL-VPN

Check Enable SSL-VPN, select the tunnel IP address range by clicking Edit under IP Pools, select the certificate loaded in the previous step, expand Advanced, enter the IP address of the internal interface as DNS Server #1 and click Apply.

CLI – with the internal interface IP address 192.168.127.254 as an example (“home” is the name under which the certificate was imported in the previous step):

config vpn ssl settings
    set sslvpn-enable enable
    set dns-server1 192.168.127.254
    set servercert "home"
    set algorithm high
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end


7. Create firewall policies to allow SSL VPN and/or tunnel mode access

A number of firewall policies need to be implemented:

internal > wan1 (accept): internal to wan1 access
ssl.root > internal (SSL-VPN): SSL VPN access to internal resources
ssl.root > internal (accept): tunnel mode access to internal resources
ssl.root > wan1 (accept): tunnel mode access to wan1
wan1 > internal (SSL-VPN): SSL VPN access to internal resources
wan1 > ssl.root (SSL-VPN): wan1 access to the SSL VPN portal
wan1 > wan1 (SSL-VPN): SSL VPN access to the internet (e.g. an outside website)

Web-based Manager – Firewall > Policy > Policy > Create New

Figure 10 – Final firewall policy layout

CLI – configuring all the firewall policies stated above:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 4
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 6
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set sslvpn-cipher high
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 7
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
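A review check for this policy set, as an added example that is not part of the original howto: the POSIX shell script below uses awk to parse a config firewall policy block written in the CLI syntax shown above and reports two conditions worth catching before the configuration is committed: an ssl-vpn policy whose identity-based-policy carries no set groups line (every SSL-VPN policy in the howto names UserGroup_VPN_SSL, and one without a group never matches an authenticated user), and a plain accept policy from wan1 straight into internal, which would bypass the SSL VPN portal entirely. The two audit rules and the broken policies 8 and 9 in the second sample are constructed for the demonstration; the first sample is policies 2 and 4 from the howto.

```shell
#!/bin/sh
# Added example, not from the howto: audit a "config firewall policy" block
# before committing it. Interface names follow the howto (wan1, internal,
# ssl.root); the two audit rules are this script's own, not FortiOS checks.
set -eu

# Policies 2 and 4 from the howto (clean).
HOWTO_POLICIES='config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "ssl.root"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "UserGroup_VPN_SSL"
                set service "ANY"
            next
        end
    next
    edit 4
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end'

# Constructed broken sample: policy 8 has no user group, policy 9 lets wan1
# into internal without going through the portal.
BROKEN_POLICIES='config firewall policy
    edit 8
        set srcintf "wan1"
        set dstintf "ssl.root"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set schedule "always"
                set service "ANY"
            next
        end
    next
    edit 9
        set srcintf "wan1"
        set dstintf "internal"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end'

# Prints one line per finding ("<policy id> <verdict>") and exits 1 when
# anything was found, 0 when the policy set is clean.
audit_policies() {
    printf '%s\n' "$1" | awk '
        function val(s) { gsub(/"/, "", s); return s }
        /^[ \t]*config firewall policy/ { inpol = 1; depth = 0; next }
        inpol == 0 { next }
        /^[ \t]*config / { depth++; next }
        /^[ \t]*end/ { if (depth == 0) inpol = 0; else depth--; next }
        /^[ \t]*edit / {
            if (depth == 0) { id = $2; src = ""; dst = ""; action = ""; groups = "" }
            next
        }
        /^[ \t]*set srcintf/ { src = val($3) }
        /^[ \t]*set dstintf/ { dst = val($3) }
        /^[ \t]*set action/  { action = val($3) }
        /^[ \t]*set groups/  { groups = val($3) }
        /^[ \t]*next/ {
            if (depth != 0) next
            if (action == "ssl-vpn" && groups == "") {
                print id " ssl-vpn policy without user group"; bad++
            }
            if (action == "accept" && src == "wan1" && dst == "internal") {
                print id " unauthenticated accept from wan1 to internal"; bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

main() {
    echo "howto policy set:"
    audit_policies "$HOWTO_POLICIES" && echo "  no findings"
    echo "constructed broken policy set:"
    audit_policies "$BROKEN_POLICIES" || echo "  fix the findings above before committing"
}
main
```

To run it against a live box, paste the output of show firewall policy into the string in place of the samples; the identity-based-policy sub-table is tracked by nesting depth, so policies with or without it are handled alike.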


8. Move the web-based manager off TCP port 443

The author uses TCP 8443 for the web-based manager, which frees TCP 443 for the SSL VPN portal. After applying this change, reconnect to the web-based manager on port 8443.

Web-based Manager – System > Admin > Settings > Web Administration Ports

Figure 11 – Web-based manager administrator settings (modify HTTPS)

CLI – configure the web-based manager to use TCP 8443:

config system global
    set admin-sport 8443
end


9. Set the SSL VPN portal to TCP port 443

TCP 443 was freed in the previous step; you can now use it for the SSL VPN portal.

Web-based Manager – System > Admin > Settings > Web Administration Ports

Figure 12 – Web-based manager administrator settings (modify SSLVPN Login Port)

CLI – configure the SSL VPN portal to use TCP 443:

config system global
    set sslvpn-sport 443
end


About the author

William Lee, CISA, has been in the information security industry for more than 12 years. The author can be reached at [email protected].

Document Revision and Change History

Version: GR1.0 – This Version
Comments: First General Release (GR) of this document
Created/Changed By: William Lee CISA

[No Other Version]