Fortigate SSL VPN configuration on 5.2

First off, the best documentation can be found at docs.fortinet.com.

Fortigate has changed a lot in 5.2. One of the things that has changed heavily is how to set up the SSL VPN. Some of the areas that have changed:

– Portal creation

– Settings

– Firewall policies (for interfaces)

To enable the SSL VPN and create the policies it needs, we will use 10.99.255.0/24 as our VPN subnet and make sure our two local networks, 10.32.250.0/24 and 10.32.251.0/24, are sent to the client's routing table via split tunneling.

First, let’s create the address object for our SSL VPN clients.

[Image: ssl-5-2-address]

Portal Config

In the portal we can configure Split tunnel, IP Pools, bookmarks etc. 

You also have options to save the password and to allow more than one instance of that user to log in.

[Image: SSL-5-2-portal]

VPN Settings

Then we will start to configure settings for our VPN. Notice that it is much different than 5.0. We configure the port, the VPN client addresses and who can access the VPN from here; before, these were in many different places. Also notice that at the bottom are the users who can log into this device and which portal they will see. You can totally customize this so that domain admins get one portal and restricted users get another.

[Image: ssl-5-2-settings-2]

You will see that after you configure what is needed, a red line comes up that says “default users not configured”. If you only have one profile, then modify this. If you have multiple portals, add the most specific first, then make the standard catch-all this profile.

Firewall Policies

Next we need to create firewall policies to allow traffic to and from our VPN. This is also a big change from 5.0, where you would need to create a default WAN-LAN policy and have the service be SSL; here that is really done in the vpn-settings page.

So let’s allow VPN traffic to our LAN and make sure we are using the network address objects that are specified in the split tunnel policy under the portal. Adding the local subnets basically allows VPN clients to have access to those networks. You could use Any here; I chose to use my local subnets.

[Image: SSL-5-2-Policy-1]

Then create the opposite of that policy to allow traffic from the LAN to access the SSL VPN interface.

[Image: SSL-5-2-policy-2]

One more thing is needed – we need a route to that SSL VPN subnet.

[Image: SSL-5-2-Route]
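
An added example, not part of the original post: a Python check that the pieces configured above agree with each other (client pool, split-tunnel networks, policy destinations, static route). The subnets are the article's; the dictionary layout and the function name `audit` are assumptions made for this example, and it goes slightly beyond the walkthrough by flagging a policy destination wider than the split-tunnel list, such as Any.

```python
import ipaddress

# Subnets come from the article; the dictionary layout is an assumption for this example.
CONFIG = {
    "vpn_pool": "10.99.255.0/24",
    "split_tunnel": ["10.32.250.0/24", "10.32.251.0/24"],
    "policy_dst": ["10.32.250.0/24", "10.32.251.0/24"],  # VPN -> LAN policy destinations
    "static_routes": ["10.99.255.0/24"],                 # routes pointing at the SSL VPN interface
}

def audit(cfg):
    """Return a list of findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network
    pool = net(cfg["vpn_pool"])
    split = [net(s) for s in cfg["split_tunnel"]]
    dst = [net(d) for d in cfg["policy_dst"]]
    routes = [net(r) for r in cfg["static_routes"]]
    findings = []

    # The client pool must not collide with a network the clients are routed to.
    for s in split:
        if pool.overlaps(s):
            findings.append(f"pool {pool} overlaps split-tunnel network {s}")

    # A network pushed to clients but not permitted by policy is unreachable.
    for s in split:
        if not any(s.subnet_of(d) for d in dst):
            findings.append(f"split-tunnel network {s} has no matching policy destination")

    # Split-tunnel routes are only pushed to the client; the policy is what
    # enforces access, so a destination wider than those routes is flagged.
    for d in dst:
        if not any(d.subnet_of(s) for s in split):
            findings.append(f"policy destination {d} is broader than the split-tunnel routes")

    # Return traffic needs a route that covers the whole client pool.
    if not any(pool.subnet_of(r) for r in routes):
        findings.append(f"no static route covers VPN pool {pool}")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "addressing plan is consistent")
```
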

That should be pretty much it. There are some considerations that should always be taken into account. For one, always evaluate the security that you need. In this example I did not add any UTM or restrictions on who can access the VPN, or on which servers/addresses they can reach. Something else – notice that in the VPN-Settings page, if you are doing Forticlient registration, you need to make sure that option is checked so registration can be used on that interface. One of the other things to think about is the amount of time users stay logged into the VPN.

After enabling that, your VPN should work great!

Feel free to contact me if you have any problems.

15 responses to “Fortigate SSL VPN configuration on 5.2”

  1. Carlos October 7, 2014 at 10:26 pm

    I was able to configure following your instructions. Thanks a lot. Excellent Job!

  2. Geppo October 18, 2014 at 6:11 am

    My compliments to you for your excellent posts on Fortigate. I am a big fan of these devices and I frequently use their SSL VPN capabilities. Although I generally didn’t encounter any problems configuring the VPN SSL portal, there is still something I think I didn’t understand about the host name resolution in Web Portal mode (reverse proxy mode).
    While the name resolution of the host in the internal network works well in tunnel mode (adding the IP addresses of the internal DNS/WINS server in the appropriate fields), I didn’t find a simple way to get the name resolution working in Web Portal mode, that means I cannot use domain names adding a link to the portal but only IP addresses.
    Actually I found a solution adding the local domain name in the appropriate DNS field of the Fortigate, creating a DNS Database for the internal domain in the DNS Servers section on the Fortigate (Slave, Shadow, Authoritative), enabling recursion on the interface and enabling zone transfer on the Windows DNS server toward the Fortigate.
    Sincerely, I found this procedure quite tricky and I cannot think that a simpler solution does not exist, like in tunnel mode…
    Have you any hints about it?

    • cjcott01 October 18, 2014 at 9:26 pm

      Thanks! and a great comment.
      So when you use web portal mode, who responds to DNS queries? It’s the Fortigate – under the System – Network – DNS tab you can set your DNS servers and domain name for the device itself. This will make queries through the portal or explicit proxy work with internal names. Did that answer the question? If not, I can help find the answer.

      • Geppo October 19, 2014 at 8:28 am

        Thank you for your suggestion.
        It matches exactly my first implementation (setting the internal DNS server as the first DNS entry in System-Network-DNS) and it works, but sincerely I don’t like this choice too much.
        Considering the Fortigate as a security gateway I think it is preferable to use it as a dns proxy for the internal dns server, so in such configuration I cannot specify the internal DNS server as the system dns of the fortigate…..

  3. Mark H November 4, 2014 at 10:46 am

    Thanks for writing this up. Great article.

    I’ve got mine all up and running now except we also have a Site to Site IPSec VPN tunnel and I would like the SSL VPN users to be able to reach the other site. I’ve created additional policies at both ends to allow the SSL VPN subnet to reach the other site subnet and vice-versa but no joy so far. Do you have a config with a similar situation?

    • cjcott01 November 4, 2014 at 6:31 pm

      Hey Mark,
      I have done this many times.

      You will need a route for both ends, policies from the VPN interface to SSL.Root, and a split tunnel route for this network.

      I would be happy to help – my number is 502-592-7189. We can do a remote screen share and get it working.

      • Mark H November 5, 2014 at 10:55 am

        Thanks Justin, I have sent you a Skype request as I’m in the UK. Far end of the VPN tunnel is a Cisco ASA for which I used the ASA VPN wizard. Let me know a good time and I can try to get everything ready on screen.

      • Mark H November 6, 2014 at 11:04 am

        Hi,
        I’ve got this working now. It was getting the right combination of policies and adding in the extra Phase 2 / quick-mode selector settings to match the SSL VPN user range. Thanks for the offer of help.

  4. DJO April 13, 2015 at 11:09 pm

    So I can connect to the SSL portal, but it only loads the default portal even after I’ve created a custom portal.

  5. DJO April 13, 2015 at 11:10 pm

    Even after I’ve configured a specific user for a specific portal.

    • cjcott01 April 13, 2015 at 11:43 pm

      Sounds like it might not be specified under – vpn -ssl -settings, then matched to your user group. Make sure it’s above the default, all users portal.

      Please let me know if you have any more questions. I would be happy to do a screenshare session. My Skype is justin.cottrell7.

  6. EJ October 12, 2015 at 2:55 pm

    I have been cracking my head, and even after this I cannot ping internal network IP addresses when connected to SSL tunnel… Could I provide more info regarding my config? My static route has no gateway IP…which I find suspicious.

    • cjcott01 October 12, 2015 at 11:29 pm

      Hi EJ!
      So you have made sure that your networks have been pushed through firewall policy? Routes are good, and firewall policies are allowing traffic?

      My Skype is justin.cottrell7 and my phone is 502-592-7189. Feel free to call me.

      • Eu-Juan October 13, 2015 at 8:27 am

        Thanks so much, I have sent you an invite. I am going to set up a test unit and configure as far as possible, then contact you if that’s alright. Once I know what’s happening I’ll make further changes on the live unit, as I’m working on it remotely and if something goes down the client won’t be happy.

      • cjcott01 October 16, 2015 at 3:24 pm

        Great, let me know when you are ready.
