Chapter 4- VPN

4-2 SSL VPN

Learning Objectives

  • Configure a tunnel-based SSL VPN
  • Configure a web-based SSL VPN (Web Portal)

 

Scenario: In this lab we set up an SSL VPN from Windows to the FortiGate firewall. First, we install FortiClient on Windows, and then we configure the firewall for FortiClient. There are two types of SSL VPN: web-based mode and tunnel mode. Web-based mode doesn’t need any agent, and you should be able to reach WordPress and the SSH server from Windows. Tunnel mode works through FortiClient. The goal of this scenario is to have connectivity from Windows to WordPress and the SSH server.
SSL VPN main scenario
Figure 4-38: main scenario
Table 4-3: Devices configuration

| Device | IP address | Access |
|---|---|---|
| FortiGate | Port3: 192.168.1.1/24 – DHCP (192.168.1.20-192.168.1.30); Port2: DHCP Client | ICMP-HTTP-HTTPS |
| WebTerm(FMC) | 192.168.1.2/24 | |
| KALI Linux (SSH Server) | 192.168.1.3/24 | |
| WordPress | 192.168.1.4/24 | |
| KALI-outside | DHCP Client | |
| Windows | DHCP Client | |

Configure the interfaces of the firewall. Port2 and Port3 should be configured in the terminal to access the firewall.

Step 1 – Port 3 Configuration:

Port3 settings
Figure 4-39: Port3 settings

Step 2- Port 2 Configuration:

Port2 settings
Figure 4-40: Port2 settings

Step 3- Configure DHCP Server on port3

Figure 4-41: Enable DHCP Server on port3

Step 4- Configure user and user group

Go to User & Authentication > User Definition to create a local user, sslvpnuser1.

Step1- Create a Local User
Figure 4-42: Step1- Create a Local User
Configure Login Credentials
Figure 4-43: Step2- Configure Login Credentials

Go to User & Authentication > User Groups to create a group, sslvpngroup, with the member sslvpnuser1.

Create a group
Figure 4-44: Create a group

Step 5- Configure SSL VPN web portal and Tunnel mode

Go to VPN > SSL-VPN Portals and set:

  • Split-Tunneling: Disabled
  • Source IP Pools: SSLVPN_TUNNEL_ADDR1
SSL-VPN Portal
Figure 4-45: SSL-VPN Portal

Go to VPN > SSL-VPN Portals and, in the bookmark section, add a bookmark for the KALI SSH server (IP address of Kali) and one for WordPress (IP address of WordPress).

Create a SSH bookmark
Figure 4-46: Create a SSH bookmark
Create a HTTP/HTTPS bookmark
Figure 4-47: Create a HTTP/HTTPS bookmark
Bookmark settings
Figure 4-48: Bookmark settings

Step 6- Configure SSL VPN settings

Go to VPN > SSL-VPN Settings:

  • For Listen on Interface(s), select Port2.
  • Set Listen on Port to 8080.
  • Server Certificate: Fortinet
  • In Restrict Access, select “Allow access from any host”.
  • Address range: Automatically assign address.
  • In Authentication/Portal Mapping All Other Users/Groups, set the Portal to MyPortal
  • Create new Authentication/Portal Mapping for group sslvpngroup mapping portal MyPortal.
Enable SSL-VPN Settings
Figure 4-49: Enable SSL-VPN Settings
Assign sslvpngroup to MyPortal
Figure 4-50: Assign sslvpngroup to MyPortal
Authentication/Portal Mapping
Figure 4-51: Authentication/Portal Mapping

Step 7- Configure SSL VPN firewall policy

  1. Go to Policy & Objects > Firewall Policy.
  2. Fill in the firewall policy name. In this example, SSLVPN full tunnel access.
  3. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
  4. Choose an Outgoing Interface. In this example, port3.
  5. Set the Source to all and group to sslvpngroup.
  6. Set the Destination to all.
  7. Set Schedule to always, Service to ALL, and Action to Accept.
Configure SSL VPN firewall policy
Figure 4-52: Create a Firewall Policy for SSLVPN
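
Steps 6 and 7 pick settings that suit a closed lab: access from any host, the built-in certificate, and a policy to all destinations and services. As an added example (not part of the original chapter or of Fortinet's tooling), this Python sketch parses a constructed FortiOS-style configuration and lists those choices so they can be tightened before the setup is reused; the sample text and the certificate name `Fortinet_Factory` are assumptions.

```python
import shlex

# Constructed sample of the Step 6/7 choices; the certificate name is an assumption.
LAB = '''config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-address "all"
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstaddr "all"
        set service "ALL"
    next
end'''

def parse(text):
    """Map (top-level section, entry id) to {key: [values]}; nested tables are skipped."""
    out, stack, entry = {}, [], None
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word == "config":
            stack.append(rest.strip())
        elif word == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested table, or outside any section
        elif word == "edit":
            entry = rest.strip('" ')
        elif word == "next":
            entry = None
        elif word == "set":
            key, _, val = rest.strip().partition(" ")
            out.setdefault((stack[0], entry), {})[key] = shlex.split(val)
    return out

def audit(text):
    cfg, found = parse(text), []
    ssl = cfg.get(("vpn ssl settings", None), {})
    if "all" in ssl.get("source-address", []):
        found.append("settings: login page open to any source address")
    if any(c.startswith("Fortinet_") for c in ssl.get("servercert", [])):
        found.append("settings: built-in certificate, users click through a warning")
    for (section, pid), p in cfg.items():
        if section == "firewall policy" and "ssl.root" in p.get("srcintf", []):
            for key, wide in (("dstaddr", "all"), ("service", "ALL")):
                if wide in p.get(key, []):
                    found.append(f"policy {pid}: {key} is {wide}")
    return found

print("\n".join(audit(LAB)))
```

A variant that names the two servers in `dstaddr`, limits `service` to SSH and HTTP, restricts `source-address`, and uses a certificate issued for the firewall's name returns an empty list.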

Step 8 – Verify Configuration

Now connect to KALI-outside, open the browser, and go to https://<IP address of firewall Port2>:8080
Enter the username and password you have created in Step2. Then try to connect to the KALI SSH Server and WordPress through the browser.

SSL VPN Portal
Figure 4-53: SSL VPN Portal
SSL VPN Portal
Figure 4-54: SSL VPN Portal
Verify WordPress
Figure 4-55: Verify WordPress
Verify SSH
Figure 4-56: Verify SSH

Step 9 – Download FortiClient

Now go to Windows and install FortiClient. Try to use FortiClient to connect through SSLVPN.

Download FortiClient
Figure 4-57: Step1- Download FortiClient
FortiClient Installation
Figure 4-58: Step2- FortiClient Installation
FortiClient Installation
Figure 4-59: Step3- FortiClient Installation

Step 10- Configure FortiClient

Configure FortiClient
Figure 4-60: Step 4- Configure FortiClient
Configure SSLVPN
Figure 4-61: Step 5- Configure SSLVPN

Step 11- Verify configuration

Enter the Username and Password you have set for SSLVPN.

SSLVPN Credentials
Figure 4-62: Step 6- SSLVPN Credentials

Accept the Certificate Issuer to have a secure connection

Figure 4-63: Click on Yes in Security Alert
Verify SSL VPN Connection
Figure 4-64: Verify SSL VPN Connection

Verify your connectivity by entering the IP address of WordPress.

Figure 4-65: Verify WordPress

Verify your connectivity by entering the IP address of SSH Server

Figure 4-66: Verify SSH
Verify SSH connection
Figure 4-67: Verify SSH connection

 
