Enable SSL VPN on FortiGate and Connect It With FortiClient (Free Lab) - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Sunday, April 28, 2024

Enable SSL VPN on FortiGate and Connect It With FortiClient (Free Lab)

A secure sockets layer VPN (SSL VPN) enables individual users to access an organization's network, client-server applications, and internal network utilities and directories without the need for specialized software. SSL VPNs provide safe, secure communication via an encrypted connection for all types of devices, regardless of whether access to the network is via the public internet or another secure network. 



SSL VPN Types

There are two major types of SSL VPNs:

SSL Portal VPN

In this type of SSL VPN, a user visits a website and enters credentials to initiate a secure connection. The SSL portal VPN allows for a single SSL connection to a website. Additionally, the user can access a variety of specific applications or private network services as defined by the organization.

Users can typically enter the gateway, or the hardware on a network that allows data to flow from one network to another, using any modern web browser, by entering the username and password provided by the VPN gateway service.

SSL Tunnel VPN

An SSL tunnel VPN allows a web browser to securely access multiple network services that are not just web-based via a tunnel that is under SSL. These services could be proprietary networks or software built for corporate use only that cannot be accessed directly via the internet. This VPN tunneling technology may require a browser with additional applications, such as JavaScript or Flash, installed to display active content.

In this post, we are using FortiGate VM in Azure to configure a SSL Tunnel VPN and using FortiClient to connect to it in our Test Drive environment.  

Diagram






For FortiGate Test Drive:


Go to https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet-fortigate?ocid=FortiGate_202105_landingpage_en-us  or https://www.fortigate-azure.com/. Choose a Test Drive, sign in and agree to the terms of use.

Related Posts:


Enable SSL-VPN Feature


Log into FortiGate
Go to System -> Feature Visibility -> Core Features
Enable SSL-VPN

Now, you should be able to SSL-VPN Section under VPN menu.


SSL-VPN Settings

 

1 VPN -> SSL-VPN Settings

Most settings are default. But you will need to add interface on the listen list. Ideally, change Listen on Port to a different port from 443. In this example, I am using 4443. 


note: Default tunnel user range is only 10 ip addresses. If you have more than 10, you might want to increase it by customizing a larger range there.

2 Autentication/Portal mapping

Change All Other Users/Groups to have tunnel-access to Portal.

You can have an admin group / users to have full-access to Portal. 

3 SSL VPN Client Address Range

By default, it is automatically assigned by FortiGate.

In the above screenshot, it uses automatically assign range: 10.212.134.200 -10.212.134.210

The range can be customized for larger numbers based on your usage. 


Use Fortinet_Factory Server Certificate

 To make lab as simple as we can, we are gonna use Fortinet_Factory cert.


It is possible to directly create your own certificate using Let's Encrypt. 

You might get this cert warning message when you access the portal by using default cert since it wont be able verified:




Policies and Users

 

1 SSL VPN > LAN

This firewall rule is to allow SSL VPN network to access LAN (Internal) networks.

You will need to choose incoming interface, outgoing interface, source (including users), destination, and services. Others, you can keep it as default. 


You can use NAT with outgoing interface address, which is your FortiGate LAN interface IP, or you can completely disable NAT. 

Logging is also can be enabled for all sessions. 



Here is how the SSL VPN Firewall Policy rule looks like:


2 Remote Users and Group

Create a Remote Users group. Add a couple of remote users into this group. 


3 Check Forwarded Log since we enabled all sessions logging




FortiClient Configuration and Connect to Remote

 
1 Send SSL-VPN Configuration



2 Download FortiClient

https://www.fortinet.com/support/product-downloads

3 Install FortiClient

Double click the downloaded installation file "FortiClientVPNOnlineInstaller.exe" and follow installation wizard to complete installation.

4 Configure FortiClient to connect to remote FortiGate SSLVPN Gateway 
Make sure put right public ip address and SSLVPN Port. 


Remote Access VPN (IPSec)

 
This is remote IPSec VPN configuraiton.





Enable SSL VPN Web Portal

 

SSL VPN web mode gets the error as below when configured with SAML authentication.

 

Picture1.png

 

  1. Make sure web-mode is enabled in the SSL VPN portal:

 

config vpn ssl web portal

    edit "full-access"

        set web-mode enable

 

Warning: Please note that the legacy SSL VPN web mode feature is disabled by the global sslvpn-web-mode setting.

 

Picture2.png

 

  1. As the warning displayed, web mode is disabled globally so can not enable it in the full-access portal directly.

     

    Enable the web-mode globally first:

    config sys global

        set sslvpn-web-mode enable

    end

     

Now the web mode of SSL VPN should work as expected after enabling web-mode for specific portals. To enable the web mode for specific portals run the command as shown in step 1. 

 

If the issue persists, contact the TAC team.



Note:https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-web-mode-showing-403-Forbidden-error/ta-p/297377


FortiGate # show vpn ssl web portal 
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
    edit "web-access"
        set web-mode enable
    next
    edit "tunnel-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

FortiGate # 


Quick test VPN tunnel by pinging to remote Ubuntu vm 10.0.3.4:
C:\Users\WDAGUtilityAccount>ping 10.0.3.4

Pinging 10.0.3.4 with 32 bytes of data:
Reply from 10.0.3.4: bytes=32 time=39ms TTL=63
Reply from 10.0.3.4: bytes=32 time=47ms TTL=63
Reply from 10.0.3.4: bytes=32 time=38ms TTL=63
Reply from 10.0.3.4: bytes=32 time=38ms TTL=63

Ping statistics for 10.0.3.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 47ms, Average = 40ms

C:\Users\WDAGUtilityAccount>tracert 10.0.3.4

Tracing route to 10.0.3.4 over a maximum of 30 hops

  1    33 ms    36 ms    37 ms  10.212.134.200
  2    34 ms    35 ms    34 ms  10.0.3.4

Trace complete.


SSL VPN FortiClient Connect to Azure VPN Gateway's Remote site

There is a special use case, which FortiGate firewall is providing SSL VPN connection, but Azure VPN Gateway provides Site to Site connection to remote site. How can we get our FortiClient to connect to remote site through Azure VPN tunnel?

1. SSL VPN Portal

Make sure add your remote site segment into Routing Address Override settings in your Tunnel-Access profile or other profiles

Note: The routing address override settings will be pushed to Forticlient machine's routing table.
You can check them using "route print" command from CMD window once you connected your Forticlient to Fortigate. 

2. Add one route into your FortiGate routing tables. 
The gateway will be the Azure LAN network's default gateway .1 ip address.



3. Firewall Rule in the FortiGate policy enabled NAT on LAN interface.
That is important in some cases to make your traffic passing through firewall. 



Password expiration policy for SSL VPN local user


Note: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Password-expiration-policy-for-SSL-VPN-local-user/ta-p/192723


To configure SSL VPN users to change their password in the local user database before it expires

The password policy is used to configure the password renewal frequency (every 2 days for instance) and the warning that normally occurs the day before the expiration date. Password policy can be applied to any local user password.

The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

 

In FortiOS 7.0, users are warned as per warn-days set and they have to renew their password before it get expire, which is based on the expire-days mentioned in the password policy. The user cannot renew the password and need to contact the FortiGate administrator for assistance. 


In FortiOS 6.2, users are warned one day before the expiry date of the password and they have one day to renew it. When the password is expired, the user cannot renew the password and need to contact the FortiGate administrator for assistance.

In FortiOS 6.0/5.6, users are warned one day before the expiry date of the password. Users can still renew the password even after the password has expired.

Configure and assign the password policy using the CLI

The following commands are used to configure a password policy that includes an expiration date and a warning time. 

 

#config user password-policy
    edit "pwpolicy1"          <- password policy name.
        set expire-days 5     <- password expiry.
        set warn-days 3       <- warning notification for password going to be expire soon.
        set expired-password-renewal disable  <- if enable this option is, after the password expires, still end user can renew the password, with no need to depend upon FortiGate Administrator. 
    next

end

 

Assign the password policy to the newly created user.

 

#config user local

    edit "sslvpnuser1"     <- local username.
        set type password
        set passwd-policy "pwpolicy1"    <- applying password policy.
        set passwd-time 2021-11-26 22:46:15    <- the default start time for the password, this is the time when the user was created.
        set passwd  xyz   <- password.
    next
end

 

Once the user is reached warn-days, the user will get the below prompt, while connecting to SSL VPN by entering old username and password. It will redirect to enter a new password for the same.

KB-forticlient password change.PNG

 

Once a user changes his password,  'passwd-time' will get changed again. 

 

# config user local

    edit "sslvpnuser1"

     set type password
     set passwd-policy "pwpolicy1"
     set passwd-time 2021-11-30 23:34:30  <- passwd-time has been changed.
     set passwd ENC +sddai212=

    next

end

 

Note that, currently, the Password renewal for local users when using the Dial IPSec VPN is not supported.



As to the password complexity policy to apply to SSL VPN Users, here are some documents we can reference to:
  • https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/364729/password-policy
  • https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/544195/ssl-vpn-with-local-user-password-policy
  • https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Password-renewal-with-password-complexity/ta-p/294773

Password policy can be applied on the user level.

  1. Configure password policy:

 

config user password-policy

    edit "pwpolicy1"

         set expire-days 5

         set warn-days 3

         set expired-password-renewal enable

         set min-lower-case-letter 1

         set min-upper-case-letter 1

         set min-non-alphanumeric 1

         set min-number 1

         set min-change-characters 2

         set expire-status enable

         set reuse-password disable

    next

end


2.  password policy on the SSL VPN user.


config user local
    edit "pearlangelica"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB35D39832AD"
        set email-to "<email address>"
        set passwd-policy "pwpolicy1"   <----- Apply password policy.
        set passwd-time 2024-01-08 11:24:40   <----- Last password change.
        set passwd ENC QWp+uKQ7Mk1GOh+864tiS/zOVo/Wsx/4DcVRRMrfe3Ujre1lv0It45yD8S9mgl2BBPKl39hkZHSoto+akR9kIgpnIE9tU73yMdehp7Gq3KWUKeQoYnv8iWFUXQjmLTEp5gJ3Mb221tFtAYd9jumB/YS+v52QrGvWJdg3OQfxb3bdkgtpgGWMagTZojLj5gLv4kyM7A==
    next

end


Password policy can also be applied in global settings:


config user setting
    set default-user-password-policy 'pwpolicy1'
end

 



SSL VPN connection logout after 8 hours

Idle timeout means if there is no data being sent or received over VPN, the connection will drop. What you are talking about seems to be authentication timeout or auth-timeout. By default it is 8 hours in fortigate firewall. You can extend it till 72 Hours (259200 seconds).

By default, an SSL VPN connection logs out after 8 hours:
 
config vpn ssl settings
    set auth-timeout 28800
end



The auth-timeout is the period of time in seconds that the SSL-VPN will wait before re-authentication is enforced.
The default value is 28800 seconds (8 hours). The value can be between <0> to <259200>

A value of 0 indicates no timeout.
 
Adjust the idle-timeout period of time in seconds that the SSL-VPN will wait before timing out the user if not being active.
 
config vpn ssl settings
    set idle-timeout 300
end
 
The default value is 300 seconds (5 minutes). The value can be between <0> to <259200>.



Note: 

  • https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-connection-logout-after-8-hours/ta-p/191322
  • https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-timers-explanation-and-SSL-VPN-Login/ta-p/203615


Troubleshooting

NAT using IP Pool. Sometimes, using "outgoing interface address" this option, it doesn't work. If it happens, just specifize your range as show below. 




Advanced Features: Auto Connect, Always Up




This feature is unavailable in free versions of FortiClient. You can upgrade to the full version of FortiClient to access this feature. Contact sales to upgrade.

Feature

Description

Save Password

Allows the user to save the VPN connection password in FortiClient

Auto Connect

When FortiClient launches, the VPN connection automatically connects. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon. See Appendix E - VPN autoconnect for configuration examples.

Always Up (Keep Alive)

When selected, the VPN connection is always up. If the connection fails, possibly due to network errors, FortiClient attempts to reconnect. If credentials (username and password) are saved, FortiClient attempts to reconnect silently. If credentials are insufficient (for instance, multifactor authentication is required or password is not saved), FortiClient prompts for credentials.


 Those 3 tick boxes only seem to appear once you've connected to the VPN for the first time. If you've not connected, do that then disconnect and the tick boxes appear after that.



Note:

The following features are not supported in the FortiClient v6.2.X - v7.0.12, v7.2.X and v7.4.X free versions:

  • VPN auto-connect/always-up.
  • VPN before logon.
  • On-net/off-net.
  • Host check features.
  • Central management
  • No feedback option & no diagnostic tool under help/info page.
  • IKEv2 is not supported on FortiClient 6.2.x free version.
  • TAC support.

Note: https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-EMS-Auto-connect-a-VPN-Tunnel/ta-p/195552

Get a free version 6.0.10, those three options are free to use still. 

Free download 64b: 
Backup link.

Videos

Configure FortiGate SSL VPN and Connect it Using FortiClient (Free with Test Drive):





References




No comments:

Post a Comment