Fortigate client SSL VPN setup 5.6

Captions
Welcome to Julian's lab. What I'd like to do today is to set up a client SSL VPN on a FortiGate 5.6. As you can see I have a FortiGate 60B and I'm on 5.6.2, and I'll move on with the first step. The first step is to create the username and the user group to be assigned. Now, why would you be watching my SSL VPN setup and not FortiGate's? You can watch that one too; I'm going to be adding a lot of extra details that FortiGate managed to skip through. So I'll get going: SSL VPN group, and I'm going to add my username that I already created. So I have a group and a username in that group that is going to be part of my SSL VPN client.

Now on the second step we're going to enable the SSL VPN portal, and that's under VPN, SSL VPN Portal, and we're going to work with the full-access portal, which I'm going to edit. Now here there are a few details that I'd like to discuss. This enables split tunneling if you enable that, so I'll go over what split tunnel and full tunnel mode mean. Full tunnel means once you VPN in, you're forcing all the traffic through this firewall that I'm setting up right now. If you're doing split tunnel mode, it means that just the private traffic that is on this source IP pool you're going to be able to access; all the public traffic is going to be going through your local router or firewall, so if you're at your home or a hotel that's how you're going to be browsing the traffic, which is less secure. So our preferred option is going to be not to enable split tunneling, so we can force all the traffic through the firewall and we can get the benefit of all the UTM features and the security that the firewall is offering. That'll be my preferred option. So here we just need to make a note about the address object that is being used, and we can leave pretty much everything by default, with a quick mention that "enable FortiClient download" literally means you can log into the firewall's public IP and download the client from the firewall itself, not necessarily from the FortiGate website.

Next, in the SSL VPN settings, I'll go over a few details. The interface that the client VPN is going to be listening on typically is going to be our public interface with the public IP, and the port: we want to change that from the management port of the firewall; 10443 is going to be a good choice, and as you can see the firewall is already pre-filling this line for us and it's letting us know how we can connect against the public IP and the port. Now "restrict access / limit access to specific hosts" means you can create here, let's just say, certain public IPs that you're allowing this port and IP to be accessed from. What I'm trying to say with that is, let's just say if you are in the United States and you create a geo-IP address object and you're blocking all the countries except the USA, you can use that geo-IP filtering right there. If you leave "allow access from any host", it means anyone is going to be able to, let's say, if they do a port scan they're going to see this port open on this IP, so they might be able to try to brute force the username and password. Now "enable idle logout": what that means here, the 300 seconds, the five minutes, is if the firewall doesn't see any traffic it's going to log that user out, but one more time, it's not on the keyboard movement or mouse movement like my mouse right now, it's actually on the traffic. So if you're doing tunnel-all, any broadcast that your machine does the firewall is going to see, so you're never ever going to go idle. So I'm changing that to, let's just say, one hour, and one more time that actually means never if your computer does any kind of broadcast. On a side note, here there is another timer that you cannot see, and what the firewall does, it's called authentication timeout: that means from the moment that the user is getting logged in a timer starts going. By default this timer is set at 8 hours, and you can change that; the settings are hidden under config vpn ssl settings, and the command for the timeout is set auth-timeout, then here you can set up your number of seconds, so in my case 36000 seconds is 10 hours. You also have to type end in order to apply the settings. Now down below we'd like to specify the same address object that was being selected on the portal; we want to make sure that it's matching, as if it's not, obviously your VPN client is not going to work. DNS: you can use the system DNS; I do recommend that you use an internal DNS. You can have at least three DNS servers: two you can add here, the third one you can add via the command line. And the last part here in the SSL VPN settings, we have to add here the group that we created, the SSL VPN group, and the portal that we just set up. Apply and move on with the next step.

Now to create routes for the VPN we need to identify the address object that was being used on the portal and the VPN settings; we can see the address object name and the network, so I need to match this route pointing to the SSL VPN. So I'll go to Network, Static Routes and Create New, adding the address object, the network that is matching the address object that we just checked moments ago, choosing the interface where this network lives or resides, the SSL VPN interface. Gateway is not needed; you can put a comment "SSL VPN", and that's pretty much it with this step, so we can see our address object pointing back to the SSL VPN.

Moving on to Policy & Objects, IPv4 Policy, we need to create two policies: one for accessing local traffic, so from the VPN to LAN, and another one accessing from VPN to WAN, since we have done not the split tunnel but tunnel-all. I'll start with VPN to LAN: my incoming interface is going to be the SSL VPN; you can put the name "SSL VPN to LAN"; incoming interface obviously my SSL VPN, the other one is going to be my LAN; source needs to be the address object, the SSL VPN address object, and we need to specify a user group, the one that we've been working with; destination is going to be my network, so my 10.0.x.x; what ports you want to allow: typically all should be just fine. Now I'll spend some time over this NAT checkbox here. If you disable this box you're going to allow this traffic, the 10.212.134.x addresses, to access your 10.x network or any other network that you might have behind this firewall with this private IP, 10.212.134.x. If you do enable this NAT checkbox, it says "use outgoing interface address", which means you're going to be browsing with the private IP of the firewall, also in my case 10.0.0.19. So when I'm VPNing in from my home, let's just say, and if I need to access inside my network, here I'll see that 10.0.0.19 is accessing whatever resources you're having behind this firewall. So it's up to you how you are going to use this NAT. Down below, all the UTM features that you need to enable as needed, you know, as secure as you want to be; log allowed traffic, all sessions, if you need to see the traffic in Log & Report.

Now I'll be creating the other policy, from SSL VPN to WAN. I'll be naming this one "SSL VPN to WAN"; incoming interface also is going to be the same SSL VPN interface, outgoing the WAN interface. I'll just make this quick note: if you need to access something on a DMZ or Wi-Fi, or if you have any other interfaces, keep in mind if you don't build the policy the VPN client is not going to be able to access those resources, so you need to build all the other policies that you need. So, SSL VPN to WAN: source, same address object that we created or used earlier, with the same user group; destination all, and what ports you want to use; so for instance if you want to just give web traffic access to the VPN user, that should be fine. I'm going to use all in my case, and here the NAT tick box is not an option; I mean obviously if you're going to come from the VPN with the private IP address that is being assigned to you and you need to go on the internet, you need to be hiding behind the firewall and all the UTM features that the firewall is providing, and that includes web filter, IPS and so forth, whatever your security settings must be. So here are my two policies, SSL VPN to WAN and to LAN.

Now I guess we need to go to the final part, which is testing. How can we test real quick without installing the client? We go to VPN, SSL VPN Settings, we figure out what public IP we have listed here and the port, and if you go to that public IP and the port you should be getting a login prompt. If all the setup went well, you log in and this should be successful, and as you can see I'm being logged in. Now in order to actually use this in a proper way you should be downloading the client, like I said either from this portal or from the FortiGate website; it's the same one, or from the website you might get the latest one, and then you can do a full test actually using the tunnel mode.

So before I wrap up my video I'd like to go under config vpn ssl settings. I'll do a quick show, and what I want to emphasize here: set source-interface is the interface that your SSL VPN is going to be listening on, in my case "six", in your case maybe "wan1"; if you have more than one you need to have both in here. Also, from a practical perspective, once you VPN in I want you to think more like DHCP, and you need to assign a DNS suffix, which I don't have in just yet; the command is set dns-suffix, same as whatever your local domain is, and now if I do a show you can see set dns-suffix. So your client is going to get this domain whenever they ping some local resource, along with the local DNS, whatever that might be. So I just want to say thank you for watching.
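As an added example (not from the video, and not FortiGate's own tooling), this Python script reads the output of the `show vpn ssl settings` command the presenter ends on and flags the points he calls out: the listener left open to any host, the default 443 port, disabled idle or authentication timeouts, a missing source-interface and a missing DNS suffix. The sample dump is constructed in the layout of FortiOS `show` output with hypothetical values; `show` prints only non-default values, so the FortiOS defaults (port 443, idle-timeout 300, auth-timeout 28800, source-address all) are assumed for absent keys.

```python
import re

# Constructed sample in the layout of FortiOS "show vpn ssl settings" output.
# Values are hypothetical, not captured from the video's firewall.
SAMPLE_SHOW = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 3600
    set auth-timeout 36000
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 10443
end
"""

def parse_settings(text):
    """Collect 'set <key> <value>' lines into a dict, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+(.*)$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit(settings, split_tunneling=False):
    """Return finding codes for the points the video walks through.
    Absent keys fall back to the FortiOS defaults, since 'show' omits them."""
    findings = []
    if split_tunneling:                                  # portal setting: web traffic bypasses UTM
        findings.append("split-tunnel-enabled")
    if settings.get("port", "443") == "443":             # shares the admin HTTPS port
        findings.append("port-is-default-443")
    if settings.get("source-address", "all") == "all":   # no host / geo-IP restriction
        findings.append("listener-open-to-any-host")
    if settings.get("idle-timeout", "300") == "0":       # 0 disables idle logout
        findings.append("idle-timeout-disabled")
    if settings.get("auth-timeout", "28800") == "0":     # 0 disables the hidden session limit
        findings.append("auth-timeout-disabled")
    if "source-interface" not in settings:               # nothing is listening
        findings.append("no-source-interface")
    if "dns-suffix" not in settings:                     # clients cannot resolve short internal names
        findings.append("no-dns-suffix")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE_SHOW)):
        print("finding:", finding)
```

Paste the real `show vpn ssl settings` output in place of the sample, and pass `split_tunneling=True` if the portal has split tunneling enabled.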
Info
Channel: Julian
Views: 37,832
Keywords: fortigate, SSL VPN
Id: hRbGbmymVY0
Length: 13min 58sec (838 seconds)
Published: Sun Feb 11 2018