FortiGate SSL VPN Configuration (FortiOS 6.4.0 Basic)

Captions
In today's video we're going to talk about how to set up remote access to your network using SSL VPN. It's included in the FortiGate, it's very straightforward, and it'll make your remote work infinitely better for you and your organization. Stay tuned. [Music]

Good evening, ladies and gentlemen. So I had a few people send out requests asking specifically about remote access to their network. A lot of the questions had to do with whether or not to use IPsec tunnels for dial-up users or SSL VPN, and basically the stance on that is I personally prefer SSL VPN because it tends to get through networks easier. I've run into some situations where hotels and whatnot were blocking the necessary ports and protocols for IPsec to go out, so even though it's faster normally, SSL VPN tends to be the most successful. Basically what we're going to do in this video is cover everything necessary to configure remote access to your work network via your FortiGate, free of charge. Other vendors charge licensing fees and things like that for this, so this is one of the really good benefits of the FortiGate.

A couple of things you need to take into consideration: this video is going to be a very simple deployment. This is our crawl-before-we-walk-before-we-run scenario. So what we're looking at here is local authentication, meaning that you have to create user accounts on the device itself. We're also configuring this device so that you're accessing resources via the IP, not by hostname. This is going to be the bare metal, most simplistic view for you to set up an entry-level SSL VPN remote access connection to your FortiGate. In future videos we'll talk about how to configure DNS suffixes, specific DNS servers for those users, specific subnets and access for those users, etc., but this is basically just so you can install it on your device, play with it and get familiar.

So we're going to need to create SSL VPN user groups, SSL VPN users, and assign them to said groups. We're also going to have to configure the portal, which we'll go over in this video, as well as mapping that group to that portal, and then of course we need policy configured to allow this traffic to traverse. Another thing that we're doing in this video is something called split tunnel. That means only traffic that's interesting to the network will go over this connection. So if your office network is 10.100.100.0/24 and your remote is on 192.168.1.0/24, what that means is we're going to configure it so that a 10.100.100 route gets installed whenever you connect, meaning only traffic destined to that subnet will go over the tunnel. For those of you that may not know, there are two different types of tunneling: there's split route tunneling, which basically means only interesting traffic goes out, and then there's full tunnel, which forces all traffic over the SSL VPN connection. Full tunnel makes sense in organizations where you have higher security standards and you have to make sure that those users are using your set web filter or proxy or things like that.

So with that being said, we're going to jump into our lab FortiWiFi 61E and we're going to configure those steps as mentioned so that it'll listen for SSL VPN accordingly. So let's go ahead and jump in and handle that.

What we're looking at here is I'm logged in to my FortiWiFi 61E. This device is running code 6.4, but this doesn't change much between the versions. The local subnets on this one from the inside are those two test subnets from the other day, so we have one on 192.168.1 and .2; that's Wi-Fi and our data. It's kind of inconsequential for this video because it could be anything; that's a variable that you can update. So if your home network or your office network is 10.0.10 or 10.250 or whatever, you can set that up the same way, you just change the actual subnet in question.

So first things first, we need to create the group. Basically under User & Authentication > User Groups we're going to create an SSL VPN group. Now remember, this is a basic deployment, we're not trying to get fancy here, so our group is going to be simply named: we're going to call it SSLVPN. So we'll create a firewall group titled SSLVPN and then we'll click OK. You'll notice that there are various types here; firewall is the one that you want for this scenario. You can actually have your FortiGate use Fortinet single sign-on using the single sign-on agent, you can have it use RADIUS, and you can also have it use remote groups via LDAP authentication. Firewall groups are able to be used for a multitude of things, one of which is authentication for SSL VPN. So like I said, for this one we're going to use firewall and we're just going to name it SSLVPN to keep it simple. So we click OK here. So now we have our user group; this is the group we're going to tie to our SSL VPN.

Now just for giggles we're going to take this Mike account and assign it to that user group. Actually, even better, we're going to create a new user so you can get walked through that process. Just like with the user group, there's a multitude of options that you can use when creating your user. This scenario is going to use a local user; we'll do more videos in the future that discuss the other options and where they may or may not be viable for you. So we click Local User, go to Next, I'm going to say sslvpnuser for my username (this is just a dummy account that we're using), sslvpnpassword for the password (easy), click Next. For contact information I'm going to enter test@test.com to bring out my Microsoft fun. You are able to configure two-factor on this, as well as SMS and things like that; for now we're going to leave it blank because like I said this is our basic, entry-level, just-getting-started setup, right? And then we'll click Next and you see that there's an Extra Info section. The Extra Info section is where you would say whether or not the account is active (enabled or disabled) and then the user group that you wish to place it in upon creation. We're going to check that checkbox for user group, and then we're going to select this little empty box here and it'll populate this right pane. The only group that exists on this particular FortiGate is SSLVPN, so we will select that, and as you can see it gets populated over here on the left, and then we will click Close and then click Submit. So our account's created, our user group is created, our account is a member of that user group.

So now we have to configure our actual portal. If we come over here to VPN on the left side, we can click SSL-VPN Settings, which is the overall settings for the device. You can make it listen on any interface for SSL VPN; you can also make it listen on specific interfaces. So for instance, I only want this to listen on the outside. Since my device is grouped by zones, I only have inside and outside as options, but basically that means any interface that is in the outside zone will listen for SSL VPN. As you may have noticed, I don't use the standard 443 port for administration; I use 10443 on this particular device. I do that because SSL VPN uses 443, and usually when you're deploying this in an environment where you have end users that may not be as technically savvy or anything like that, keeping it as straight as possible is the best route to go. So the interface that we're listening on is the outside, so both wan1 and wan2, if they both had IPs. We're listening on port 443, which is the default for SSL VPN, and then of course we can restrict access to specific hosts or we can allow any host to connect. For the sake of this video we're going to use Allow access from any host, but you could whitelist it where only certain external IPs could actually connect to this connection. Our idle logout is 300 seconds, which means five minutes or so without any access or traffic going across and it's going to disconnect the user.

Server certificate: this is the built-in Fortinet cert. If you have a domain that you were going to point your users to, maybe vpn.yourdomain.com, you could get a wildcard cert or a cert specific to that subdomain, install it on your FortiGate and choose that here, and it'll keep the certificate error from showing up. For the sake of this video we don't have that; it's a little bit more involved, it's a convenience thing, it's absolutely not necessary, but if you want to have a polished look and you want people to trust your VPN, especially if it's for work or an organization like that, it's best to have a certificate installed there. We don't require a client certificate because we're not using certificates for authentication.

Our tunnel mode settings: you can do two things. You can have it automatically assign IP addresses, which means it's going to pull from whatever the default range is, or you can select a specific range. Here I have it set to use SSLVPN_TUNNEL_ADDR1; this is a default address object range that comes on the FortiGate, and for the sake of this video it's 10.212.134.200 through .210, and just for reference it's been that way for years. You can expand this range, so if you need more than 10 users to connect at once you can; I usually make it the whole /24. But as you can see we have this configured accordingly, so basically whenever you connect to the SSL VPN you will pull an IP address within this range. Next we have DNS server, Same as client system DNS; we're going to leave that as the default for now. Now if you were in a situation where you had internal DNS, you could define it here and actually have your internal DNS used; it helps make resolution of items via hostname easier, but for the sake of this video we're using IPs, we're not using FQDNs.

Authentication/Portal Mapping: this is where we need to map the user to a portal that we're going to create. We're going to come back to this later, so we just go ahead and click Apply; our settings are saved. So now we need to create our portal. The FortiGate out of the box comes with two different access modes, web-access and full-access. Well, they're not access modes, they're portals that have been pre-configured to facilitate certain types of access. So for full access you can actually go to https://your-IP:443 and it'll show you a web portal where you can log in to SSL VPN that way. It's very good for users that don't know how to use SSL VPN clients, and maybe you only want them to have access to certain resources, so you can create a portal that has bookmarks, RDP bookmarks, web bookmarks, things of that nature. If I go ahead and edit here, as you can see you can create predefined bookmarks, and I have a bookmark to fortinetguru.com. You can create more and they can be FTP, RDP, SFTP, etc. So if maybe it's a mainframe person and they only need SSH access to a very specific device, you don't want them connecting via full tunnel, so you just let them use the web portal; you could set up the bookmark for them ahead of time. In this video we're going to act like we're letting them use SSL VPN to connect so they can, you know, dive in, RDP to their desktop, hit internal web resources, use printers, things of that nature.

So we're going to take the default full-access and we're going to click Edit and we're just going to look through. As you can see the tunnel mode by default is set to full tunnel; it's not split routing at all. We're going to fix that. This is just the default portal: web mode is enabled, which lets us do those things that I mentioned previously, and then tunnel mode is enabled, which lets FortiClient actually build a connection to the FortiGate. So we're going to create a new portal and we're just going to call it SSLVPN. It's usually really good to name these things based on function, so for instance the defaults are full-access and web-access; so we'll just call this one SSLVPN-Full for the sake of the video. We're going to enable tunnel mode connections and we're going to enable split tunneling, because we only want interesting traffic, which is traffic that's trying to go to 192.168.1 or 192.168.2, those two /24s, to access this network. So for Routing Address, which is where we'll actually enter the subnets that we wish to push down to the FortiClient, we'll go ahead and set those up here, and these are just address objects. So I'll create these really quick for the sake of time, .1 and then .2, so we have our two address objects; we'll select both of them and click Close on this pane. Now what you see here is split tunneling is enabled, so their internet's not going to go over this pipe, only stuff that's destined to these two subnets.

Please take note, by the way, while we're talking about this: if there is subnet overlap between your home network or your remote network and the network that you're trying to remote access, shenanigans almost always occur. The best way and the most straightforward way to actually alleviate this in simple setups is just to make sure that you use a non-standard network for your work or your home or whatever. Almost everybody uses 192.168.1 or 192.168.0, so I like to use 10.whatever and go higher up in the range.

So our Source IP Pools are the IPs that we're going to assign. I know we configured it on the SSL VPN settings page, but that's a global command; the portal can actually be more specific. So for instance, if you have SSL VPN DNS search or suffix configured on the global parameter, you can actually specifically set certain DNS, certain suffixes, various servers, things of that nature at the portal level. So maybe a user that's a member of SSLVPN gets DNS server 1, maybe SSLVPN-test gets DNS server 2; there's a lot you can do there. You can enable your client to save their password; it's easier for most, but as a best security practice I usually keep it off. Host check is how you're actually able to make sure that they have certain parameters installed on their device: do they have antivirus, is it real-time, do they have a firewall, are both enabled, etc., and it'll actually keep them from connecting if they don't meet your security parameters. You can also limit it to where only certain versions of Windows are allowed; for instance Windows 7 is no longer supported, so it's usually good to just block that. 6.4 and 6.2 made it much easier to configure this in the GUI; usually you set these parameters in the CLI on older versions. But we're not doing host check or OS version checking because this is the basic setup; I just wanted to cover that with you. Web mode will be enabled, we will leave it as is, so we will click OK and that's our portal.

So now we'll go back to SSL-VPN Settings. In theory we probably could have just done the portal first, but it's good to discuss both of them anyway because of the global setting versus the portal-specific. Down here in the Authentication/Portal Mapping section we'll click Create New; we're going to select our SSLVPN user group and we're going to assign them to the SSLVPN portal, which is the one that we just created. You could just throw them in the full-access portal that's there by default and then make edits to that portal to meet your needs, but we're going to follow suit on this video like this. As you can see it populates here, which means if a user is a member of the SSLVPN group and they try to connect with FortiClient, they will get assigned to this portal and whatever permissions are defined there will apply.

So we've created our SSL VPN user group, we've created the user, we've added the user to said group, we've configured our portal, and we've configured the SSL VPN settings to listen on the appropriate ports and to assign a specific portal to a certain user group. Now the only thing that's left is our policy to allow the actual users to connect. Simply go to Policy & Objects > Firewall Policy and go to Create New. We'll call this SSLVPN-in. Now remember, this is only split tunnel traffic, so the only subnets they're going to be able to access are 192.168.1 and 192.168.2. As far as the firewall's concerned, it's terminated on that interface, that SSL VPN interface, in that IP range; good enough, right? But you also have to define the user group. This is where you can actually get pretty granular on settings: maybe you want SSL VPN users to only be able to access certain resources; you could set that here. But this is a simple one, so we're just doing SSLVPN. So if they're coming from the SSL VPN interface to the inside interface, and they're a member of the SSL VPN address space and the SSLVPN user group, we're going to accept them to access these two networks. If you tried to click all here it would complain, because it's not a full tunnel connection; when you're using split routing you have to be specific with your subnet. If this was a full tunnel without split routing you could select all, but you would also have to create an SSL VPN to internet connection policy, because otherwise they wouldn't be able to access the internet. Our service we're going to let be ALL. We're not going to NAT it; it's a network that terminates on the firewall, so it's not like we have to hide it or readdress it or scheme in there, anything like that. And then we will apply our appropriate policy set here: we're not doing DNS filtering because DNS traffic will not be reaching this, we're not going to do web filtering either, simply antivirus, to make sure if it is, you know, a machine that has a bug on it or something, and app control so that we can make sure only what we want comes across. And we'll click OK and that's basically it. We've run through everything that we need to do in order for this to connect.

Let's see here, I'm going to add a new connection; I'll call it SSL VPN test. This is how you configure the FortiClient, by the way: so you launch FortiClient, you add a new connection, you can name the connection whatever you wish, whatever's relevant for you. My remote gateway is Tim not 100-120; it's listening on the default port so I don't have to change this. Do not warn on invalid server certificate, because I do not have an actual non-revoked, non-device-specific certificate installed and I just don't want to see the error message. There's no client certificate because we're not doing that as part of our authentication. Click Save, and then we use sslvpnuser and I think it was sslvpnpassword for the password, Connect, and in theory this will connect right up. And it does. So it's in there, and now if I pull up a command prompt I'm able to ping 192.168.1.1. I don't know if I have ping enabled on this one, so let's check that... yeah, I don't have ping enabled on that one, but as you can see I'm able to hit the appropriate resources; if there were devices behind it, it would work like a champ.

So there you have it: remote access to your FortiGate from anywhere. There are no licensing limitations or anything like that; you're basically limited by the capability of the box. Fortinet has maximum SSL VPN user counts, but they're recommended, they're not hard-set counts, meaning if you're not doing much with the box other than this you can get a lot out of it. So just remember: you've got to create your users and your user group, users have to be inside the user group, configure your portals, configure your settings and map said portals, and then configure your policy and test. That's how you set up remote access to your FortiGate from afar. You don't have to pay for any crappy licensing like you do with Cisco and other vendors; Fortinet did a good job in that regard. So hopefully that helps you out. If you have questions or comments, please as always post them in the comments below; I'd love to see them, that's what we use to get the channel rocking. So if you like videos like this and you would like to see more like it, please do me a favor and subscribe and hit the notify bell so you get notified when new videos come out. That helps build the channel, and of course your collaboration and correspondence with me also helps build this into what it is. We've crossed 6,000 users and we're steadily growing; we're very happy with that, but I'm only as good as what you guys need, right? My use cases might be different, so yeah, post below, like, subscribe, thumbs up, and until next time guys, stay safe. [Music]
Info
Channel: Fortinet Guru
Views: 73,982
Keywords: fortigate ssl vpn, ssl vpn on fortigate, fortios 6.4 vpn, ssl vpn remote access, remote access on fortigate
Id: gUJ8zR6XXqI
Length: 26min 26sec (1586 seconds)
Published: Mon May 04 2020