Fortinet: Connect with FortiClient SSL VPN to FortiGate Firewall

Captions
In this video we will explain and configure both tunnel mode and web mode with FortiGate's SSL VPN, and we'll have a troubleshooting session at the end. Let's get into it.

Tunnel mode will require that you install FortiClient VPN, whether it's on your laptop, desktop or mobile smartphone. Once installed, there's really no limitation to your VPN; it's really based on the applications that your client and your corporate network support. Alternatively, or in addition to tunnel mode, we can use web mode with SSL VPN. The difference between web mode and tunnel mode is that web mode does not actually require you to install FortiClient VPN software onto the users' machines; they can simply use a web browser.

Now there are a couple of important considerations that we should mention about web mode. First things first, with web mode the limitation is that you have to use the protocols that are supported by the SSL VPN portal on the FortiGate. So we're no longer using the client applications on our Windows, Mac or Linux machine; we're using the client applications made available to us by the FortiGate. Another item to consider is that with web mode we are essentially making our firewall a thin client, so that now all the resources are coming from our firewall instead of what would previously have been our client machine. So we need to be careful about the resource utilization on our firewall, make sure that we're monitoring that, and consider that certain applications, for example something like RDP, might put more load on our firewall than something like HTTP or HTTPS. Just keep that in mind as well.

So we want to take this user named ttp fortinet, which resides in the SSL VPN user group, and allow that user to authenticate via SSL VPN. To do this we need to create an SSL VPN interface if we haven't already. The way we can do that is go to VPN, SSL-VPN Settings, and just make sure that we fill out all these fields here. First we're going to ensure that we listen on our WAN interface, our public IP or public IPs, in my case 166.166.1.2, and then we want to listen on a port. This can be really any port that you choose; just note that if you do use the same port as the administrative HTTPS port, that will be a conflict. So let's just use 10443 in this particular case. We can use the default Fortinet certificate, and everything else we can leave at default here. This is going to be the IP range that the FortiClient machine will actually receive; you can change this if you'd like. Then we're going to configure the authentication and portal mappings. A brief explanation of how this works: what we do is create a mapping between our user group and the portal that we want the users who authenticate to this user group to have access to. We'll get into the specifics of the portal in just a moment. And then, as sort of a catch-all, if we have an authenticated user that is not within any other predefined group, we're going to hit this "All Other Users/Groups" entry here, which maps to the web-access portal. So let's hit Apply. Great.

We'll just quickly go to our Firewall Policy section here, just to show you what we've created right now: since we configured what we just did a moment ago, we now have an SSL VPN tunnel interface that we can reference in firewall policies. So for example, let's create this firewall policy quickly here. We'll just call it "create ssl vpn". We're going to say any user that authenticates to SSL VPN, we're going to allow them access to the internal network on our firewall, and we're going to have to define that same SSL VPN user group that we did just a moment ago in our SSL VPN settings. This is going to be the destination network that we want to have access to, which is part of the internal subnet here, and we're going to disable that and enable that firewall policy.

All right, so just like that we are ready to start testing. But before we do so, let's explain what the SSL VPN portal is and how we can configure it. Let's go over full-access. We can see under the full-access section that there are a couple of main headings that we can focus on; we're going to be looking at the tunnel mode and the web mode items here. Starting with tunnel mode, we can see how the split tunneling configuration is set up. By default, whatever is identified in the firewall policies, those are going to be the routes that are injected onto the actual FortiClient Windows machine, and that's going to direct traffic to this particular firewall. So in our case, currently 192.168.112.0 is the destination address that is going to be injected into the Windows machine to direct this specific traffic towards the FortiGate over the VPN tunnel. Now, going back to that same section again, if we were to, for example, click Disable here, then all traffic, including internet traffic, would be routed over the VPN once a tunnel is established. Another option which is pretty popular is a bit of a hybrid: you do want to have a split tunnel, but you don't want the split tunnel to be based on the policy destination under the Policy & Objects, Firewall Policy section, in which case you can just specify whatever specific addresses you want to be injected into that Windows FortiClient machine to direct traffic towards this FortiGate. So you have a lot of options there.

Now, going over web mode, this is going to be specific to using your web browser to authenticate to the SSL VPN. We see some of these default options here; a cool one to go over would be the predefined bookmarks, and we'll show it in the example in just a moment. Let's say we have a Windows 10 PC that's connected on that internal network that we created the firewall policy for, and we want to have RDP access to that machine. The machine IP is 192.168.112.2. This may vary depending on how your Windows machine is set up, but for the most part you can start by trying TLS encryption and then change it if it does not work. Based on what we've configured now, when the user authenticates to SSL VPN via web mode, they're going to see a bookmark option for "Windows 10 PC".

Another item to go over quickly here would be our DNS configuration. As we can see from our SSL VPN settings, by default the client machine, which would be the FortiClient machine, is going to receive the DNS address defined on the FortiGate under System DNS; that would be under Network, DNS, these default DNS servers. If we want to change that we absolutely can do so, and that would just be by us specifying any type of DNS server. Let's say I have a DNS server on my network that's 192.168.112.105, and maybe I can have a public one as a backup. There we go. Now what if our internal DNS server is responding to DNS queries for the following domain, let's say domain.com? What happens if we want to be able to reach certain internal resources without having to specify the entire DNS host name, which would be server123.domain.com? What if we want the FortiGate to assist the Windows machine so that instead all we have to do is enter server123 to reach that particular resource? I'll show you how to do that now. Back to the FortiGate here: this configuration setting is not available by default in the GUI, but we can access it via CLI, and via CLI we're pretty much accessing this SSL VPN settings section, we're just doing it in the command line. So we would type in config vpn ssl settings, and then what we will do is set the dns-suffix to be, in this case using our example, domain.com. OK, perfect, and then we type in end to save our configuration.

OK, let's start by testing SSL VPN with tunnel mode using FortiClient. If you don't already have it, you can go to the Fortinet support website and download it; it will be the FortiClient VPN-only version. This is assuming that you just want to have the free version of FortiClient; there are other options, but that's a bit outside the scope of this tutorial. Anyway, let's start by just downloading the Windows VPN and installing it. Once installed, let's configure FortiClient. We're mostly using the same configuration that we've already set on the FortiGate. Now I'll just put in the user credentials. Perfect, now we're connected. Here's some relevant information from the PC post-connect: we can see that the DNS suffix was passed along to the machine based on the configuration from the FortiGate, same with the IP address configuration and the DNS server, as well as the destination route, which is 192.168.112.0/24, and then via, in this case, a dummy IP that is created for the next-hop gateway. We can confirm that we can actually ping resources on the other side of the FortiGate after connecting over the VPN. Now if we try to use Remote Desktop to that same machine, perfect, we have access.

Now for the web mode portion of this test, let's access the public IP using our custom port here. Perfect. We have access to our SSL VPN portal, and as we can see, the predefined bookmark that's been created for us is already available. We also have the option to create a quick connection based on certain protocols that we have access to via this web-based portal. So let's just go ahead and click that bookmark that was pre-created for us and see if we can access the machine. Perfect. I suppose we could enter our username and password here, but what I'll do is just click Login to get access to the machine, and at that point we're going to be challenged for additional authentication. OK.

To give you some idea of the troubleshooting tools available to us: one would be the FortiClient VPN software itself. As we can see here, if we have the free version, then to have more diagnostic features as well as to reach out to technical support for assistance we need the full version, but what we could do if we're limited to the free option for now is export the logs. So that's one way, from the FortiClient software itself. But let's take a look at the FortiGate, which might even be a better place to start. On the FortiGate, we can look at our SSL VPN dashboard to take a look at which users are currently authenticated to SSL VPN. As we can see here too, two-factor authentication is not enabled; that's definitely something we should consider down the road, and in the future I'll make a video on this as well. But for now this is an idea of where we can see who's currently connected. Another item we can do is go to Log & Report, Events, VPN Events. Here we can see all of the activity with SSL and even IPsec tunnels, but in this case, for example, I can see that about 10 minutes ago, at 1:55, a user failed to authenticate, and we can look at a bit of the details here. In this particular case we added an extra "t", so the username was incorrect, and that's why the user could not authenticate. Another option we have for real-time troubleshooting would be to use the debug: diag debug application sslvpn -1, then diag debug enable to enable the debug, and also diag debug console timestamp enable so we can associate a timestamp with all logs. So if, for example, I'm trying to type in just random credentials, we just want to generate traffic on that debug. There we go. So we can sift through here and, based on the timestamp, identify maybe where an issue could be lying.

Additionally, another item that we have available to us, as always, is going to be our network packet capture. Maybe we would create a packet capture to look for destination traffic going to 192.168.112.2, protocol 1, if we're going to be trying to sniff for ping traffic. Let's start that capture and let's run a ping. OK, there we go, let's do our ping here. And this is the view of the packet capture on the internal interface; in my case obviously it worked, but in your case if it doesn't, maybe this can help you identify where the issue is. Another item that we could do is go to our firewall policy and maybe enable NAT, even just for troubleshooting purposes. What NAT will do is, even though the traffic originates from the SSL VPN tunnel, the actual end device will see the packets coming from 192.168.112.1, which is the internal interface in this particular case. This might help us identify if there's possibly a different routing configuration that we have on the end device, or if there's something in between the FortiGate and the end machine we're trying to communicate with that has a different routing table or a different ACL configuration. It may also just end up helping us identify if maybe there's a firewall configured on the end machine that we're trying to communicate with. Just a good troubleshooting tool here. We could leave it enabled full time, but a lot of times we can disable it as well, in the case that we want all of our destination devices to be able to identify which source IP the traffic arrived from on the server machine.

So that wraps up this tutorial. We will be going over two-factor authentication and authenticating to, say, an LDAP or RADIUS server in the future, but for now we have an idea of how to configure SSL VPN in tunnel mode and web mode. Thanks for joining.
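The captions walk through the GUI; the following is an added example (not taken from the video or from Fortinet documentation) that collects the same steps as a FortiOS CLI session: the listener and group-to-portal mapping from the SSL-VPN Settings page, the `dns-suffix` line the video sets in the CLI, the split-tunnel and RDP bookmark settings of the full-access portal, the policy from the tunnel interface to the LAN, and the debug and sniffer commands used in the troubleshooting section. Object names are assumptions chosen for illustration: interface `wan1`, the default tunnel pool `SSLVPN_TUNNEL_ADDR1`, an address object `Internal_subnet` for 192.168.112.0/24, a user group `SSL_VPN_Users`, and the built-in `Fortinet_Factory` certificate. Lines beginning with `#` are annotations, not commands to type.

```fortios
# Added example, not the video's own configuration. Assumed names: wan1,
# SSLVPN_TUNNEL_ADDR1, Internal_subnet, SSL_VPN_Users, Fortinet_Factory.

# 1. Listener, certificate, client DNS, and group-to-portal mapping
config vpn ssl settings
    set source-interface "wan1"              # listen only on the WAN side
    set source-address "all"
    set port 10443                           # must not collide with admin-sport
    set servercert "Fortinet_Factory"        # swap for a CA-issued cert before go-live
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-server1 192.168.112.105          # internal resolver, public backup
    set dns-server2 8.8.8.8
    set dns-suffix "domain.com"              # lets clients resolve "server123" unqualified
    set default-portal "web-access"          # catch-all: "All Other Users/Groups"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_Users"
            set portal "full-access"
        next
    end
end

# 2. Portal: split tunnel limited to named routes, plus the RDP bookmark
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Internal_subnet"   # routes pushed to FortiClient
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows 10 PC"
                        set apptype rdp
                        set host "192.168.112.2"
                        set port 3389
                        set security tls     # start with TLS, change if the host rejects it
                    next
                end
            next
        end
    next
end

# 3. Policy from the ssl.root tunnel interface to the LAN, scoped to the group
config firewall policy
    edit 0
        set name "SSL-VPN to internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_subnet"
        set groups "SSL_VPN_Users"           # unauthenticated tunnel traffic never matches
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                      # enable only while troubleshooting reachability
        set logtraffic all
    next
end

# 4. Troubleshooting session from the captions
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
# ...reproduce the failing login, read the timestamped output, then stop:
diagnose debug disable
diagnose debug reset

# ICMP to the RDP host as seen on the internal interface (verbosity 4, 10 packets)
diagnose sniffer packet internal 'host 192.168.112.2 and icmp' 4 10
```

Two practitioner notes on this layout. The `set groups` line on the policy, not just the authentication rule, is what keeps the tunnel interface from being a route into the LAN for any session the FortiGate has accepted; leaving it off is the usual way "any user" silently becomes "anyone". And the debug should be switched off and reset once the session is captured, because `-1` logs at full verbosity for every connection attempt hitting the listener, which on a public-facing port is not only your own test logins.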
Info
Channel: ToThePoint Fortinet
Views: 6,587
Keywords: fortinet, remote work, vpn, work from home, work at home, how to, ssl vpn, fortinet ssl, fortinet vpn, fortigate vpn, fortigate ipsec, remote worker, fortigate remote, vpn tutorial, vpn how to, ttp fortinet, tothepoint, to the point fortinet, telework, tunnel mode, web mode, dns suffix, vpn windows, vpn mac, vpn android, vpn ios, vpn linux
Id: C7dl1iYbGv8
Length: 15min 35sec (935 seconds)
Published: Mon Jan 31 2022