How to Configure SSL VPN on FortiGate FortiOS 7 - FortiGate Remote Access

Video Statistics and Information

Captions
Hi guys, this is D' IgoroTech. Today we are going to configure SSL VPN on FortiGate FortiOS version 7. SSL VPN will allow remote users to connect to the FortiGate device to access the internal network using FortiClient for Android, iOS, Windows and even some Linux operating systems. Internet traffic can also flow to the FortiGate for security scanning. We have two options. Option one is we will only allow remote users to connect to the network and access the internal network 192.168.1.0 with /24 subnet. The next option, we will allow remote users to access the internal network and also we will allow internet traffic to pass through the FortiGate for security scanning. This will be based on your topology or on your preferences. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you.

I'm currently running FortiOS version 7.0. This version has some new amazing features, which is very interesting. Let's check the interfaces. You can see our internal network, which is 192.1 with /24 subnet, and my internet-facing interface, or my WAN, is the Maxis, which is running through VLAN and it's a sub-interface. Let's proceed.

First we have to create an SSL VPN user account. Go to User & Authentication, User Definition, Create New. For new account, set type to Local User, then click Next. Enter your desired username and password, click Next. We're not going to enable the two-factor authentication for now, click Next. We will leave it enabled since we are going to use the account. Click Submit. You can see the account created.

Next is we are going to create a group and add the user which we just created. Go to User Groups, Create New. We will give a name of SSL VPN to make it simple. Type is Firewall. To add members, click on the plus sign, then add the account created. You can add multiple accounts. Once done, click OK. You can see the group created and also the members of the group. You can double-click to edit or add more users.

Next is adding or editing the SSL VPN portal. Go to VPN, SSL-VPN Portals. You can click Create New to create a new portal. You can also edit the pre-configured portals. We have three options: the full access, tunnel mode only and web access only. We will choose the full access to allow tunnel and web access.

This is one of the new updates for version 7. You have three options for split tunneling. You can disable: all client traffic will be directed over the SSL VPN tunnel, even your internet traffic will pass through the FortiGate. Enabled Based on Policy Destination: only client traffic in which the destination matches the destination of the configured firewall policies will be directed over the SSL VPN tunnel. This policy will allow you to access the internal network but you will use your own internet connection to browse the internet. Lastly, Enabled for Trusted Destinations: only client traffic which does not match explicitly trusted destinations will be directed over the SSL VPN tunnel. You can choose option 2 if you want to access the internal network only and you want to use your own internet connection to browse the internet. This will also reduce the FortiGate workload. We will go through the other option later on.

Under Routing Address Override we will select the LAN IP/netmask, since we want to access only the internal network. Click on the plus sign, create address, enter your preferred name. Type is Subnet, IP/netmask is 192.168. Click OK. Now add the newly created address.

Next is the Source IP Pools. This IP range will be the IP address received by the SSL VPN remote users. You can use the pre-configured SSL VPN address or you can change it based on your preference. Click on the plus sign, create address. We will make it simple: SSL VPN address. Type is Subnet. Enter your preferred address. For this demo we will use 10.0.0.0/24. Now add the newly created address. Make sure that this IP/netmask is not in use or it won't conflict with the remote user's address. It's better not to use a common IP/netmask.

Scroll down. You can allow clients to save their password, allow clients to connect automatically, allow clients to keep the connection alive. You can also enable DNS split tunneling. You can also create your new predefined bookmarks. Once done, click OK to apply.

Next is we are going to configure the SSL VPN settings. For the Listen on Interface, select your internet-facing interface or your WAN. In my case it's the Maxis. You can add more if you have multiple WAN connections. For the Listen on Port, we will configure it as 10 43 to avoid conflict with the web access. You can configure it based on your preference. It will tell you that the web mode access will be listening to this link. For the idle logout, the SSL VPN remote user will be automatically disconnected if inactive or no activity for 300 seconds or 5 minutes. You can modify it if you want. Leave Server Certificate to default. You can enable Require Client Certificate.

For the address range, we must match it to the address range of the SSL VPN portal we configured earlier. Click on the plus sign, then select the SSL VPN address we have configured earlier. For the DNS server, you can set it as default or you can input your preferred DNS server, or if you have an internal DNS server. For the Authentication/Portal Mapping, click on Create New, enter the SSL VPN user group we have created, set the portal to the one we edited, which is the full access. Once done, click OK to apply. For other users and groups you can select any.

Don't save it yet. Scroll up and you will see these new features of FortiOS 7: the API Preview. Click on it and you will see the changes we are about to apply. You can copy to clipboard. You will also have the option to edit from CLI here. Notice that there are no changes yet because we haven't applied the configuration. Scroll down and click Apply. Now go back to Edit in CLI. You can now see the changes and you can edit it from here.

Next is we will create the SSL VPN policy. Go to Firewall Policy, Create New. You can leave or edit the ID number. Name would be SSL VPN to LAN. Incoming interface would be the SSL VPN interface, outgoing would be the internal or LAN. For the source, you have to add the SSL VPN address we created. Also you have to add the SSL VPN user group. For the destination, select the internal address. Schedule to always, services to all. Since we're not going out to the internet, then we will disable the NAT.

You must enable the appropriate security profiles: the antivirus for spyware and other content-level threats. This policy is not going out to the internet so we don't need web filter and DNS filter. We will enable the application control for application restrictions, IPS for malware attack and underlying vulnerabilities. This is all based on your preference. For the Log Allowed Traffic, better choose All Sessions for troubleshooting purposes. Once done, click OK to apply. You can now see the created policy: policy name, the source, the destination, schedule, services, NAT, the security profiles running, etc.

Now open your FortiClient. You can check my video on how to download and install the FortiClient. I uploaded the video for version 6.4 and for this version 7. Since we configured the SSL VPN, then we will add it on the SSL VPN tab. You can check my other video on how to configure IPsec VPN. Enter your preferred connection name. Description is optional. For the remote gateway, you will enter the dynamic DNS or the public IP address of the remote site. We have customized the port, so check the box and enter the port number. Click on Save Login for you not to enter your username every time you want to connect. Enter the username, then click Save. Now enter your password, then click Connect.

You can see the connection name, the IP address which we configured on the FortiGate, the username, time duration, bytes received and bytes sent. Let's check the interfaces. Notice the gateway is 192.168.1.1. We should be able to ping and access this IP since the ping and HTTPS access has been enabled. Ping 192.168.1.1: success. Now let's access the FortiGate through web, https 192.168.1.1: success. You can check the firewall policy and you can see the traffic for the SSL VPN policy.

For the next process, this is if you want your internet traffic to go through the FortiGate for security scanning. Disconnect the FortiClient first. Go back to SSL-VPN Portals, double-click to edit the full access. We will disable the split tunneling. All client traffic will be directed over the SSL VPN tunnel. The Routing Address Override will be automatically removed. Click OK to save.

Next, go to Firewall Policy. We will create a new policy for SSL VPN to access the internet. You must change the policy ID since zero is in use. You will receive an error if the ID is already in use. Give a name of SSL VPN to WAN. Incoming interface will be the SSL VPN interface. Outgoing interface will be the internet-facing interface or the WAN, which in my case is the Maxis. Source will be the SSL VPN address and also the SSL VPN group. Destination will be all. We can now select all since the split tunneling is disabled. Services to all. Enable NAT since this policy is going out to the internet. Now enable the appropriate security profiles. It is recommended that you enable all of the security profiles available for better security, but again this will be based on your preferences or customer's request. For the Log Allowed Traffic, select All Sessions. Once done, click OK to save. You can now see the SSL VPN policy for internal network access and also for internet access.

Now let's reconnect the FortiClient. Notice that we have the option to save password, auto connect and always up, since we enabled these features from the FortiGate. Let's test to access fortinet.com. Now let's check the policy. Notice that there's traffic for the SSL VPN to WAN. You can check your IP address and it will be changed to the remote site public IP address.

Now let's check the logs. Go to Dashboard, then FortiView Sources. You can see the SSL VPN username and IP address. Double-click on it. You can verify the username and IP address of the SSL VPN user. Go to Destinations and you can see the website fortinet.com which we just accessed.

Well, that's all for today's demonstration. Feel free to leave your comments and suggestions below. Please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you and see you in the next video.
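Added example, not part of the video or its captions: a small Python check of the address plan and split-tunneling behaviour described in the walkthrough. It reports which networks the SSL VPN pool overlaps and whether a destination is sent over the tunnel in each of the three portal modes. The mode labels, the client-side networks and the 203.0.113.0/24 destination are constructed for illustration.

```python
import ipaddress

# Values from the walkthrough: LAN 192.168.1.0/24, SSL VPN pool 10.0.0.0/24.
LAN = "192.168.1.0/24"
POOL = "10.0.0.0/24"
# Constructed sample of networks remote users might sit on (not from the video).
CLIENT_NETWORKS = ["192.168.0.0/24", "10.0.0.0/16", "172.20.10.0/28"]


def pool_conflicts(pool, lan, client_networks):
    """Return every network (LAN or client-side) that overlaps the VPN pool."""
    pool_net = ipaddress.ip_network(pool)
    return [n for n in [lan, *client_networks]
            if pool_net.overlaps(ipaddress.ip_network(n))]


def via_tunnel(mode, dest, policy_dests=(), trusted_dests=()):
    """Decide whether client traffic to dest is sent over the SSL VPN tunnel.

    mode is a hypothetical label for the three portal options described:
      "disabled" - split tunneling off, everything goes over the tunnel
      "policy"   - only destinations of the configured firewall policies
      "trusted"  - everything except explicitly trusted destinations
    """
    addr = ipaddress.ip_address(dest)

    def matches(networks):
        return any(addr in ipaddress.ip_network(n) for n in networks)

    if mode == "disabled":
        return True
    if mode == "policy":
        return matches(policy_dests)
    if mode == "trusted":
        return not matches(trusted_dests)
    raise ValueError(f"unknown split-tunneling mode: {mode}")


if __name__ == "__main__":
    print("pool overlaps:", pool_conflicts(POOL, LAN, CLIENT_NETWORKS))
    for mode in ("disabled", "policy", "trusted"):
        for dest in ("192.168.1.1", "203.0.113.10"):
            tunneled = via_tunnel(mode, dest, policy_dests=[LAN],
                                  trusted_dests=["203.0.113.0/24"])
            print(f"{mode:9} {dest:13} -> {'tunnel' if tunneled else 'local'}")
```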
Info
Channel: D' IgoroTech
Views: 5,375
Keywords: how to configure ssl vpn, fortigate ssl vpn configuration, fortigate ssl vpn, fortigate ssl vpn configuration guide, ssl vpn, fortios 7 ssl vpn, fortios 7, fortigate ssl vpn guide, ssl vpn configuration, sslvpn configuration, how to configure ssl vpn on fortigate, ssl vpn tutorial, fortigate training, fortigate tutorial, fortigate firewall ssl vpn, forticlient, ipsec vpn, sslvpn, how to configire, fortinet sslvpn, fortios 7 sslvpn, install forticlient, configure ssl vpn
Id: EODHJq59iTI
Length: 14min 55sec (895 seconds)
Published: Sat Jun 19 2021