Technical Tip: Hardening FortiGate SSL VPN - best practices for enhanced security
Description
This article describes essential steps to harden FortiGate SSL VPN configurations. It covers key practices such as changing the default SSL VPN ports, implementing DoS policies to block port scans, disabling unnecessary portal modes, and blocking port mapping applications. Additionally, it emphasizes the importance of enabling Multi-Factor Authentication (MFA) or using certificate-based authentication to secure VPN access. Advanced IPS sensor configurations are also recommended to detect post-attack anomalies.
Scope
FortiGate.
Solution
- Create a Local-In Policy.
- Change SSL VPN Ports.
- Create a DoS Policy.
- Create an Application Control Policy.
- Create an IPS Sensor for Post-Attack Detection.
- Create a No-Tunnel Portal and Disable Modes.
- Use Realms.
- Enable Multi-Factor Authentication (MFA).
- Ban Weak Encryption and Cipher Suites for SSL VPN.
- Use Signed SSL Certificates.
- Additional Security Considerations.
First: Create a Local-In Policy.
Purpose.
Local-in policies control the traffic that reaches the FortiGate unit itself, allowing administrators to specify which traffic is permitted or denied based on source address groups. In the example below, GeoIP is utilized to restrict SSL VPN access to specific countries only.
Command Line.
config firewall address
edit "US"
set type geography
set country "US"
next
end
config firewall addrgrp
edit "AllowedCountries"
set member "US"
next
end
Create a service for custom Ports.
config firewall service custom
edit "SSLVPN Port"
set tcp-portrange 10443
next
end
Local-in policy config.
config firewall local-in-policy
edit 1
set intf "port1" <----- WAN interface.
set srcaddr "AllowedCountries"
set dstaddr "all"
set service "SSLVPN Port" <----- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action accept
set schedule "always"
next
edit 2
set intf "port1" <----- WAN interface.
set srcaddr "all"
set dstaddr "all"
set service "SSLVPN Port" <----- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action deny
set schedule "always"
next
end
Explanation.
- AllowedCountries: This address group contains the GeoIP address objects for the permitted countries ('US' in the example above), so only trusted sources are allowed.
- Policy 1: Accepts traffic from allowed countries.
- Policy 2: Denies all other traffic on the WAN interface.
Alternatively, the same result can be achieved with a single local-in policy by using the 'Negate' option. Here is the configuration using 'set srcaddr-negate enable':
config firewall local-in-policy
edit 0
set intf "port1" <----- WAN interface.
set srcaddr "AllowedCountries"
set dstaddr "all"
set service "SSLVPN Port" <----- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action deny
set srcaddr-negate enable <----- This command will negate the rule and will block all source addresses except those defined in the 'srcaddr' field.
set schedule "always"
next
end
To further enhance security, limit access through the SSL VPN settings.
Command line.
config vpn ssl settings
set source-address "AllowedCountries"
end
As an added protective measure, Threat Feeds may be integrated to prevent connections from known malicious IP addresses, domains, URLs and file hashes maintained in trusted threat intelligence repositories.
This configuration enables automated blocking of indicators of compromise (IOCs) sourced from reputable internal or external intelligence providers. Integration of these feeds helps mitigate SSL VPN abuse attempts, brute-force attacks, TOR exit nodes, botnet infrastructure and other known malicious sources before access to firewall services is established.
To configure this, refer to:
- Technical Tip: How to use a Threat Feed with SSL VPN
- Technical Tip: Prevent Malicious IP addresses from accessing SSL VPN with brute-force attacks on FortiGate
Examples of publicly available third-party threat intelligence feeds (not maintained by Fortinet) include:
- WallaceBRF ASN IP List
- Borestad AbuseIPDB Blocklist
- Borestad FireHOL Mirror Blocklists
- BruteForceBlocker IP Blacklist
- Tor Exit Node IP List
- Emerging Threats Compromised IP Blocklist
- Spamhaus DROP List
- CINS Army Bad Guys IP List
- Stamparm IPSum Malicious IP List
- ShadowWhisperer Malicious IP Lists
- Romain Marcoux Malicious IP List
- ThreatFox IOC IP Blocklist
Additionally, this configuration aligns conceptually with IP Reputation filtering, where built-in IP Reputation Database Objects under the Internet Service Database can be leveraged.
These reputation objects are maintained by FortiGuard Labs, which aggregates malicious IP intelligence from multiple global sources.
IP Reputation Database Objects may be used as a Source Address in a Local-in Policy to block malicious IP addresses before access to services such as SSL VPN, administrative interfaces or other exposed services is allowed.
To properly configure this feature, refer to Technical Tip: IP Reputation Database Objects as Source Address in Local-in policy.
Second: Change SSL VPN ports.
Purpose.
Changing the default SSL VPN port enhances security by reducing exposure to automated attacks.
Command line.
config vpn ssl settings
set port <custom port>
end
Explanation.
Replace '<custom port>' with the desired port number. Ensure it is not in use by other services.
Third: Create a DoS Policy.
Purpose.
Denial of Service (DoS) policies help protect against port scanning and other malicious activities.
Command line.
config firewall DoS-policy
edit 1
set name "Block-PortScanner"
set interface "port1" <----- WAN interface.
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
edit "tcp_port_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <----- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 200
next
edit "udp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <----- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 500
next
edit "sctp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <----- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 300
next
end
end
Explanation.
- Action Block: Denies traffic that exceeds the defined thresholds for scanning.
- Quarantine Attacker: Temporarily bans offending IP addresses.
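The DoS policy above only quarantines an attacker for the quarantine-expiry period (1 minute by default), so a persistent scanner reappears in the anomaly log once the ban lapses. The following added example (not from this article or from Fortinet) parses FortiGate-style key=value anomaly log lines, keeps the events the DoS policy blocked, and reports sources that came back in separate scan episodes after the quarantine expired. The sample lines are constructed for the example, and the field names (srcip, attack, action, profile, msg) are assumptions modelled on the FortiGate log layout rather than a guaranteed schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real FortiGate output). Field names follow the
# key=value style of FortiGate anomaly logs but are assumptions for this example.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:05 type="anomaly" subtype="anomaly" srcip=198.51.100.7 dstip=203.0.113.10 srcintf="port1" action="clear_session" attack="tcp_port_scan" profile="Block-PortScanner" count=201 msg="anomaly: tcp_port_scan, 201 > threshold 200"
date=2024-05-01 time=10:02:30 type="anomaly" subtype="anomaly" srcip=198.51.100.7 dstip=203.0.113.10 srcintf="port1" action="clear_session" attack="tcp_port_scan" profile="Block-PortScanner" count=230 msg="anomaly: tcp_port_scan, 230 > threshold 200"
date=2024-05-01 time=10:03:00 type="anomaly" subtype="anomaly" srcip=192.0.2.44 dstip=203.0.113.10 srcintf="port1" action="clear_session" attack="udp_scan" profile="Block-PortScanner" count=510 msg="anomaly: udp_scan, 510 > threshold 500"
date=2024-05-01 time=10:03:01 type="traffic" subtype="forward" srcip=192.0.2.9 dstip=203.0.113.10 action="accept" service="tcp/10443"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Split one FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def block_events(log_text):
    """Return (timestamp, srcip, attack) for every anomaly line in which the DoS
    policy blocked the session (action=clear_session); other log types are skipped."""
    events = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("type") != "anomaly" or rec.get("action") != "clear_session":
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, rec["srcip"], rec["attack"]))
    return events


def scan_episodes(log_text, quarantine_expiry_s=60):
    """Count separate blocked scan episodes per source IP. A block more than
    quarantine_expiry_s after the previous one means the source came back after
    the quarantine (1 minute by default in the article's policy) expired."""
    by_src = defaultdict(list)
    for ts, src, _ in block_events(log_text):
        by_src[src].append(ts)
    episodes = {}
    for src, stamps in by_src.items():
        stamps.sort()
        count, last = 0, None
        for ts in stamps:
            if last is None or (ts - last).total_seconds() > quarantine_expiry_s:
                count += 1
            last = ts
        episodes[src] = count
    return episodes


def repeat_offenders(log_text, quarantine_expiry_s=60):
    """Sources blocked in two or more separate episodes: candidates for a longer
    quarantine-expiry, a threat-feed entry, or a local-in deny instead of a 1-minute ban."""
    return sorted(src for src, n in scan_episodes(log_text, quarantine_expiry_s).items()
                  if n >= 2)


if __name__ == "__main__":
    print("episodes per source:", scan_episodes(SAMPLE_LOGS))
    print("repeat offenders:", repeat_offenders(SAMPLE_LOGS))
```

With the constructed sample, 198.51.100.7 is blocked twice 145 seconds apart, so with the default 1-minute quarantine it counts as two episodes and is reported; raising quarantine_expiry_s to 600 collapses the two blocks into one episode, which is the effect a longer quarantine-expiry would have on the FortiGate.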
Fourth: Create an Application Control Policy.
Purpose.
To block specific applications that may pose a risk or are not required for business operations.
Command Line.
config application list
edit "BlockPortMappingApps"
set comment "Block PortMappings"
config entries
edit 1
set application 16267 <----- PortMap Application ID.
next
end
next
end
Explanation.
This policy will block applications that use port mapping, enhancing the network's integrity. Apply this Application Control Profile to all internet-facing policies.
Fifth: Create an IPS sensor for Post-Attack detection
Purpose.
An Intrusion Prevention System (IPS) sensor helps detect and respond to suspicious activities on the network.
Command Line.
config ips sensor
edit "PostAttackSensor"
config entries
edit 1
set rule 107937793 24903681 12880
set action block
next
end
next
end
Explanation.
This IPS sensor is configured to block traffic matching known attack signatures, including:
- TCP.Bad.Flags.
- ICMP.Invalid.Packet.Size.
- ICMP.Oversized.Packet.
Sixth: Create a No-Tunnel Portal and Disable tunnel mode, Web mode, and FortiClient.
Purpose.
A no-tunnel portal simplifies SSL VPN access while enhancing security by limiting access modes.
Command Line.
config vpn ssl web portal
edit "no-tunnel"
set tunnel-mode disable
set web-mode disable
set forticlient-download disable
next
end
config vpn ssl settings
set default-portal "no-tunnel"
end
Explanation.
This configuration makes a portal with web mode, tunnel mode and the FortiClient download disabled the default, so users who are not in a VPN user group get no access mode, reducing complexity and potential vulnerabilities.
Seventh: Use Realms.
Purpose.
Realms can be used to authenticate a certain group to a certain portal/realm with specific settings.
It can also be used to hide, to a certain extent, the URL on which the SSLVPN service is publicly available.
Command Line.
config vpn ssl web portal
edit "no-access"
set tunnel-mode disable
set web-mode disable
set forticlient-download disable
next
end
config vpn ssl web realm
edit "tun" <----- The realm name is the URL path appended to the SSL VPN address.
next
end
config vpn ssl settings
set port 44444
set default-portal "no-access" <----- Portal with no tunnel or web access.
config authentication-rule
edit 6
set groups "Ldap-Tunnel-Users"
set portal "full-access"
set realm "tun"
next
end
end
Explanation.
The 'Ldap-Tunnel-Users' group is mapped to the portal 'full-access', which by default gives access to the tunnel and web portal.
To reach this service, however, the user must append /tun to the SSL VPN server URL.
If the user or an attacker does not specify the correct URL (https://<fortigate-ip-fqdn>:44444/tun in this example), they land on the default portal, which has no SSL VPN service enabled.
Eighth: Enable Multi-Factor Authentication (MFA).
Purpose.
Multi-factor authentication (MFA) adds an additional layer of security by requiring users to provide two or more verification factors.
Knowledge base articles:
- SSL VPN with Azure plus Microsoft Multifactor Authenticator:
  - Create SSL VPN with Azure SAML SSO Authentication
  - SSL VPN with Azure SAML Authentication with Multi-Factor Authentication
  - Configuring FortiClient VPN with Multifactor Authentication
  - How to Configure MFA with NPS Extension
- SSL VPN with FortiToken as Multifactor Authenticator
- Okta Multifactor Authenticator for Fortinet VPN
- Fortinet SSL VPN with G Suite MFA using SAML | SSO
- Duo 2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Automatic Push
- SAML SSL VPN using Duo
- SSL VPN with Certificate Authentication
- Email Two-Factor Authentication
Explanation.
Ensure that users are enrolled in Multifactor Authentication to enhance the security of the SSL VPN.
Ninth: Ban Weak Encryption and Cipher Suites for SSL VPN to be more compliant.
Purpose.
To enhance the security of SSL VPN connections by controlling the allowed TLS versions and cipher suites.
Command Line.
config vpn ssl settings
set algorithm {high | medium | low}
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305
set banned-cipher RSA
end
Cipher suite options.
- low: Use any cipher suite; AES, 3DES, RC4, or DES.
- medium: Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.
- high: Use a cipher suite greater than 128 bits; AES or 3DES.
Algorithm options.
- default: High and medium algorithms.
- high: High algorithms only.
- low: All algorithms.
Important note.
Removing old ciphers and SSL versions may impact clients using outdated browsers or older versions of FortiClient. Verify the SSL versions and ciphers supported by clients before making these changes.
Knowledge base articles:
- Technical Tip: How to control the SSL version and cipher suite for SSL VPN
- Technical Tip: Disable AES CBC ciphers for SSL VPN and Admin GUI (HTTPS) Access
- Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices
Tenth: Use Signed SSL Certificates.
Purpose.
To prevent SSL VPN users from encountering security warnings, a valid SSL certificate signed by a trusted certificate authority (CA) should be installed.
Procuring and Importing a Signed SSL Certificate in FortiGate
Eleventh: Additional security considerations.
Disable web mode.
If it is not being used, disable web mode in SSL VPN to reduce the attack surface. See Technical Tip: How to disable SSL VPN Web Mode or Tunnel Mode in SSL VPN portal.
Limit simultaneous logins.
Limit failed login attempts to three and block further attempts for 24 hours. Additionally, prevent the same user from holding more than one session at a time, and restrict the operating system versions that may connect.
Command Line:
config vpn ssl web portal
edit "portal-name"
set limit-user-logins enable
next
end
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 86400 <----- 24 hours in seconds.
end
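Several of the steps above (the custom port in the second section, the TLS minimum version in the ninth, and the login limits and portal modes in this section) are single 'set' lines that are easy to miss in a long running configuration. The following added example (not from this article or from Fortinet) parses FortiOS CLI configuration text into nested dictionaries and audits the SSL VPN settings against those steps; the thresholds it checks (port other than 443, TLS 1.2 minimum, 3 login attempts, 86400-second block, tunnel and web mode disabled on the default portal, limit-user-logins enabled) are the values this article recommends. The two sample configurations are constructed for the demonstration.

```python
import shlex

# Added example (not Fortinet's code): parse FortiOS CLI config text and audit the
# SSL VPN settings against the hardening steps in this article. The two configs
# below are constructed samples, not output from a real device.

WEAK_CONFIG = """\
config vpn ssl settings
    set port 443
    set default-portal "full-access"
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
    next
end
"""

HARDENED_CONFIG = """\
config vpn ssl settings
    set port 10443
    set ssl-min-proto-ver tls1-2
    set ssl-max-proto-ver tls1-3
    set source-address "AllowedCountries"
    set login-attempt-limit 3
    set login-block-time 86400
    set default-portal "no-tunnel"
end
config vpn ssl web portal
    edit "no-tunnel"
        set tunnel-mode disable
        set web-mode disable
        set forticlient-download disable
        set limit-user-logins enable
    next
end
"""


def _node():
    return {"set": {}, "config": {}, "edit": {}}


def parse_fortios(text):
    """Build nested dicts from FortiOS CLI text: 'config ...' and 'edit <name>'
    open child nodes, 'set <key> <values...>' stores values, 'next'/'end' close."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours the double quotes FortiOS uses
        cmd, args = tokens[0], tokens[1:]
        node = stack[-1]
        if cmd == "config":
            stack.append(node["config"].setdefault(" ".join(args), _node()))
        elif cmd == "edit":
            stack.append(node["edit"].setdefault(args[0], _node()))
        elif cmd == "set":
            node["set"][args[0]] = args[1:]
        elif cmd == "unset":
            node["set"].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line}")
    return root


def audit_sslvpn(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_fortios(config_text)
    settings = cfg["config"].get("vpn ssl settings", _node())["set"]
    portals = cfg["config"].get("vpn ssl web portal", _node())["edit"]

    def first(key, default=None):
        return (settings.get(key) or [default])[0]

    findings = []
    if first("port", "443") == "443":          # 443 is the FortiOS default
        findings.append("SSL VPN listens on the default port 443")
    if first("ssl-min-proto-ver") not in ("tls1-2", "tls1-3"):
        findings.append("ssl-min-proto-ver is not explicitly tls1-2 or tls1-3")
    if "source-address" not in settings:
        findings.append("no source-address restriction (e.g. a GeoIP group)")
    attempts = first("login-attempt-limit")
    if attempts is None or int(attempts) > 3:
        findings.append("login-attempt-limit missing or above 3")
    block = first("login-block-time")
    if block is None or int(block) < 86400:
        findings.append("login-block-time missing or below 86400 seconds")
    portal = first("default-portal")
    if portal is None:
        findings.append("no default-portal configured")
    elif portal not in portals:
        findings.append(f"default-portal {portal!r} is not defined")
    else:
        for mode in ("tunnel-mode", "web-mode"):
            if (portals[portal]["set"].get(mode) or ["unset"])[0] != "disable":
                findings.append(f"default portal {portal!r}: {mode} not explicitly disabled")
    for name, pnode in portals.items():
        if (pnode["set"].get("limit-user-logins") or [""])[0] != "enable":
            findings.append(f"portal {name!r}: limit-user-logins not enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sslvpn(text) or 'no findings'}")
```

Feed it the output of 'show vpn ssl settings' and 'show vpn ssl web portal' copied from the device; a portal whose modes are simply not shown is reported as "not explicitly disabled" rather than assumed safe, because the script only trusts what the configuration states.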
OS restrictions.
Go to VPN -> SSL-VPN Portals -> Portal Name -> Restrict to specific OS versions.

SSL VPN Web Portal Path Traversal via Bookmarks.
While configuring the SSL VPN Web Portal, be aware that HTTP/HTTPS bookmarks can potentially allow path traversal and unauthorized access if not properly controlled. Bookmarks are not a filtering or access control mechanism - they simply define convenience shortcuts for users.
To mitigate risk:
- Do not rely on bookmarks for access restriction, as their purpose is not filtering.
- Always enforce granular firewall policies to explicitly deny unwanted traffic to internal resources not intended for VPN access.
- Review and validate any bookmark destinations to ensure they do not inadvertently expose sensitive systems.
- Implementing strict firewall rules in combination with VPN portal configuration is essential for comprehensive protection.
Conclusion.
By implementing these configurations on a FortiGate, it is possible to significantly enhance the network's security posture. Regularly review and update policies to adapt to evolving threats.
Notes:
Starting from FortiOS v7.6.3, the SSL VPN tunnel mode feature is no longer available in the GUI and CLI. Settings will not be upgraded from previous FortiOS versions. This applies to all FortiGate models. See Migration from SSL VPN tunnel mode to IPsec VPN.
Also, starting from FortiOS v7.4.8, the GUI and CLI of FortiGate G-Series Entry-Level models (including 50G, 70G, 90G, and variants) no longer support the SSL VPN web and tunnel mode feature. See SSL VPN not supported on FortiGate G-series Entry-Level models.