SusanEmelia
New Member
December 29, 2023
Question

SSL VPN Vulnerabilities and Best Practices Discussion

  • December 29, 2023
  • 3 replies
  • 4555 views

I'm currently experimenting with SSL VPN on my FortiGate 40F at home. I've taken some precautions by implementing a self-generated CA/cert PKI. How do you approach SSL VPN security?

3 replies

dbu
Staff
Staff
December 29, 2023

Hi @SusanEmelia ,

Here are some best practices to secure the SSL VPN:

- Integrate with authentication servers
- Use a non-factory certificate (you already generated a certificate)
- Use multi-factor authentication
- Deploy user certificates for remote SSL VPN users
- Define the minimum supported TLS version
- If you have multiple groups and portals, it is wise to configure SSL VPN multi-realm

SusanEmelia
New Member
January 2, 2024
pavankr5
Staff
Staff
December 29, 2023

Hello @SusanEmelia

- You can implement multifactor authentication for user logins.
- Regularly update the FortiGate firmware and FortiClient to patch known vulnerabilities and ensure you're using the latest security features.
- Set session timeout limits and idle logout policies to automatically disconnect inactive sessions, reducing the window for unauthorized access.
- Enable logging and monitoring features to track user activities, detect anomalies, and respond to security incidents promptly.
  https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor
- Educate users about best practices for VPN usage, including safeguarding credentials, recognizing phishing attempts, and reporting suspicious activities.

Let us know if you have any queries.

Thanks
Pavan


Immu
Explorer III
December 29, 2023

Hi,

As @dbu wrote, use two-factor authentication...

Good to know: You do not need to buy any FortiTokens, if you use method via mail.

But you can only set this via CLI (the `next`/`end` lines close the entry and the table):

    config user local
        edit <username>
            set two-factor email
            set email-to <email address>
        next
    end

Of course you need an SMTP server configured for your firewall.

But I have only done that with local users (you can ask if you have any problems...).


Additionally, I would use security profiles like SSL inspection and IPS (especially if the users use their own hardware...).


Non- or less-security aspect

And nobody has mentioned split tunneling yet. I suggest you make use of split tunneling.

So traffic which is destined for the internet gets routed through the local router, e.g. in the home office, instead of through your firewall.
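As an added example (not code from this thread or from Fortinet): a small Python audit that parses a FortiOS-style config export and checks it against the points raised above, a non-factory server certificate, a minimum TLS version, client certificates, an idle timeout, and a two-factor method on every local user. The config text is constructed; the keys `servercert`, `ssl-min-proto-ver`, `reqclientcert` and `idle-timeout` are the `config vpn ssl settings` names, and the threshold values are the auditor's choice, not FortiOS defaults.

```python
# Constructed FortiOS-style export used as sample input (not from a real device).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set ssl-min-proto-ver tls1-1
    set idle-timeout 300
end
config user local
    edit "alice"
        set two-factor email
        set email-to "alice@example.com"
    next
    edit "bob"
    next
end
"""

def parse_fortios(text):
    """Turn 'config ... edit ... set ... next ... end' blocks into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):              # open a table
            node = {}
            (stack[-1] if stack else root)[line[7:]] = node
            stack.append(node)
        elif line.startswith("edit "):              # open an entry inside a table
            node = {}
            stack[-1][line[5:].strip().strip('"')] = node
            stack.append(node)
        elif line.startswith("set "):               # key/value inside the current block
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif line in ("next", "end"):               # close entry / table
            stack.pop()
    return root

def audit_sslvpn(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings, ssl = [], cfg.get("vpn ssl settings", {})
    if ssl.get("servercert", "Fortinet_Factory") == "Fortinet_Factory":
        findings.append("servercert: factory certificate in use, install your own CA-signed cert")
    if ssl.get("ssl-min-proto-ver") not in ("tls1-2", "tls1-3"):
        findings.append("ssl-min-proto-ver: set an explicit minimum of tls1-2 or tls1-3")
    if ssl.get("reqclientcert") != "enable":
        findings.append("reqclientcert: client certificates are not required")
    if ssl.get("idle-timeout", "0") == "0":          # 0 disables the idle disconnect
        findings.append("idle-timeout: idle sessions are never disconnected")
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor", "disable") == "disable":
            findings.append(f"user {name}: no two-factor method configured")
    return findings
```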

dbu
Staff
Staff
December 29, 2023

Adding further, it is worth mentioning that you also have two free FortiToken Mobile tokens.