JNDias (Staff)
Article Id 258665
Description

This article describes why SSL VPN web mode's URL rewriting is becoming unreliable and presents alternatives. Most web pages are dynamic; for example, JavaScript is used to construct URL links at run time.
This makes it much more difficult for the web-mode proxy to locate and rewrite the URLs in the pages returned by HTTP(S) servers (sometimes it is simply impossible to do properly).

The complexity of this URL rewriting keeps increasing, so it is becoming recommended to use the alternatives presented in this article.


All the alternatives presented in this article support the AV, web filter, DLP and IPS features, unlike SSL VPN web mode, which has very limited support for those features.

Recommendation reminder: VPN or not, it is always good practice to use long passwords together with 2FA/MFA.

 

Scope

 

FortiGate v7.0, v7.2, v7.4.

 

Solution

The options are listed from most to least recommended.

  1. Non-VPN remote access: the ZTNA access proxy feature, and FortiSASE.

ZTNA requires additional configuration with EMS (FortiClient Endpoint Management Server); it is considered the most secure option.
 
Related documents for this alternative:
 
FortiSASE (Secure Access Service Edge) can include ZTNA as well:

 

  2. Use IPsec remote access.
IPsec is very flexible and has multiple clients, and its traffic can be offloaded to the NPU (Network Processor).
There are many validated implementations; refer to the Remote access section of the admin guide.
 
  3. Use SSL VPN tunnel mode.
With this method, the user installs FortiClient to access the internal network and authenticates with their credentials.
It can be configured in Full Tunnel or Split Tunnel mode.
 
Related documents for this alternative:
 
  4. A VIP, PAT, or 'Virtual Server' together with 'firewall policy authentication'.
This is very useful for those who already have an authentication process in place.
With this method, the user does not need to install anything on the client side.
The server is exposed, but only behind authentication (VPN or not, it is always good practice to use long passwords together with 2FA/MFA).
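As an added example that is not part of this article, the following FortiOS CLI sketch shows this option: a port-forwarding VIP for an internal web server, and an inbound firewall policy that only admits authenticated members of a user group and applies security profiles. All interface names, addresses, user, group and profile names are assumed.

```text
# Added example (not from the KB article): publish an internal HTTPS server
# through a port-forwarding VIP and require user-group authentication on the
# inbound firewall policy. All names, addresses and interfaces are assumed.

# 1. VIP: public 203.0.113.10:443 -> internal 10.0.0.20:443 (example addresses)
config firewall vip
    edit "web-srv-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.20"
        set extport 443
        set mappedport 443
    next
end

# 2. User group the policy authenticates against (assumed name; the local
#    user "alice" must already exist under "config user local"). In practice,
#    point the group at LDAP/RADIUS/SAML and enforce 2FA/MFA there.
config user group
    edit "remote-users"
        set member "alice"
    next
end

# 3. Inbound policy: unauthenticated clients are prompted to log in, only
#    members of "remote-users" reach the VIP, and AV/IPS profiles are applied.
config firewall policy
    edit 0
        set name "inbound-web-auth"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-srv-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "remote-users"
        set utm-status enable
        # certificate-inspection sees only the TLS handshake; to scan the
        # HTTPS payload, use an SSL/SSH profile that holds the server's own
        # certificate (protecting an SSL server).
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Verify with `diagnose firewall auth list` that a session is only created after the user has authenticated, and review the traffic log for denied attempts against the VIP.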
 
Related documents for this alternative: