FortiGate
Author: sprashant (Staff)
Article Id 331260
Description This article describes common SSL VPN best practices to consider when configuring SSL VPN on a FortiGate in order to strengthen its security.
Scope FortiGate.
Solution

Note: 

  1. For models with 2GB or less RAM, SSL VPN web and tunnel mode are removed from the GUI and CLI in v7.6 and later. See: SSL VPN to dial-up VPN migration
  2. The SSL VPN feature will no longer be available starting from v7.6.3: SSL VPN tunnel mode no longer supported

 

Changing the default port:

By default, SSL VPN listens on port 443. It is recommended to change the port to something other than 443, 10443, or 8443, since these are the most commonly used SSL VPN ports and therefore the ones most often probed.

 

From CLI:

config vpn ssl settings
    set port 11243
end

 

Restrict Access:

 

Restrict SSL VPN access to a defined set of sources rather than the whole Internet. This can be done in two ways:

  1. Creating an address group containing the public IPs of the allowed hosts.
  2. Selecting a geography, for example the US or Canada.
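Both approaches expressed in the FortiOS CLI, as an added example that is not part of the original article. The object names, the 203.0.113.10 host (a documentation address range) and the wan1 interface are assumed placeholders; the address group combines one public host with the US geography object and is then bound to the SSL VPN listener through source-address, so only members of the group can reach the login at all.

```fortios
# Allowed public host (constructed example address)
config firewall address
    edit "SSLVPN_ALLOWED_HQ"
        set subnet 203.0.113.10 255.255.255.255
    next
    # Geography object: all addresses FortiGuard maps to the US
    edit "SSLVPN_ALLOWED_US"
        set type geography
        set country "US"
    next
end

# One group holding every permitted source, so the SSL VPN settings
# reference a single object that can be extended later
config firewall addrgrp
    edit "SSLVPN_ALLOWED_SOURCES"
        set member "SSLVPN_ALLOWED_HQ" "SSLVPN_ALLOWED_US"
    next
end

# Bind the listener to the WAN interface and to the allow-list.
# source-address-negate disable keeps the list an allow-list, not a deny-list.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "SSLVPN_ALLOWED_SOURCES"
    set source-address-negate disable
end
```

After applying, `show vpn ssl settings` should display the source-interface and source-address lines; connections from sources outside the group are refused by the SSL VPN daemon, although they still reach the interface (a local-in policy is what stops them earlier).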


Users should either be authenticated by 2FA or authenticated elsewhere (LDAP, RADIUS, SAML).

 

The recommendation is to always have two-factor authentication enabled if the users are defined locally.

Even when users are authenticated on an external server, some form of MFA should still be in place, as it adds another layer of security.

There is also an option to configure PKI certificates as MFA. For more details, see this section of the administration guide.
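A local user with email-based two-factor authentication and the group that a portal or authentication rule would reference, added here as an example rather than taken from the article. The user name, email address, group name and the password placeholder are assumed; email delivery depends on the FortiGate's system email server being configured. FortiToken-based 2FA uses the same two-factor setting with a provisioned token instead of email.

```fortios
# Local user: password plus a one-time code sent to the listed address
config user local
    edit "alice"
        set type password
        set passwd "<set-a-strong-password>"
        set two-factor email
        set email-to "alice@example.com"
    next
end

# Group used by the SSL VPN portal mapping; only members can log in
config user group
    edit "SSLVPN_USERS"
        set member "alice"
    next
end
```

With two-factor set, the password alone never completes the login: the SSL VPN prompts for the emailed code as a second step.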

 

Creating a local-in policy:

Failed SSL VPN login attempts from the Internet are common. To drop this traffic at the interface level, before it reaches the SSL VPN daemon and generates login-failure logs, configure a local-in policy.


To create a local-in policy, see the administration guide.

As of FortiOS v7.6 and above, the local-in policy can be created from the GUI as well. See Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI
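A local-in policy pair for the custom SSL VPN port, written as an added example and not copied from the article or the linked guide. The wan1 interface, the 11243 port (matching the port-change example earlier), the 203.0.113.0/24 allowed range and the object names are assumed. Policy 1 admits the allowed sources; policy 2 drops every other connection to that port before it reaches the SSL VPN daemon, so no login-failure log is produced for it. Local-in policies are evaluated top to bottom, so the accept entry must come first.

```fortios
# Service object for the non-default SSL VPN port
config firewall service custom
    edit "SSLVPN_11243"
        set tcp-portrange 11243
    next
end

# Allowed source range (constructed example network)
config firewall address
    edit "SSLVPN_ALLOWED_NET"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall local-in-policy
    # 1: permit the allow-listed sources to the SSL VPN port
    edit 1
        set intf "wan1"
        set srcaddr "SSLVPN_ALLOWED_NET"
        set dstaddr "all"
        set action accept
        set service "SSLVPN_11243"
        set schedule "always"
    next
    # 2: silently drop everyone else on that port at the interface
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSLVPN_11243"
        set schedule "always"
    next
end
```

If the SSL VPN also listens on IPv6, the equivalent entries go under `config firewall local-in-policy6` with an IPv6 address object. Keep a management path that does not depend on this port so that a mistake in the allow-list cannot lock out administration.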

 

If access cannot be restricted with a geography block, a good alternative is an automation stitch that blocks source addresses based on SSL VPN login failures.

For more information, refer to this KB article: Technical Tip: How to permanently block SSL VPN failed logins using an Automation Stitch

 

Limit SSL VPN login attempts, set the block duration, and restrict parallel logins:

The default login-attempt-limit for SSL VPN is 2, and the default block duration is 60 seconds.

Tune these parameters to mitigate brute-force attempts.

 

See Technical Tip: How to limit SSL VPN login attempts and block duration.

 

As a best practice, limit a user to one login only. Go to VPN -> SSL VPN -> Select a portal: 'Limit Users to One SSL-VPN Connection at a Time'.


In the CLI:

config vpn ssl web portal
    edit "<Portal Name>"
        set limit-user-logins enable
    next
end

 

This ensures that each user has only one active session: if a second login is made with the same user, the existing session is disconnected.

 

Disabling web mode and the replacement message:

 

If web mode is not in use, disable it under the portal assigned to the user group:


Since web mode is not in use, also remove the replacement message under the SSL VPN Login Page as an additional safety measure, so that nothing is served to unauthenticated browsers.


For more details, see Technical Tip: How to prevent the SSL VPN web login portal from displaying when SSL VPN web mode is ... and Technical Tip: How to create a blank page for SSL VPN Portal with replacement messages


Use the Custom Web Portal as the default portal:
Use a custom web portal with tunnel mode and web mode disabled for the default portal.

config vpn ssl web portal
    edit "NO_ACCESS"
        set forticlient-download disable
    next
end

config vpn ssl settings
    set default-portal "NO_ACCESS"
end

Disabling weak ciphers and TLS protocols for SSL VPN:

FortiGate supports multiple SSL/TLS versions and cipher suites. It is recommended to require at least TLS 1.2, that is, to allow only TLS 1.2 and 1.3.

 

config vpn ssl settings
    set ssl-max-proto-ver <version>
end

Available values for <version>:

    tls1-0    TLS version 1.0.
    tls1-1    TLS version 1.1.
    tls1-2    TLS version 1.2.
    tls1-3    TLS version 1.3.
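The login-attempt limits described earlier and the TLS hardening from this section both live in the same settings table, so here they are combined into one block, added as an example and not taken from the article. The values 3 attempts and 300 seconds are assumed choices (the article states the defaults as 2 and 60), and the high algorithm setting is the stricter cipher level alongside the protocol bounds.

```fortios
config vpn ssl settings
    # Brute-force throttling: block for 300 s after 3 failed logins
    set login-attempt-limit 3
    set login-block-time 300
    # Refuse TLS 1.0 and 1.1 handshakes; negotiate only TLS 1.2 or 1.3
    set ssl-min-proto-ver tls1-2
    set ssl-max-proto-ver tls1-3
    # Restrict the offered cipher suites to the high-strength set
    set algorithm high
end
```

Confirm the result with `show full-configuration vpn ssl settings` and check the ssl-min-proto-ver, ssl-max-proto-ver and login-* lines. Clients that only support TLS 1.0/1.1 will fail the handshake after this change, which is the intended effect.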


Related articles:

FortiGate encryption algorithm cipher suites - FortiGate administration guide

Troubleshooting Tip: SSL VPN Troubleshooting

Technical Tip: SSL VPN with external DHCP Server

Technical Tip: How to increase the SSL-VPN tunnel mode bandwidth for small model (multi SSL-VPN clie...

Technical Tip: Reasons for the 'iprope_in_check() failed' error in SSL VPN

Troubleshooting Tip: Error 'SSL-VPN slow file transfer issue'

Troubleshooting Tip: Checking maximum number of SSL VPN users using ‘diagnose vpn ssl statistics’

Technical Tip: FortiGate IPSec VPN Resource List

Technical Tip: FortiGate Resource Lists