Article Id 224968



This article describes the configuration of a FortiGate acting as an SSLVPN client.




FortiOS 7.0 and newer versions




The FortiGate as SSLVPN client feature was introduced in FortiOS 7.0.0.

Note: Any Certificate Authority can be used to generate the SSLVPN server certificate. In this KB, Microsoft Certificate Services is used as the CA.


Components used:


FortiGate A - as the SSLVPN server

FortiGate B - as the SSLVPN client

AD - acting as LDAP server and Root CA (Certificate Authority)




1) Retrieve the CA certificate of the Microsoft CA and upload it to the FortiGates:


Log on to the Root Certification Authority Web Enrollment Site.

Usually, the Web Enrollment Site resides at one of the following links:

http://<ip_address>/certsrv or http://<fqdn>/certsrv

ip_address = Root Certification Authority server IP.

fqdn = Fully qualified domain name of the Root Certification Authority server.


Select Download CA certificate.

Save the file 'certnew.cer' to the local disk.

Upload the CA certificate to FortiGate A and FortiGate B:




2) Generate a Certificate Signing Request (CSR) on FortiGate A for the SSLVPN server certificate.




The FQDN sslvpn.test.local must resolve to the IP address(es) of the interface(s) configured to accept SSLVPN connections on FortiGate A. Clients then connect by that name, which matches the server certificate, and no certificate warnings are shown.


3) Download the Certificate Signing Request and upload it to the CA to generate the certificate.

Download the CSR file (it will be saved as sslvpn-server-cert.csr).




Log on to the Root Certification Authority Web Enrollment Site with a domain Admin account.






Open sslvpn-server-cert.csr in a text editor, copy the certificate request and paste it into the 'Saved Request' field.




Once submitted, download the certificate.




After downloading the certificate, upload it to FortiGate A:




4) Configure SSLVPN on FortiGate A and use the freshly imported certificate as the server certificate:




Be sure to configure SSLVPN authentication rules and firewall policies. The group name used in 'set groups' must match the user group name exactly:


# config user group
    edit "sslvpn-users"
        set member "spoke1" "spoke2"
    next
end

# config vpn ssl settings
    set servercert "sslvpn-server-cert"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "tunnel-access"
        next
    end
end

# config firewall policy
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end





5) On FortiGate B, configure the pki peer, the SSLVPN tunnel interface, the SSLVPN client and the appropriate firewall rules:

Note: CA_Cert_2 is the CA certificate that was imported previously on FortiGate B. The pki peer makes the client validate the server certificate against this CA.


# config user peer
    edit "peer"
        set ca "CA_Cert_2"
    next
end

# config system interface
    edit "sslvpn_tun"
        set vdom "root"
        set type ssl
        set snmp-index 9
        set interface "port1"
    next
end

# config vpn ssl client
    edit "sslvpn-tunnel"
        set interface "sslvpn_tun"
        set user "spoke1"
        set psk ENC **********
        set peer "peer"
        set server "sslvpn.test.lab" <- Make sure to define the SSLVPN server as the FQDN that matches the server certificate, not as an IP address
        set port 1443
    next
end

# config firewall policy
    edit 1
        set name "11"
        set srcintf "port2"
        set dstintf "sslvpn_tun"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end




On FortiGate A, verify the connection:

# diag vpn ssl list
[191:root]sconn=0x7f5a1c0e4f00, from( task=tunnel2_loop, fd=31(1:1),35(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0

# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User     Group          Auth Type   Timeout   Auth-Timeout   From   HTTP in/out   HTTPS in/out   Two-factor Auth
 0       spoke1   sslvpn-users   16(1)       294       26499                 0/0           0/0            0

SSL-VPN sessions:
 Index   User     Group          Source IP   Duration   I/O Bytes   Tunnel/Dest IP
 0       spoke1   sslvpn-users               2301       104880/0


On FortiGate B, a default route through the tunnel interface should be present:

FortiGate B # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S* [10/0] is directly connected, sslvpn_tun, [1/0]
C is directly connected, sslvpn_tun
C is directly connected, port1


Details of the SSLVPN connection on the SSLVPN client can be checked with the command:

# diag vpn ssl client peer list