Description
This article describes essential steps to harden FortiGate SSL VPN configurations. It covers key practices such as changing the default SSL VPN ports, implementing DoS policies to block port scans, disabling unnecessary portal modes, and blocking port mapping applications. Additionally, it emphasizes the importance of enabling Multi-Factor Authentication (MFA) or using certificate-based authentication to secure VPN access. Advanced IPS sensor configurations are also recommended to detect post-attack anomalies.
Scope
FortiGate.
Solution
- Create a Local-In Policy.
- Change SSL VPN Ports.
- Create a DoS Policy.
- Create an Application Control Policy.
- Create IPS Sensor for Post-Attack Detection.
- Create a No-Tunnel Portal and Disable Modes.
- Use Realms.
- Enable Multi-Factor Authentication (MFA).
- Ban Weak Encryption and Cipher Suites for SSL VPN.
- Use Signed SSL Certificates.
- Additional Security Considerations.
First: Create a Local-In Policy.
Purpose.
Local-in policies control the traffic that reaches the FortiGate unit itself, allowing administrators to specify which traffic is permitted or denied based on source address groups. In the example below, GeoIP is utilized to restrict SSL VPN access to specific countries only.
Command Line.
config firewall address
edit "US"
set type geography
set country "US"
next
end
config firewall addrgrp
edit "AllowedCountries"
set member "US"
next
end
Create Service for Custom Ports.
config firewall service custom
edit "SSLVPN Port"
set tcp-portrange 10443
next
end
Local-In Policy Config.
config firewall local-in-policy
edit 1
set intf "port1" # WAN interface
set srcaddr "AllowedCountries"
set dstaddr "all"
set service "SSLVPN Port" <- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action accept
set schedule "always"
next
edit 2
set intf "port1" # WAN interface
set srcaddr "all"
set dstaddr "all"
set service "SSLVPN Port" <- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action deny
set schedule "always"
next
end
Explanation.
- AllowedCountries: This address group contains the GeoIP address object 'US', so only sources that geolocate to the United States are treated as trusted. Add further geography objects to the group for any other permitted country.
- Policy 1: Accepts traffic from the allowed countries to the SSL VPN port.
- Policy 2: Denies traffic to the SSL VPN port from every other source on the WAN interface. Local-in policies are evaluated top-down, so the accept policy must precede the deny policy.
As a second layer, apply the same restriction in the SSL VPN settings so that only sources in the group can start an SSL VPN session at all.
Command Line.
config vpn ssl settings
set source-address "AllowedCountries"
end
Second: Change SSL VPN Ports.
Purpose.
Moving the SSL VPN service off port 443 reduces the noise from mass scanners and automated login attempts that target the default port. It does not stop a targeted attacker, so treat it as a complement to the local-in policy, MFA and patching, not as a substitute for them.
Command Line.
config vpn ssl settings
set port <custom port>
end
Explanation.
Replace '<custom port>' with the desired port number (10443 in the examples in this article). It must not collide with a port already bound on the FortiGate, in particular the HTTPS administrative port (admin-sport in 'config system global'), and the local-in policy service created earlier must be updated to match the new port.
Third: Create a DoS Policy.
Purpose.
Denial of Service (DoS) policies help protect against port scanning and other malicious activities.
Command Line.
config firewall DoS-policy
edit 1
set name "Block-PortScanner"
set interface "port1" # WAN interface
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
edit "tcp_port_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 200
next
edit "udp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 500
next
edit "sctp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 300
next
end
end
Explanation.
- Action Block: Denies traffic that exceeds the defined thresholds for scanning.
- Quarantine Attacker: Temporarily bans offending IP addresses.
Fourth: Create an Application Control Policy.
Purpose.
To block specific applications that may pose a risk or are not required for business operations.
Command Line.
config application list
edit "BlockPortMappingApps"
set comment "Block PortMappings"
config entries
edit 1
set application 16267 <- PortMap Application ID.
set action block
set log enable
next
end
next
end
Explanation.
Each entry blocks the listed application signature and logs the hit. An application list has no effect on its own: attach it as the Application Control profile of every internet-facing firewall policy (with UTM enabled) so that port-mapping tools cannot be used to expose internal services.
Fifth: Create IPS Sensor for Post-Attack Detection.
Purpose.
An Intrusion Prevention System (IPS) sensor helps detect and respond to suspicious activities on the network.
Command Line.
config ips sensor
edit "PostAttackSensor"
config entries
edit 1
set rule 107937793 24903681 12880
set status enable
set log enable
set action block
next
end
next
end
Explanation.
This IPS sensor blocks and logs traffic matching the following known attack signatures:
- TCP.Bad.Flags
- ICMP.Invalid.Packet.Size
- ICMP.Oversized.Packet
Like the application list, the sensor only takes effect once a firewall policy references it.
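Neither the application list from the Fourth section nor the IPS sensor above inspects anything until a firewall policy references them. The following added example (not part of the original article) attaches both profiles to an internet-facing policy. The policy ID 10, the interface names (port2 as LAN, port1 as WAN), the use of flow-based inspection and the built-in 'certificate-inspection' SSL/SSH profile are assumptions; adjust them to the environment.

```fortios
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port2"                   # LAN interface (assumed)
        set dstintf "port1"                   # WAN interface (assumed)
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable                 # without this, no security profile is applied
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"   # needed for application control to classify TLS flows
        set application-list "BlockPortMappingApps"    # from the Fourth section
        set ips-sensor "PostAttackSensor"              # from the Fifth section
        set logtraffic all
        set nat enable
    next
end
```

Repeat the two 'set application-list' and 'set ips-sensor' lines on every other policy that allows traffic to the internet; a policy without 'set utm-status enable' silently ignores both profiles.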
Sixth: Create a No-Tunnel Portal and Disable Tunnel Mode, Web Mode, and FortiClient Download.
Purpose.
A portal with every access mode disabled gives anyone who is not matched by an explicit authentication rule nothing to use: no tunnel, no web portal and no FortiClient download page. Making it the default portal limits the exposed attack surface to the login form itself.
Command Line.
config vpn ssl web portal
edit "no-tunnel"
set tunnel-mode disable
set web-mode disable
set forticlient-download disable
next
end
config vpn ssl settings
set default-portal "no-tunnel"
end
Explanation.
The 'no-tunnel' portal is assigned to any user who authenticates without matching an authentication rule for a specific group, so only groups that are explicitly mapped to a working portal (see the realms section) obtain tunnel or web access. This reduces both complexity and the number of reachable code paths.
Seventh: Use Realms.
Purpose.
Realms map a user group to a specific portal with its own settings.
They also hide, to a certain extent, the URL on which the SSL VPN service is publicly available, because each realm is reached through its own path.
Command Line.
config vpn ssl web realm
edit "tun"
next
end
config vpn ssl web portal
edit "no-access"
set tunnel-mode disable
set web-mode disable
set forticlient-download disable
next
end
config vpn ssl settings
set port 44444
set default-portal "no-access" <- Portal with no access modes enabled.
config authentication-rule
edit 6
set groups "Ldap-Tunnel-Users"
set portal "full-access"
set realm "tun"
next
end
end
Explanation.
The 'Ldap-Tunnel-Users' group is mapped to the 'full-access' portal, which by default enables both tunnel mode and the web portal, but only within the 'tun' realm.
To reach it, the user must append /tun to the SSL VPN server URL.
If a user or an attacker does not specify the correct URL, https://<fortigate-ip-fqdn>:44444/tun in this example, they land on the default portal, which has no SSL VPN access mode enabled.
Eighth: Enable Multi-Factor Authentication (MFA).
Purpose.
Multi-factor authentication adds a layer of security by requiring users to present two or more verification factors, so a leaked or guessed password alone is not enough to establish a VPN session.
Knowledge base articles:
SSL VPN with Azure plus Microsoft Multifactor Authenticator.
- Create SSL VPN with Azure SAML SSO Authentication
- SSL VPN with Azure SAML Authentication with Multi-Factor Authentication
- Configuring FortiClient VPN with Multifactor Authentication
- How to Configure MFA with NPS Extension
SSL VPN with FortiToken as Multifactor Authenticator.
Okta Multifactor Authenticator for Fortinet VPN.
Fortinet SSL VPN with G Suite MFA using SAML | SSO.
Duo 2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Automatic Push.
SAML SSL VPN using Duo.
SSL VPN with Certificate Authentication.
Explanation.
Ensure that every account permitted to use the SSL VPN is enrolled in MFA (or authenticates with a client certificate); an unenrolled account is the one an attacker will target.
Ninth: Ban Weak Encryption and Cipher Suites for SSL VPN to be more compliant.
Purpose.
To enhance the security of SSL VPN connections by controlling the allowed TLS versions and cipher suites.
Command Line.
config vpn ssl settings
set algorithm high <- Options: high, medium, default, low. 'high' permits only high-strength suites.
set ssl-min-proto-ver tls1-2
set ssl-max-proto-ver tls1-3
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 <- TLS 1.3 suites to allow.
set banned-cipher RSA <- Removes TLS 1.2 suites that use RSA key exchange, which lack forward secrecy. Suites that authenticate with an RSA certificate over ECDHE remain available.
end
Algorithm Options.
- low: Use any cipher suite; AES, 3DES, RC4, or DES.
- medium: Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.
- high: Use a cipher suite greater than 128 bits; AES or 3DES. This is the recommended setting.
- default: High and medium algorithms.
Important note.
Removing old ciphers and SSL versions may impact clients using outdated browsers or older versions of FortiClient. Verify the SSL versions and ciphers supported by clients before making these changes.
Tenth: Use Signed SSL Certificates.
Purpose.
To prevent SSL VPN users from encountering security warnings, a valid SSL certificate signed by a trusted certificate authority (CA) should be installed.
Eleventh: Additional Security Considerations.
Disable Web Mode.
If it is not being used, disable web mode in every SSL VPN portal ('set web-mode disable') to reduce the attack surface.
Limit Login Attempts and Simultaneous Logins.
Allow at most three failed login attempts, then block the source for 24 hours. Additionally, prevent a user from holding more than one SSL VPN session at a time, and restrict the client operating system versions that may connect.
Command Line.
config vpn ssl web portal
edit "portal-name"
set limit-user-logins enable
next
end
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 86400 <- 24 hours in seconds
end
OS restrictions.
Go to VPN -> SSL-VPN Portals -> Portal Name -> Restrict to Specific OS Versions
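The settings introduced in the sections above are spread across the article, but they all belong to the single 'vpn ssl settings' object. The following added example (not from the original article) shows how they combine into one hardened block. The certificate name 'vpn.example.com', port 10443, authentication-rule ID 1, and the portal, realm and group names are assumptions chosen to be consistent with the earlier sections; substitute the names used in the environment.

```fortios
config vpn ssl settings
    set servercert "vpn.example.com"        # CA-signed certificate imported on the FortiGate (name assumed)
    set port 10443                          # matches the "SSLVPN Port" service in the local-in policy
    set source-address "AllowedCountries"   # GeoIP address group from the First section
    set source-address-negate disable
    set default-portal "no-tunnel"          # portal with no access modes enabled
    set algorithm high
    set ssl-min-proto-ver tls1-2
    set ssl-max-proto-ver tls1-3
    set banned-cipher RSA                   # no RSA key exchange, forward secrecy only
    set login-attempt-limit 3
    set login-block-time 86400              # 24 hours
    config authentication-rule
        edit 1
            set groups "Ldap-Tunnel-Users"  # only this group reaches a working portal
            set portal "full-access"
            set realm "tun"                 # reachable at https://<fortigate-ip-fqdn>:10443/tun
        next
    end
end
```

With this block in place, a connection from outside the allowed countries is dropped by the local-in policy before authentication, a connection that reaches the server without the /tun path receives a portal with no access modes, and a matched user still has to pass MFA on the 'Ldap-Tunnel-Users' group before a tunnel is established.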
Conclusion.
By implementing these configurations on a FortiGate device, it is possible to significantly enhance the network's security posture. Regularly review and update policies to adapt to evolving threats.