Created on 10-14-2024 04:29 AM. Edited on 08-12-2025 07:09 AM by M_Abdelhamid.
This article describes essential steps to harden FortiGate SSL VPN configurations. It covers key practices such as changing the default SSL VPN ports, implementing DoS policies to block port scans, disabling unnecessary portal modes, and blocking port mapping applications. Additionally, it emphasizes the importance of enabling Multi-Factor Authentication (MFA) or using certificate-based authentication to secure VPN access. Advanced IPS sensor configurations are also recommended to detect post-attack anomalies.
Scope: FortiGate.
First: Create a Local-In Policy.
Purpose.
Local-in policies control traffic destined to the FortiGate itself (management, VPN and similar services) and match on the incoming interface, source address, destination address and service. In the example below, a geography address is used so that only connections from the listed countries can reach the SSL VPN port.
Command Line.
config firewall address
edit "US"
set type geography
set country "US"
next
end
config firewall addrgrp
edit "AllowedCountries"
set member "US"
next
end
Create Service for Custom Ports.
config firewall service custom
edit "SSLVPN Port"
set tcp-portrange 10443
next
end
Local-In Policy Config.
config firewall local-in-policy
edit 1
set intf "port1" # WAN interface
set srcaddr "AllowedCountries"
set dstaddr "all"
set service "SSLVPN Port" <- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action accept
set schedule "always"
next
edit 2
set intf "port1" # WAN interface
set srcaddr "all"
set dstaddr "all"
set service "SSLVPN Port" <- If using default, set to 443. Otherwise, change to the custom SSL VPN port number.
set action deny
set schedule "always"
next
end
Explanation.
Policy 1 accepts connections to the SSL VPN port from the allowed countries; policy 2 denies the same port from every other source. Local-in policies are evaluated in order, so the accept policy must come before the deny policy, and the deny policy must match only the SSL VPN service so that other local-in traffic (IPsec, management) is not affected. The geography address relies on the GeoIP database delivered by FortiGuard, so keep it current. To enforce the same restriction inside the SSL VPN daemon as well, set its source address:
Command Line.
config vpn ssl settings
set source-address "AllowedCountries"
end
Second: Change SSL VPN Ports.
Purpose.
Changing the default SSL VPN port enhances security by reducing exposure to automated attacks.
Command Line.
config vpn ssl settings
set port <custom port>
end
Explanation.
Replace '<custom port>' with the desired port number (10443 in the local-in policy example above). The port must not collide with another service listening on the same interface, in particular the HTTPS administrative port (admin-sp under config system global). After changing it, update the custom service used by the local-in policy and the FortiClient connection profiles. A non-default port only reduces noise from automated scanning; it is not a substitute for the access restrictions and MFA described in the other steps.
Third: Create a DoS Policy.
Purpose.
Denial of Service (DoS) policies help protect against port scanning and other malicious activities.
Command Line.
config firewall DoS-policy
edit 1
set name "Block-PortScanner"
set interface "port1" # WAN interface
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
edit "tcp_port_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 200
next
edit "udp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 500
next
edit "sctp_scan"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-expiry 1m <- Default is 1 minute, can be changed to 0d0h1m (d=day, h=hours, m=minutes).
set threshold 300
next
end
end
Explanation.
Each anomaly counts the rate of the relevant packets per source IP. When the rate exceeds the configured threshold, matching packets are blocked, the event is logged, and the source IP is quarantined, which drops all of its traffic until quarantine-expiry elapses (1 minute here). DoS policies are evaluated on the incoming interface before local-in and firewall policies, so apply this one to the WAN interface only, and choose thresholds with care: a legitimate site behind a single NAT address can exceed a low threshold and be quarantined together with the attacker.
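As an added illustration of what the thresholds and quarantine above do (example code written for this article, not Fortinet's implementation), the following Python model replays a constructed packet stream and applies the same per-source rate limits and 1-minute quarantine. FortiOS measures the rate in the kernel and its exact counting is not reproduced here; the one-second bucketing, the (time, source, kind) tuple format and the addresses are assumptions of the model.

```python
"""Simplified model of the DoS-policy anomaly thresholds and attacker quarantine.

Added example, not Fortinet code. FortiOS measures the per-source packet rate in
the kernel; this model approximates it as packets per whole second from one
source IP, using the thresholds from the policy above.
"""
from collections import defaultdict

THRESHOLDS = {"tcp_port_scan": 200, "udp_scan": 500, "sctp_scan": 300}
ANOMALY_FOR = {"tcp-syn": "tcp_port_scan", "udp": "udp_scan", "sctp": "sctp_scan"}


def evaluate(packets, thresholds=THRESHOLDS, quarantine_seconds=60):
    """Replay (time_s, src_ip, kind) tuples; return (dropped, quarantine, events).

    kind is "tcp-syn", "udp" or "sctp". dropped counts discarded packets,
    quarantine maps sources still quarantined to their release time, and
    events records each threshold breach as (src, anomaly, time).
    """
    per_second = defaultdict(int)   # (src, anomaly, whole second) -> packet count
    quarantine = {}                 # src -> release time
    dropped, events = 0, []
    for t, src, kind in packets:
        if src in quarantine:
            if t < quarantine[src]:
                dropped += 1        # quarantine drops everything from the source
                continue
            del quarantine[src]     # expiry reached: the source is released
        anomaly = ANOMALY_FOR.get(kind)
        if anomaly is None:
            continue
        key = (src, anomaly, int(t))
        per_second[key] += 1
        if per_second[key] > thresholds[anomaly]:
            quarantine[src] = t + quarantine_seconds
            events.append((src, anomaly, t))
            dropped += 1            # the packet that crossed the threshold is blocked
    return dropped, quarantine, events


def constructed_traffic():
    """Constructed packet stream: one scanner and one busy but legitimate client."""
    pk = []
    pk += [(10 + i / 400, "203.0.113.50", "tcp-syn") for i in range(400)]  # 400 SYN/s scan burst
    pk += [(10 + i / 150, "198.51.100.7", "tcp-syn") for i in range(150)]  # 150 SYN/s, under threshold
    pk += [(30 + i / 50, "203.0.113.50", "tcp-syn") for i in range(50)]    # still quarantined
    pk += [(75 + i / 5, "203.0.113.50", "tcp-syn") for i in range(5)]      # after the 1-minute expiry
    return sorted(pk)


def run_demo():
    """Evaluate the constructed stream with the article's thresholds."""
    return evaluate(constructed_traffic())


if __name__ == "__main__":
    dropped, quarantine, events = run_demo()
    print("dropped:", dropped, "quarantined now:", quarantine, "breaches:", events)
```

The scanner is allowed 200 SYNs in its first second, the 201st packet (at t = 10.5) triggers the block and a quarantine until t = 70.5, the rest of the burst and the second burst are dropped, and the packets at t = 75 pass because the quarantine has expired; the legitimate client never crosses the threshold.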
Fourth: Create an Application Control Policy.
Purpose.
To block specific applications that may pose a risk or are not required for business operations.
Command Line.
config application list
edit "BlockPortMappingApps"
set comment "Block PortMappings"
config entries
edit 1
set application 16267 <- PortMap Application ID.
set action block <- Block is the default action for an entry; shown explicitly.
next
end
next
end
Explanation.
This profile blocks the PortMap application signature. Application control profiles are applied through firewall policies, so attach it to every internet-facing policy; it does not inspect traffic addressed to the FortiGate itself.
Fifth: Create IPS Sensor for Post-Attack Detection.
Purpose.
An Intrusion Prevention System (IPS) sensor helps detect and respond to suspicious activities on the network.
Command Line.
config ips sensor
edit "PostAttackSensor"
config entries
edit 1
set rule 107937793 24903681 12880
set action block
next
end
next
end
Explanation.
This IPS sensor blocks traffic matching the attack signatures identified by the rule IDs above. IPS sensors are applied through firewall policies, so attach it to the policies whose traffic should be inspected.
Sixth: Create a No-Tunnel Portal and Disable tunnel mode, Web mode, and FortiClient.
Purpose.
A portal with tunnel mode, web mode and the FortiClient download all disabled offers nothing to a user who reaches it. Used as the default portal, it ensures that only users matched by an explicit authentication rule receive a working portal.
Command Line.
config vpn ssl web portal
edit "no-tunnel"
set tunnel-mode disable <- Default for a new portal, shown explicitly.
set web-mode disable <- Default for a new portal, shown explicitly.
set forticlient-download disable
next
end
config vpn ssl settings
set default-portal "no-tunnel"
end
Explanation.
A user who authenticates but matches no more specific authentication rule receives this portal, which has no web access, no tunnel mode and no client download link. Assign the working portal to the intended user groups with authentication rules (see the next step), so that only those groups obtain VPN access.
Seventh: Use Realms.
Purpose.
Realms can be used to authenticate a certain group to a certain portal/realm with specific settings.
It can also be used to hide, to a certain extent, the URL on which the SSL VPN service is publicly available.
Command Line.
config vpn ssl web realm
edit "tun" <- The realm must exist before an authentication rule references it.
next
end
config vpn ssl web portal
edit "no-access"
set tunnel-mode disable
set web-mode disable
set forticlient-download disable
next
end
config vpn ssl settings
set port 44444
set default-portal "no-access" <- Users who do not specify a realm land here.
config authentication-rule
edit 6
set groups "Ldap-Tunnel-Users"
set portal "full-access"
set realm "tun"
next
end
end
Explanation.
The 'Ldap-Tunnel-Users' group is mapped to the portal 'full-access', which by default grants both tunnel mode and web mode, but only through the realm 'tun'.
To reach it, the user must append /tun to the SSL VPN server URL, https://<fortigate-ip-fqdn>:44444/tun in this example.
A user or attacker who omits the realm lands on the default portal 'no-access', which offers neither tunnel nor web mode. Note that the SSL VPN daemon still listens on the base URL and presents a login page, so a realm hides the working portal rather than the service itself; combine it with the local-in policy and MFA steps in this article.
Eighth: Enable Multi-Factor Authentication (MFA).
Purpose.
Multi-factor authentication (MFA) adds an additional layer of security by requiring users to present two or more verification factors, so a stolen or brute-forced password alone is not enough to open a VPN session.
Knowledge base articles:
SSL VPN with Azure plus Microsoft Multifactor Authenticator.
SSL VPN with FortiToken as Multifactor Authenticator.
Okta Multifactor Authenticator for Fortinet VPN.
Fortinet SSL VPN with G Suite MFA using SAML | SSO.
Duo 2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Automatic Push.
SAML SSL VPN using Duo.
SSL VPN with Certificate Authentication.
Email Two-Factor Authentication
Explanation.
Ensure that users are enrolled in Multifactor Authentication to enhance the security of the SSL VPN.
Ninth: Ban Weak Encryption and Cipher Suites for SSL VPN to be more compliant.
Purpose.
To enhance the security of SSL VPN connections by controlling the allowed TLS versions and cipher suites.
Command Line.
config vpn ssl settings
set algorithm high <- Options: high | medium | low.
set ssl-min-proto-ver tls1-2
set ssl-max-proto-ver tls1-3
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 <- TLS 1.3 suites only.
set banned-cipher RSA <- Applies to TLS 1.2 and below; removes RSA key exchange (no forward secrecy).
end
Cipher Suite Options.
Algorithm Options.
Important note.
Removing old ciphers and SSL versions may impact clients using outdated browsers or older versions of FortiClient. Verify the SSL versions and ciphers supported by clients before making these changes.
Knowledge base articles.
Tenth: Use Signed SSL Certificates.
Purpose.
To prevent SSL VPN users from encountering certificate warnings, and from being trained to click through them, install a certificate signed by a trusted certificate authority (CA) whose subject or subject alternative name matches the SSL VPN hostname, then select it with set servercert "<certificate name>" under config vpn ssl settings. The factory 'Fortinet_Factory' certificate is self-signed and should not remain in use on a public-facing service.
Eleventh: Additional Security Considerations.
Disable Web Mode.
If web mode is not being used, disable it in every SSL VPN portal (set web-mode disable under config vpn ssl web portal) to reduce the attack surface.
Limit Simultaneous Logins.
Block further login attempts after three failures for 24 hours, allow each user only one active SSL VPN session at a time (limit-user-logins on the portal), and restrict the client operating system versions that may connect.
Command Line:
config vpn ssl web portal
edit "portal-name"
set limit-user-logins enable <- One active SSL VPN session per user.
next
end
config vpn ssl settings
set login-attempt-limit 3 <- Failed attempts allowed before blocking.
set login-block-time 86400 <- 24 hours in seconds.
end
OS restrictions.
Go to VPN -> SSL-VPN Portals -> Portal Name -> Restrict to Specific OS Versions
SSL VPN Web Portal Path Traversal via Bookmarks
While configuring the SSL VPN Web Portal, be aware that HTTP/HTTPS bookmarks can potentially allow path traversal and unauthorized access if not properly controlled. Bookmarks are not a filtering or access control mechanism - they simply define convenience shortcuts for users.
To mitigate risk:
Do not rely on bookmarks for access restriction, as their purpose is not filtering.
Always enforce granular firewall policies to explicitly deny unwanted traffic to internal resources not intended for VPN access.
Review and validate any bookmark destinations to ensure they don’t inadvertently expose sensitive systems.
Implementing strict firewall rules in combination with VPN portal configuration is essential for comprehensive protection.
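To check that the settings from the steps above were actually applied, the following Python script (an added example for this article, not a Fortinet tool) parses the output of show full-configuration for vpn ssl settings and vpn ssl web portal and reports the weak values each step replaces: the default port, no source restriction, a TLS floor below 1.2, the factory certificate, login limits weaker than 3 attempts / 24 h, a default portal that grants access, and portals without a per-user login limit. Both configuration samples are constructed, and the fallback values used for options missing from the dump are the factory defaults assumed here.

```python
"""Audit a FortiOS configuration dump for the SSL VPN hardening in this article.

Added example, not Fortinet code. Input is the text of `show full-configuration`
for vpn ssl settings and vpn ssl web portal; both samples below are constructed.
"""
import shlex

# Constructed sample: an un-hardened FortiGate with factory-style values.
WEAK_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set ssl-min-proto-ver tls1-1
    set port 443
    set source-address "all"
    set default-portal "full-access"
    set login-attempt-limit 2
    set login-block-time 60
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
    next
end
"""

# Constructed sample after applying the steps in this article.
HARDENED_CONFIG = """\
config vpn ssl settings
    set servercert "vpn.example.com"
    set ssl-min-proto-ver tls1-2
    set port 10443
    set source-address "AllowedCountries"
    set default-portal "no-access"
    set login-attempt-limit 3
    set login-block-time 86400
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set limit-user-logins enable
    next
    edit "no-access"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into nested dicts.

    A `config` block is keyed by its path ("vpn ssl settings"), an `edit`
    entry by its name, and each `set` option maps to its list of values.
    """
    stack = [{}]                        # innermost open block is last
    for raw in text.splitlines():
        tokens = shlex.split(raw)       # honours the double quotes FortiOS emits
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]


def audit_sslvpn(config):
    """Return findings (empty list = all checks passed); fallbacks are assumed factory defaults."""
    settings = config.get("vpn ssl settings", {})
    portals = config.get("vpn ssl web portal", {})

    def opt(key, default):
        return settings.get(key, [default])[0]

    findings = []
    if opt("port", "443") == "443":
        findings.append("port: SSL VPN still listens on the default port 443")
    if opt("source-address", "all") == "all":
        findings.append("source-address: no GeoIP or address-group restriction")
    min_ver = opt("ssl-min-proto-ver", "tls1-1")
    if min_ver not in ("tls1-2", "tls1-3"):
        findings.append(f"ssl-min-proto-ver: {min_ver} permits legacy TLS")
    if opt("servercert", "Fortinet_Factory") == "Fortinet_Factory":
        findings.append("servercert: factory self-signed certificate in use")
    if int(opt("login-attempt-limit", "2")) > 3 or int(opt("login-block-time", "60")) < 86400:
        findings.append("login limits: weaker than 3 attempts / 24 h block")
    default_portal = opt("default-portal", "full-access")
    for name, portal in portals.items():
        grants = (portal.get("tunnel-mode", ["disable"])[0] == "enable"
                  or portal.get("web-mode", ["disable"])[0] == "enable")
        if grants and name == default_portal:
            findings.append(f"default-portal: '{name}' grants tunnel or web access")
        if grants and portal.get("limit-user-logins", ["disable"])[0] != "enable":
            findings.append(f"portal '{name}': concurrent logins per user not limited")
    return findings


def audit_text(text):
    """Parse a configuration dump and audit it in one call."""
    return audit_sslvpn(parse_fortios(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_text(cfg) or ["no findings"])
```

Paste the real dump in place of the samples (or read it from a file); the weak sample produces seven findings and the hardened one none. Use show full-configuration rather than show so that options left at their defaults are still present in the text.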
Conclusion.
By implementing these configurations on a FortiGate, it is possible to significantly enhance the network's security posture. Regularly review and update policies to adapt to evolving threats.
Note:
For v7.6.0 through v7.6.2, on models with 2 GB of RAM or less, SSL VPN web mode and tunnel mode are removed from the GUI and CLI. See SSL VPN to dial-up VPN migration - FortiGate 7.4.6 administration guide.
For v7.6.3 and later, SSL VPN tunnel mode is removed and only web mode remains on the other models. See Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 - FortiGate 7.6.0 new features.
Copyright 2025 Fortinet, Inc. All Rights Reserved.