kvimaladevi, Staff
Article Id 248563
Description


This article describes how to secure the FortiGate public IP and port linked with SSL VPN.


Scope


FortiGate.


Solution


FortiGate listens for SSL VPN connection requests on the public IP of the interface selected in the SSL VPN settings. Because that public IP and port must stay reachable for legitimate remote users, they cannot simply be blocked for unknown sources; the options below reduce the exposure of the portal to unknown users instead.

1) Implement two-factor authentication for all accounts:

Two-factor authentication prevents an attacker from logging in to an account with only a username and password. With the second factor, the attacker also needs something the user holds, such as the smartphone (in the case of a push token) or the current 6-digit code (in the case of a mobile or hardware token).

2) Ensure that admin users have no access to the SSL VPN portal
It is recommended to differentiate between user accounts that are allowed to access VPN solutions and administrative accounts that are only allowed to access the administrative interfaces.

3) Change the listening port for the SSL VPN portal:

Using a non-default port is an easy but effective measure against attackers who only probe the default port of an application. Do not forget to change the port on all VPN clients as well; otherwise their connections will break.

4) Limit the count of failed login attempts until the user is banned:
Fortinet has a KB article regarding the implementation of a login limit for SSL VPN under:

https://community.fortinet.com/kb/documentLink.do?externalID=FD48714

5) Restrict the source IP address area:
If users only need access to the SSL VPN portal from a specific source address or range, it is possible to limit the allowed source addresses to those addresses:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

6) Also consider implementing local-in policies, so that traffic from untrusted sources is dropped before it reaches the SSL VPN daemon on the FortiGate at all:

https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/363127/local-in-policies

7) Ensure that a no-access profile is enabled for 'All Other Users/Groups':
At the bottom of the Authentication/Portal Mapping table in 'SSL-VPN Settings', there is an entry for 'All Other Users/Groups'. It is recommended to map it to a portal that allows no access, so that any user or group not explicitly listed in the mappings above is denied:


# config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set allow-user-access ping
        set limit-user-logins enable
        set forticlient-download disable
    next
end


# config vpn ssl settings
    set default-portal "no-access"
end


In addition to disallowing access for 'All Other Users/Groups', it is also possible to restrict access for users and groups inside the firewall policies.


Configure those policies as selectively and restrictively as possible: limit the source interface to the SSL VPN tunnel interface, the source address to the tunnel IP pool, the user group to the VPN users, and the destination and service to what those users actually need.
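The following FortiOS CLI configuration is an added example, not part of this article's own configuration, that puts options 1 and 3 to 6 above and the restrictive firewall policy together in one place. Interface names (wan1, port2), the trusted source range 203.0.113.0/24, the port 10443, the user and group names, the address object "internal-servers" and the FortiToken serial are assumptions chosen for illustration; replace them with values from your own environment.

```text
# 1) Two-factor authentication on a local VPN user.
#    Password and FortiToken serial are placeholders (assumed values).
config user local
    edit "vpnuser1"
        set type password
        set passwd <strong-password>
        set two-factor fortitoken
        set fortitoken <FTK-serial-placeholder>
    next
end

# 2) A dedicated group for VPN users; administrator accounts are not members.
config user group
    edit "sslvpn-users"
        set member "vpnuser1"
    next
end

# 5) Address object for the only source range that may reach the portal (assumed range).
config firewall address
    edit "trusted-vpn-sources"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 3), 4), 5), 7) Non-default port, login lockout, source restriction,
# and the no-access portal as the default for everyone not mapped below.
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "trusted-vpn-sources"
    set login-attempt-limit 3
    set login-block-time 300
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "tunnel-access"
        next
    end
end

# 6) Local-in policies: accept the trusted range on the SSL VPN port,
#    drop every other source before it reaches the SSL VPN daemon.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted-vpn-sources"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end

# Restrictive firewall policy from the tunnel interface: only the VPN group,
# only the tunnel IP pool, only the internal servers and services they need.
config firewall policy
    edit 10
        set name "sslvpn-to-internal"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "internal-servers"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
        set nat disable
    next
end
```

Local-in policies are evaluated top down, so the accept rule for the trusted range must have the lower ID than the deny rule. Apply the port change and the local-in deny rule last, and only after the VPN clients have been updated, because both cut off every client that still uses the old port or connects from an address outside the trusted range.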