knaveenkumar (Staff)
Article Id 365009
Description This article describes how to set up a local user for FortiGate to establish SSL VPN connectivity.
Scope FortiGate.
Solution

Step 1: Create a local user on the FortiGate.

To create the user from the GUI:

  • Go to User & Authentication -> User Definition.
  • Select + Create New.
  • Enter the user name and the password, then select OK.

 

(Screenshot: SSL VPN user created)

 

Step 2: Create the SSL VPN user group:

  • Go to User & Authentication -> User Group.
  • Select + Create new and enter the name, then select Next.
  • Add the user to the member list.
  • Select OK.


(Screenshot: SSL VPN user group)

 

Step 3: SSL VPN portal settings:

  1. For a full-access tunnel, disable split tunneling (in that case the user's internet traffic also passes through the FortiGate).
  2. If the user only needs access to the internal server, enable split tunneling and select the LAN subnet as the routing address, so that only LAN-bound traffic uses the tunnel.
  3. In Source IP Pools, enter the SSL VPN address range (the source pool on the SSL VPN portal takes precedence over the source pool in the SSL VPN settings).
  4. Select OK.

(Screenshot: SSL VPN portal settings)

 

Step 4: SSL VPN settings:

  1. Select the listening interface (the internet-facing link).
  2. Enter the listen port (for example 443).
  3. Choose the server certificate.
  4. Enter the SSL VPN address range (tunnel addresses 10.212.134.200-10.212.134.230).
  5. Add the SSL VPN users and groups under Authentication/Portal Mapping.

 

Port 443 is used for FortiGate GUI (HTTPS) access, so use a different custom port for the SSL VPN listen port.

 

(Screenshot: SSL VPN settings)

 

Step 5: Firewall policies.

Create a firewall policy from the SSL VPN interface to the WAN (Internet).

 

(Screenshot: SSL VPN to WAN policy)

A second policy of the same kind is needed from the SSL VPN interface to the LAN.

 

(Screenshot: SSL VPN to LAN policy)

Step 6: FortiClient settings.

 

(Screenshot: FortiClient settings)

 

(Screenshot: SSL VPN connected on FortiClient)

 

Note:

After the VPN connects successfully, tunnel users receive IP addresses from the range 10.212.134.200 - 10.212.134.230.

Make sure mode-cfg is enabled so that the client receives an IP address from the SSL VPN.

 

To configure SSL VPN using the CLI:

 

Step 1: Configure the user and the user group.

 

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

 

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

 

Step 2: SSL VPN portal settings:

 

config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

 

Note: For a full-access tunnel, disable split tunneling (in that case the user's internet traffic also passes through the FortiGate).

 

Step 3: Configure SSL VPN settings:

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-full-tunnel-portal"
        next
    end
end

 

Step 4: Configure the firewall policies:

  1. Create a policy for SSL VPN to the LAN.
  2. Create a policy for SSL VPN to the WAN (Internet).

 

config firewall policy
    edit 1
        set name "ssl vpn to lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "ssl vpn to wan"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
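As an added example (not part of the article and not Fortinet code), the script below parses FortiOS-style config text such as the blocks above and reviews the points this article raises: the SSL VPN listen port must differ from the GUI HTTPS port, and the ssl.root policies should be bound to the tunnel pool and to an SSL VPN group. It also flags the permissive source-address "all" and service "ALL" settings as items to decide on consciously. The sample config, the admin_sport default of 443 and the finding texts are assumptions made for the example.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts (set values as lists)."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] in ("config", "edit"):      # open a scope keyed by its name or id
            stack.append(cur)
            cur = cur.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):        # close the current scope
            cur = stack.pop()
    return root

def review_sslvpn(cfg, admin_sport=443):
    """Findings a defender would raise on the SSL VPN settings and ssl.root policies."""
    out, s = [], cfg.get("vpn ssl settings", {})
    if int(s.get("port", ["443"])[0]) == admin_sport:   # FortiOS listens on 443 unless set
        out.append("listen port equals the GUI HTTPS port; use a custom SSL VPN port")
    if s.get("source-address", ["all"]) == ["all"]:
        out.append("source-address 'all': login page is reachable from any IP")
    pools = set(s.get("tunnel-ip-pools", []))
    for pid, p in cfg.get("firewall policy", {}).items():
        if p.get("srcintf") != ["ssl.root"]:
            continue
        if not pools & set(p.get("srcaddr", [])):
            out.append(f"policy {pid}: srcaddr is not the tunnel pool")
        if not p.get("groups"):
            out.append(f"policy {pid}: no SSL VPN user group bound")
        if p.get("service") == ["ALL"]:
            out.append(f"policy {pid}: service ALL; restrict to needed services")
    return out

SAMPLE = """config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-address "all"
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "sslvpngroup"
        set service "ALL"
    next
end"""  # constructed sample, trimmed to the keys the review looks at
```

Run `review_sslvpn(parse_fortios(SAMPLE))` to see the findings for the sample; pasting the real output of `show vpn ssl settings` and `show firewall policy` works the same way.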

 

Useful commands:

 

    get vpn ssl monitor
    diagnose vpn ssl list
    diagnose firewall auth list
    diagnose vpn ssl statistics
    exec vpn sslvpn list
    get system status
    diagnose vpn ssl stats

 

Useful commands for SSL VPN connection troubleshooting:

 

    diagnose debug application fnbamd -1
    diagnose debug application sslvpn -1
    diagnose debug application tvc -1
    diagnose debug console timestamp enable
    diagnose debug enable

 

Related document:

SSL VPN full tunnel for remote user