Description
This article describes challenges associated with securing SSL VPN access for a distributed user base. It is commonplace that users originate from IP addresses unknown to the Administrator. To help Administrators mitigate the risks unique to their environment, the following comprehensive list of references has been compiled.

Scope
All versions of FortiGate.

Solution
Authentication servers:
For networks with many users, integrate the user configuration with existing authentication servers through LDAP, RADIUS, or FortiAuthenticator. By integrating with existing authentication servers such as Windows AD, there is a lower chance of making mistakes when configuring local users and user groups. Administration effort is also reduced.
Articles:
MFA:
General information: https://docs.fortinet.com/multi-factor-authentication/7.2.
FortiToken (requires a FortiToken license): https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/458581/ssl-vpn-with-fortitok....
Email-based two-factor (free): https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forticlient-SSLVPN-using-email-two-factor/....
Certificates: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/266506/ssl-vpn-with-certific... and https://community.fortinet.com/t5/FortiClient/Technical-Tip-SSL-VPN-with-client-authentication-using....
Using a non-factory SSL certificate: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/825073/procure-and-import-a-signed-ssl-....
Limit access to specific hosts:
User source IP, DDNS: https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-source-address-in-SSL-VPN-settings/ta-....
Geolocation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert....
Negate access limits for specific hosts: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-SSL-VPN-Connection-from-a-cer....
Local in policies to deny by geoIP or addresses:
Using host check software (requires FortiClient 7.0.3 or higher): https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-periodic-host-check/ta-p/189806.
Web portal (if not used):
Most attack attempts target the web portal login page, and every such attempt generates a VPN event log entry. If the web portal is not in use, prevent the login page from being served at all.
Delete the login page from the replacement message settings: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-porta....
Web portal or FortiClient (in use):
Use realms: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/724772/ssl-vpn-multi-realm.
Control SSL version and cipher suite: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-the-SSL-version-and-cipher-....
MAC address check: https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-Address-check-on-SSL-VPN-connections/t....
Limit the count of failed login attempts and ban the user: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-bl....
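The failed-login events mentioned above are the raw material both for a ban threshold and for spotting which entry point attackers favour. As an added example (not from this article or from Fortinet), the following Python script parses FortiGate-style key=value SSL VPN event log lines, counts failed logins per source IP inside a sliding time window, and reports how many failures arrived through the web portal versus the tunnel client. Field names follow the FortiGate log style, but the sample lines, IP addresses, threshold and window are constructed assumptions, not captured data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in FortiGate key=value style (not real captures).
# 203.0.113.10 hammers the web portal; 198.51.100.7 is an ordinary user
# who mistypes a password twice and then logs in successfully.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:14 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root" reason="sslvpn_login_unknown_user" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:29 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test" reason="sslvpn_login_unknown_user" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:00:45 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="guest" reason="sslvpn_login_unknown_user" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:01:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpn" reason="sslvpn_login_unknown_user" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:01:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:03:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" tunneltype="ssl-web" msg="SSL user failed to logged in"
date=2024-05-01 time=10:20:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" tunneltype="ssl-tunnel" msg="SSL user failed to logged in"
date=2024-05-01 time=10:21:10 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="jsmith" tunneltype="ssl-tunnel" msg="SSL tunnel established"
date=2024-05-01 time=10:22:00 type="event" subtype="system" action="login" user="admin" msg="Administrator admin logged in successfully from https(192.0.2.5)"
"""

# Matches key=value pairs; values are either double-quoted (may contain
# spaces and escaped quotes) or a bare run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, raw = match.group(1), match.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def failed_logins(lines):
    """Yield (timestamp, remip, user, tunneltype) for SSL VPN login failures only."""
    for line in lines:
        if not line.strip():
            continue
        f = parse_log_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue  # ignore successes and non-VPN events
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, f.get("remip"), f.get("user"), f.get("tunneltype")


def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {remip: peak_count} for sources whose failures in any sliding
    window of length `window` reach `threshold` (both values are assumptions
    a defender would tune to match the FortiGate ban policy)."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _user, _tt in failed_logins(lines):
        stamps_by_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def failures_by_tunneltype(lines):
    """Count failures per entry point, e.g. ssl-web (portal) vs ssl-tunnel (client)."""
    return Counter(tt for _ts, _ip, _user, tt in failed_logins(lines))


if __name__ == "__main__":
    log_lines = SAMPLE_LOGS.splitlines()
    print("Sources exceeding threshold:", find_bruteforce_sources(log_lines))
    print("Failures by entry point:", failures_by_tunneltype(log_lines))
```

With the constructed sample, only 203.0.113.10 crosses the threshold (six failures inside two minutes), while the legitimate user's two spread-out mistakes do not; the entry-point count shows seven of the eight failures hitting the web portal, which is the signal that motivates disabling the portal login page when it is not needed.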
Migrating from SSL VPN to ZTNA:
ZTNA can be used to replace VPN-based teleworking solutions to enhance the user experience and to increase security.
Copyright 2024 Fortinet, Inc. All Rights Reserved.