Shadi
Staff
Article Id 257561
Description

This article describes the challenges associated with securing SSL VPN access for a distributed user base. It is commonplace for users to originate from IP addresses unknown to the Administrator. To help Administrators mitigate the risks unique to their environment, the following list of references has been compiled.

Scope

All versions of FortiGate.
Solution

Authenticating servers:

For networks with many users, integrate the user configuration with existing authentication servers through LDAP, RADIUS, or FortiAuthenticator.

By integrating with existing authentication servers such as Windows AD, there is a lower chance of making mistakes when configuring local users and user groups. Administration effort is also reduced.

Articles:

- https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/490351/ssl-vpn-authenticatio...
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-restrict-SSL-VPN-user-to-tunnel-mod...

MFA:

- General information: https://docs.fortinet.com/multi-factor-authentication/7.2.
- FortiToken (requires a FortiToken license purchase): https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/458581/ssl-vpn-with-fortitok....
- Email two-factor (no token required): https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forticlient-SSLVPN-using-email-two-factor/....
- SMS: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SMS-Two-Factor-Authentication-....
- Certificates:
  - https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/266506/ssl-vpn-with-certific...
  - https://community.fortinet.com/t5/FortiClient/Technical-Tip-SSL-VPN-with-client-authentication-using....
- Using a non-factory SSL certificate: https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/825073/procure-and-import-a-signed-ssl-....

 

Limit access to specific hosts:

- User source IP, DDNS: https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-source-address-in-SSL-VPN-settings/ta-....
- Geolocation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-cert....
- Negate access limits for specific hosts: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-SSL-VPN-Connection-from-a-cer....

Local-in policies to deny by geoIP or addresses:

- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGa....
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-unauthorized-access-on-the-SSL-VP....

Using host check software (requires FortiClient 7.0.3 or higher):

- https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/32970/configuring-os-and-hos....
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-host-check-list-and-host-che....
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-custom-host-check-definitions-for-F....
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-periodic-host-check/ta-p/189806.

 

Web portal (if not used):

Most attack attempts use the web portal to try to log in, and each attempt generates VPN event logs.

If the web portal is not being utilized, prevent the login page from appearing.

- Delete the login page from the replacement messages settings: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-porta....

 

Web portal or FortiClient (in use):

- Use realms: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/724772/ssl-vpn-multi-realm.
- Control SSL version and cipher suite: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-the-SSL-version-and-cipher-....
- MAC address check: https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-Address-check-on-SSL-VPN-connections/t....
- Limit the count of failed login attempts and ban the user: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-bl....
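As an added example that is not part of the original article or its linked tips, the following FortiOS CLI fragment combines several of the controls referenced above: a source-address allow list, a geography-based local-in deny, TLS version and cipher restriction, and a failed-login lockout. The interface name wan1, the address object names, the 203.0.113.0/24 range and the country code XX are assumed placeholders, and the SSL VPN is assumed to listen on the default HTTPS port.

```fortios
# Address objects (assumed names; 203.0.113.0/24 is a constructed documentation range).
config firewall address
    edit "SSLVPN-Trusted-Sources"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "GEO-Blocked-Country"
        set type geography
        set country "XX"    # placeholder: ISO country code to deny
    next
end

# Restrict who may reach the SSL VPN service and how the session is negotiated.
config vpn ssl settings
    # Only the listed source object may attempt to log in (negate disabled = allow list).
    set source-address "SSLVPN-Trusted-Sources"
    set source-address-negate disable
    # Require TLS 1.2 or later and the high-strength cipher set.
    set ssl-min-proto-ver tls1-2
    set algorithm high
    # After 3 failed logins the user is blocked for 600 seconds.
    set login-attempt-limit 3
    set login-block-time 600
end

# Drop connection attempts from the blocked geography before they reach the portal,
# so they never generate a login attempt. Assumes SSL VPN on the default HTTPS port.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GEO-Blocked-Country"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end
```

If the SSL VPN uses a custom port, replace the HTTPS service in the local-in policy with a service object for that port.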

 

Migrating from SSL VPN to ZTNA:

ZTNA can be used to replace VPN-based teleworking solutions to enhance the user experience and to increase security.

- https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/78050/migrating-from-ssl-vpn...