FortiGate
Shashwati, Staff
Article Id 328376

Description

This article describes how to terminate SSL VPN connections on a Loopback interface that is published to the Internet through a Virtual IP (VIP), and gives some SSL VPN hardening recommendations.

Scope

FortiGate.

Solution

1. Configure the Loopback interface.

CLI Reference:


config system interface
    edit "Loopback"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 31
    next
end

2. Configure the FortiGate WAN interface and static route (port2 in this example).

CLI Reference:


config system interface
    edit "port2"
        set ip 192.168.12.12 255.255.240.0
        set allowaccess ping https ssh http ftm
    next
end


config router static
    edit 1
        set gateway 192.168.12.1
        set device "port2"
    next
end

Note that the port2 configuration above leaves HTTP, HTTPS and SSH administrative access enabled on the Internet-facing interface. In a hardened deployment, remove those services from allowaccess on port2 (or at least restrict administrator logins to trusted hosts) so that the SSL VPN VIP is the only service reachable from outside.

3. Configure a Virtual IP that uses the port2 address as the external IP, the Loopback interface address as the mapped IP, and port forwarding for the SSL VPN port (10443 in this example).

CLI Reference:

config firewall vip
    edit "VPN-Interface"
        set extip 192.168.12.12
        set mappedip 10.10.10.10
        set extintf "any"
        set portforward enable
        set extport 10443
        set mappedport 10443
    next
end

Setting extintf to "port2" instead of "any" limits the VIP to the WAN interface, which is the tighter choice when the FortiGate has more than one external-facing interface.

4. Configure the SSL VPN settings to listen on the Loopback interface. The SSL VPN listening port must match the VIP's mapped port (10443 in this example); otherwise forwarded connections arrive on a port where nothing is listening.

CLI Reference:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "Loopback"
    set source-address "all"
    set source-address6 "all"
    set default-portal "test"
end

The Fortinet_Factory certificate is not trusted by clients by default. For production, replace it with a certificate issued by a CA the clients trust, so users are not trained to click through certificate warnings.

5. Configure the firewall policy that allows access to the VIP from outside (WAN to Loopback).

CLI Reference:

config firewall policy
    edit 14
        set name "Loopback"
        set srcintf "port2"
        set dstintf "Loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "VPN-Interface"
        set schedule "always"
        set service "ALL"
    next
end

6. Configure the firewall policy for SSL VPN users, from the SSL VPN tunnel interface (ssl.root) to the internal network (port3 in this example).

CLI Reference:


config firewall policy
    edit 12
        set name "sslvpn"
        set srcintf "ssl.root"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "Guest-group"
    next
end

7. To harden the SSL VPN service against login attempts from untrusted regions, restrict the source address of the WAN-to-Loopback policy (policy 14 above) to an address object of the allowed geographical locations. The object (SSLVPN_Whitelist_countries here) must exist before it is referenced: it is a geography-type firewall address, or an address group of such addresses. Traffic from any other country no longer matches the policy and never reaches the SSL VPN listener on the Loopback.

CLI Reference:


config firewall policy
    edit 14
        set name "Loopback"
        set srcintf "port2"
        set dstintf "Loopback"
        set action accept
        set srcaddr "SSLVPN_Whitelist_countries"
        set dstaddr "VPN-Interface"
        set schedule "always"
        set service "ALL"
    next
end
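The following is an added example, not part of the original article, showing how the SSLVPN_Whitelist_countries object referenced in policy 14 can be built. It goes one step further than the article by also narrowing the policy's service from ALL to the single SSL VPN port and enabling logging on the policy. The country codes (US, CA), the object names Geo-US, Geo-CA and SSLVPN-10443, and the choice to log all traffic are illustrative assumptions, not values from the article.

```fortios
# Added example: geography address objects (assumed countries US and CA).
config firewall address
    edit "Geo-US"
        set type geography
        set country "US"
    next
    edit "Geo-CA"
        set type geography
        set country "CA"
    next
end

# Group them under the name policy 14 already references.
config firewall addrgrp
    edit "SSLVPN_Whitelist_countries"
        set member "Geo-US" "Geo-CA"
    next
end

# Custom service for the SSL VPN port only (assumed name SSLVPN-10443).
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# Policy 14 with the source restricted to the allowed countries,
# the service restricted to TCP/10443 and logging enabled.
config firewall policy
    edit 14
        set name "Loopback"
        set srcintf "port2"
        set dstintf "Loopback"
        set action accept
        set srcaddr "SSLVPN_Whitelist_countries"
        set dstaddr "VPN-Interface"
        set schedule "always"
        set service "SSLVPN-10443"
        set logtraffic all
    next
end
```

Restricting the service to TCP/10443 means that even if another port forward to the Loopback were added later, this policy would not expose it. Logging all traffic on the policy records every accepted connection to the VIP, which is the data to feed into brute-force monitoring, since the Banned IP feature does not apply to SSL VPN attempts (see the note at the end of this article).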

 

8. Connect to the SSL VPN from FortiClient using the Virtual IP address and port (192.168.12.12:10443 in this example), not the Loopback address. Once the tunnel is established, the session appears in the SSL VPN user list on the FortiGate.

Note:

Even with this setup, Banned-IP or Quarantine IP feature will not be able to block SSL VPN connection attempt. Banned-IP or Quarantine IP feature is only applied on real forwarding traffic, traffic that goes through FortiGate.