FortiGate
vempativ
Staff
Article Id 230801
Description

This article explains the procedure to disable SSL VPN functionality on FortiGate.

Scope

FortiGate.
Solution

Different methods are available to disable the SSL VPN functionality on FortiGate in both the GUI and CLI, depending on the FortiOS version.

 

Configure SSL VPN settings in the GUI (for 7.2.x, 7.0.x, 6.4.9 and later).

Go to VPN -> SSL VPN Settings, then deselect 'Enable SSL VPN' as shown below:

[Screenshot: SSL VPN Settings page with 'Enable SSL VPN' deselected]

 

Note that when 'Enable SSL VPN' is enabled but no interface is assigned under 'Listen on interface', SSL VPN is effectively disabled. The GUI does not allow the 'Enable SSL VPN' option to be turned off unless the configuration is otherwise valid, and a valid configuration requires an interface to be assigned.

 

Configure SSL VPN settings in the CLI (for 7.2.x, 7.0.x, 6.4.9 and later).

Run the following commands:

- On a FortiGate without VDOMs:

# config vpn ssl settings
    set status disable
end

- On a FortiGate with VDOMs:

# config vdom
    edit <vdom name>
        config vpn ssl settings
            set status disable
        end
    next
end

Configure the ssl.<vdom> interface in the CLI (for 6.4.8 and earlier, 6.2.x, and 6.0.x).

For older releases (6.4.8 and earlier, 6.2.x, and 6.0.x), the simplest method to disable SSL VPN functionality is to shut down the ssl.<vdom> interface.

Run the following commands:

- On a FortiGate without VDOMs:

# config system interface
    edit ssl.root
        set status down
    next
end

- On a FortiGate with VDOMs:

# config vdom
    edit <vdom name>
        config system interface
            edit ssl.<vdom name>
                set status down
            next
        end
    next
end

Note that shutting down the ssl.<vdom> interfaces blocks access to the portal, but the sslvpnd process keeps running until every firewall policy in every VDOM that references an ssl.<vdom> interface has either been disabled or had the reference removed. To stop sslvpnd, continue with the next step.

Disable relevant Firewall policies in the GUI.

On any FortiOS version, SSL VPN can also be disabled by disabling ALL of the firewall policies that reference the 'ssl.<vdom>' interface.

[Screenshot: Firewall Policy page with the policies referencing 'ssl.<vdom>' disabled]

Disable relevant Firewall policies in the CLI.

To perform the same operation from the CLI, edit every policy referencing 'ssl.<vdom>' and add 'set status disable'. As with the GUI method, this applies to all FortiOS versions.

Run the following commands:

- FortiGate without VDOMs:

# config firewall policy
    edit <policy number>
        set status disable
    next
end

- FortiGate with VDOMs:

# config vdom
    edit <vdom name>
        config firewall policy
            edit <policy number>
                set status disable
            next
        end
    next
end
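The interface-shutdown and policy-disable steps above both come down to the same audit question: in which VDOMs does an ssl.<vdom> interface still exist in the up state, and which firewall policies still reference it? The following Python script is an added example, not Fortinet's code and not part of this article. It parses a FortiOS configuration backup in the plain config/edit/set/next/end text layout (for example, the output of 'show full-configuration' or a downloaded backup file) and reports, per VDOM, the ssl.<vdom> interface status, the 'vpn ssl settings' status, and the policies that reference the interface, flagging those still enabled. The embedded sample configuration is constructed for illustration only; the function names and report keys are the example's own.

```python
import shlex

# Constructed sample of a multi-VDOM FortiOS backup (not a real device export).
# VDOM "root" follows the article; VDOM "dmz" still has an enabled policy on ssl.dmz.
SAMPLE_CONFIG = """\
config vdom
    edit root
        config system interface
            edit "ssl.root"
                set status down
            next
        end
        config vpn ssl settings
            set status disable
        end
        config firewall policy
            edit 1
                set srcintf "ssl.root"
                set dstintf "port2"
                set status disable
            next
        end
    next
    edit dmz
        config system interface
            edit "ssl.dmz"
                set type tunnel
            next
        end
        config vpn ssl settings
            set status enable
        end
        config firewall policy
            edit 5
                set srcintf "ssl.dmz"
                set dstintf "port3"
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts. Tokens are
    split with shell quoting rules, so "ssl.root" is stored without its quotes."""
    root = {}
    stack = [root]  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or '#config-version' header
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword == "config":  # table or object block, e.g. 'config firewall policy'
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit" and args:  # table entry, e.g. 'edit 1'
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set" and args:  # keep every value as a list (multi-valued keys)
            current[args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_sslvpn(cfg):
    """Per VDOM: ssl.<vdom> interface state, 'vpn ssl settings' status, and the
    firewall policies that reference ssl.<vdom> (all, and those still enabled)."""
    vdoms = cfg.get("vdom") or {"root": cfg}  # no 'config vdom' => single VDOM root
    report = {}
    for vdom, tree in vdoms.items():
        ssl_if = f"ssl.{vdom}"
        iface = tree.get("system interface", {}).get(ssl_if, {})
        settings = tree.get("vpn ssl settings", {})
        policies = tree.get("firewall policy", {})
        referencing = [pid for pid, pol in policies.items()
                       if ssl_if in pol.get("srcintf", []) + pol.get("dstintf", [])]
        still_enabled = [pid for pid in referencing
                         if policies[pid].get("status", ["enable"]) != ["disable"]]
        report[vdom] = {
            "sslvpn_status": settings.get("status", ["(device default)"])[0],
            "interface_status": iface.get("status", ["up"])[0],  # absent => up
            "policies_referencing": referencing,
            "policies_still_enabled": still_enabled,
        }
    return report


def sslvpnd_expected_stopped(report):
    """The article's condition for sslvpnd to stop: no VDOM keeps an enabled policy
    that references its ssl.<vdom> interface."""
    return all(not r["policies_still_enabled"] for r in report.values())


if __name__ == "__main__":
    findings = audit_sslvpn(parse_fortios(SAMPLE_CONFIG))
    print(findings)
    print("sslvpnd expected to stop:", sslvpnd_expected_stopped(findings))
```

Run it against a backup exported from the device rather than on the FortiGate itself; on a single-VDOM unit the report has one entry, root. In the sample, root is clean but dmz still has policy 5 enabled on ssl.dmz, so the script reports that sslvpnd is not yet expected to stop, which is exactly the cross-VDOM condition the note above describes.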

Verification.

To confirm the SSL VPN service is disabled, execute the following command in the CLI:

# diagnose sys process pidof sslvpnd

The output of the command should not list any process IDs for the 'sslvpnd' process.

Alternatively, confirm by executing the following command in the CLI:

# diagnose sys tcpsock | grep sslvpnd

The output of the command should not list any socket bound to the 'sslvpnd' process.