Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gilfalko
New Contributor III

Closing SSL-VPN port

Hi, I need to disable SSL-VPN and close its port due to a Heartbleed suspicion. I wasn't able to find a way to do that... Anyone? Thanks
AndreaSoliva
Contributor III

Hi,
One possibility (the best from my point of view) is to implement a Local-In policy. A lot of people do not know that on a FortiGate you are actually working with 3 policies, which means:
1. Manual Local-In Policy
2. Automatic Local-In Policy
3. Regular Policy
The flow of all traffic goes exactly in this way (1 - 3) through the policies. This also means that if you have something to block, even if it is allowed in the Automatic Policy, you can block it within the Manual Local-In Policy. Also for these 3 policies the rule is "top down, first match wins".
A Local-In Policy can only be done on the CLI, which means:
config firewall local-in-policy
    edit 1
        set intf [Interface name, example "wan1"]
        set srcaddr [Address Object or "all"]
        set dstaddr [Address Object or "all"]
        set action deny
        set service [Service Object, example "UDP-5246" and "UDP-5247"]
        set schedule "always"
        set auto-asic-offload enable
        set status enable
    end
The Automatic Local-In Policy you can see with the details (but you cannot manipulate it) within the GUI under Policy if you activated the feature under "System > Config > Feature > Show More > Local-In Policy".
Hope this helps, have fun
Andrea
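A complete version of the local-in approach for this specific case, added here as an example and not taken from the post above or from Fortinet documentation. It assumes the SSL-VPN listener is on TCP 10443 (the usual FortiOS 5 default; confirm with "show vpn ssl settings" before relying on it) and that the Internet-facing interface is "wan1"; the service object name "SSLVPN-PORT" is made up for the example. The effect is that the SSL-VPN portal stays reachable on internal interfaces while anything arriving on wan1 for that port is dropped before it ever reaches the SSL-VPN daemon.

```fortios
# Added example, not from the forum post. Assumptions: SSL-VPN listens on
# TCP 10443 (verify: show vpn ssl settings) and the Internet-facing
# interface is "wan1". Adjust both to your unit.

# 1. Service object that matches the SSL-VPN listener port.
config firewall service custom
    edit "SSLVPN-PORT"
        set tcp-portrange 10443
    next
end

# 2. Manual local-in policy on wan1 only. Manual local-in policies are
#    evaluated before the automatic ones, so this deny wins even though the
#    SSL-VPN listener itself is still enabled (and still serves internal users).
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSLVPN-PORT"
        set schedule "always"
        set status enable
    next
end

# 3. Review what is now in place: the listener port, and the deny rule on wan1.
show vpn ssl settings
show firewall local-in-policy
```

After applying it, confirm from outside that a TCP connection to wan1:10443 no longer completes, and from inside that the portal still answers; that pair of checks is what distinguishes "port closed on the WAN" from "SSL-VPN disabled everywhere". Later FortiOS releases also let you bind the listener to chosen interfaces inside "config vpn ssl settings", but the local-in policy works on any release that has local-in policies and does not depend on the SSL-VPN daemon honouring anything.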
gilfalko

So all I'll have to do is create such a policy and replace the service with the port I have open? BTW a friend mentioned something about killing the SSL process. Is that also a viable option?
ede_pfau
SuperUser

All of this, of course, only in FortiOS v5.
Ede Kernel panic: Aiee, killing interrupt handler!
gilfalko
New Contributor III

Someone gave me this which seems to work:
config vpn ssl settings
    set sslvpn-enable disable
end
This closed the VPN entirely.
AndreaSoliva
Contributor III

Hi,
What is mentioned is true, but it is another way to go. Keep in mind that if you disable the VPN on all interfaces, the VPN portal/function is closed. By default the SSL-VPN portal is listening on each interface, including internal. From this point of view you can leave -if you want- the SSL-VPN portal internal and close only the WAN. It is important to understand the local-in policy to be used for higher security. Example: if you look at the automatic VPN local-in policy you will recognize that the source is given as ALL. If you have only one site-to-site VPN you can restrict, with the manual local-in policy, the requests to IKE 500 and/or NAT Traversal 4500 etc. From this point of view a lot of enterprise environments/engineers have their set of local-in policies which restricts more closely the services given on the WAN etc. Keep this in mind...!
Hope this helps. Have fun
Andrea
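The IKE restriction described in this reply, written out as an added example (not from the post, not Fortinet's own documentation). It assumes a single IPsec peer whose public address is held in a constructed address object "S2S-PEER" (203.0.113.10 is a documentation placeholder, not a real peer), that the WAN interface is "wan1", and it defines its own service object "IKE-NATT" for UDP 500 and 4500 rather than relying on a predefined service name. The point it demonstrates is the "top down, first match wins" order: the accept for the known peer must sit above the deny for everybody else.

```fortios
# Added example, not from the forum post. Assumptions: one IPsec peer at the
# placeholder address 203.0.113.10, WAN interface "wan1". Object names
# "S2S-PEER" and "IKE-NATT" are made up for this example.

# Address object for the only peer that may talk IKE to this unit.
config firewall address
    edit "S2S-PEER"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# IKE (UDP 500) and NAT-Traversal (UDP 4500) as one service object.
config firewall service custom
    edit "IKE-NATT"
        set udp-portrange 500 4500
    next
end

# Entry 10 (accept from the peer) must be evaluated before entry 11
# (deny from everyone). Entries are matched in table order; if they end up
# the wrong way round, reorder with:  move 10 before 11
config firewall local-in-policy
    edit 10
        set intf "wan1"
        set srcaddr "S2S-PEER"
        set dstaddr "all"
        set action accept
        set service "IKE-NATT"
        set schedule "always"
        set status enable
    next
    edit 11
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE-NATT"
        set schedule "always"
        set status enable
    next
end
```

The same accept-then-deny pair generalizes to any service the FortiGate itself answers on the WAN (management, SSL-VPN, DNS): one narrow accept for the sources that legitimately need it, followed by a deny for "all", replaces the automatic policy's implicit "source ALL" with an explicit allow list.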