Hello
After pentests we have an issue about the SSLVPN web page being shown. I need to use SSLVPN only in tunnel mode (this is not a problem), but without showing any page in the browser. I looked in the CLI and GUI and still can't find any solution for disabling the web page while keeping tunnel mode active.
Do you have any idea?
Thank you
NSE8 #3111
Hey guys,
I searched for info about disabling SSL-VPN and found this.
What I have done is unset the options configured through the CLI, for example:
config vpn ssl settings
    unset port
    unset source-interface
end
Regards!
There is no option to disable Web GUI access for SSL VPN.
But you can edit the replacement message for the SSL-VPN login page:
System > Replacement Messages > SSL-VPN login page.
You can delete the body of the HTML; then when you try to access your web portal (SSL-VPN), the login page will not show.
I have a fix, guys!
Do the following and your SSL-VPN login HTML page will be blank, and the FortiClient will still be able to sign in to the SSL VPN, even with FortiToken.
====
At the top of the HTML add the lines:
<style>
.prompt {
display: none;
}
</style>
=====
At the top of the HTML remove the single line:
<link href="/css/main-blue.css" rel="stylesheet" type="text/css">
=======
Example snippet from the top of the HTML including both fixes above (the style block added, the main-blue.css link removed):
<!DOCTYPE html>
<html lang="en" class="main-app">
<head>
<style>
.prompt {
display: none;
}
</style>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-itunes-app" content="app-id=1475674905">
<title>
Please Login
</title>
That does not disable the page, FWIW. Making a page blank is just that, "blank"; the page is still present. But here's what you can do to improve the pentest: deploy client-side certificates, with the added bonus of MFA, and explain that.
Ken Felix
PCNSE
NSE
StrongSwan
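A way to check which of the two changes discussed above (hiding the login prompt with CSS, or deleting the HTML body) actually removes the login form from what the FortiGate serves, as an added example that is not from any poster in this thread: it parses the returned HTML the way an automated client would, ignoring stylesheets. The sample pages, the form action and the input names are constructed assumptions, not values from a real appliance.

```python
from html.parser import HTMLParser

class LoginFormProbe(HTMLParser):
    """Record forms, inputs and display:none rules regardless of rendering:
    an automated client does not apply stylesheets."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.input_names = [], []
        self.css_hides, self._in_style = False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            self.input_names.append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # "display: none" with any spacing inside a <style> block
        if self._in_style and "display:none" in "".join(data.split()):
            self.css_hides = True

def assess_login_page(html):
    """Report what a scanner would still find in the served page."""
    p = LoginFormProbe()
    p.feed(html)
    p.close()
    if p.form_actions:
        verdict = "login form still served" + (" (hidden only by CSS)" if p.css_hides else "")
    else:
        verdict = "no login form in response"
    return {"forms": p.form_actions, "inputs": p.input_names,
            "css_hidden": p.css_hides, "verdict": verdict}

# Constructed sample: top of the page after the CSS change; form action and names assumed.
HIDDEN_SAMPLE = """<!DOCTYPE html><html lang="en" class="main-app"><head>
<style> .prompt { display: none; } </style><title>Please Login</title></head>
<body><div class="prompt"><form action="/login-placeholder" method="post">
<input name="username" type="text"><input name="password" type="password">
</form></div></body></html>"""
# Constructed sample: the same page with the HTML body deleted instead.
EMPTY_SAMPLE = '<!DOCTYPE html><html><head><title>Please Login</title></head><body></body></html>'
```

Run `assess_login_page` against the HTML your own portal returns; a result of "login form still served" means the page is cosmetically blank but still answers logins, as the reply above says.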
Hi emonc,
Thanks for that info. Yes, I know the page is technically in place and accessible, but it's better than seeing a logon page :)
We have MFA via FortiToken already, but I want to also have certificates.
How did you deploy your certs, and what type of cert did you use? I'm more interested in the FortiGate side of the config, as I played with certs before and it was not simple.
Regards
Nick
Certs are easy as 1-2-3; if you have Microsoft, you're almost at 3 ;)
Just issue certificates to each user; the domain root cert should already be on the Windows computers.
Import the CA root into the FortiGate, along with the certificate for the SSL VPN.
Enable "require cert" in the SSL VPN settings and an auth rule with a peer-group that expects that root CA. You can refer to this recently added blog entry:
http://socpuppet.blogspot.com/2020/04/sslvpn-fortigate-with-certificates.html
Nothing you do will stop the web page on that port. If you need to enforce something, just change the SSL VPN certificate and set the failed-login block time to some ridiculous value.
E.g. in the SSL VPN settings:
config vpn ssl settings
    set login-block-time 86400
end
Ken Felix
PCNSE
NSE
StrongSwan
Hello,
I just did nbutt's solution on my FortiWiFi 60D v6.0.8, and the web page is now blank, so no robots can try to log on to the web portal, and my SSL VPN tunnel is still working.
Thanks
Guillaume.
Hello
Great weakness for Fortinet: the year is 2021 and we can't turn off web mode. We solved it by making changes on the replacement message screen.
Regards