Support Forum
Ron_Uss
New Contributor III

Disable SSLVPN webportal page

Hello

After pentests we have an issue about the SSLVPN web page being shown. I need to use SSLVPN only in tunnel mode (this is not a problem), but without showing any page in the browser. I looked in the CLI and GUI and still can't find any solution for disabling the web page while keeping tunnel mode active.

Do you have any idea?

Thank you

NSE8 #3111
3 Solutions
Pacolo

Hey guys,

 

I searched for info about disabling SSL-VPN and found this.

 

What I have done is unset the options configured through the CLI, for example:

 

    config vpn ssl settings
        unset port
        unset source-interface "wan1"
    end

Regards!


leo1
New Contributor II

There is no option to disable web GUI access for SSL VPN.

But you can edit the replacement message for the SSL-VPN login page:

System > Replacement Messages > SSL-VPN login page.

 

You can delete the body of the HTML. Then when you try to access your web portal (SSL-VPN), the login page will not show.


nbutt
New Contributor II

I have a fix, guys!

Do the following and your SSL-VPN login HTML page will be blank, and FortiClient will still be able to sign in to the SSL VPN, even with FortiToken.

 

====

At the top of the HTML add the lines:

    <style>
      .prompt {
        display: none;
      }
    </style>

=====

At the top of the HTML remove the single line:

    <link href="/css/main-blue.css" rel="stylesheet" type="text/css">

=======

Example snippet from the top of the HTML including both fixes above:

    <!DOCTYPE html>
    <html lang="en" class="main-app">
      <head>
        <style>
          .prompt {
            display: none;
          }
        </style>
        <meta charset="UTF-8">
        <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="apple-itunes-app" content="app-id=1475674905">
        <!-- main-blue.css stylesheet link removed, as described in the step above -->
        <title>
          Please Login
        </title>


emnoc
Esteemed Contributor III

That does not disable the page, FWIW. Making a page blank is just that, "blank"; the page is still present. But here's what you can do to improve the pentest: just deploy client-side certificates, with the added bonus of MFA, and explain that.

 

Ken Felix
PCNSE NSE StrongSwan
nbutt
New Contributor II

Hi emnoc,

Thanks for that info. Yes, I know the page is technically in place and accessible, but it's better than seeing a logon page :)

We have MFA via FortiToken already, but I want to also have certificates.

How did you deploy your certs and what type of cert did you use? I'm more interested in the FortiGate side of the config, as I played with certs before and it was not simple.

 

Regards

Nick

 

emnoc
Esteemed Contributor III

Certs are easy as 1-2-3; if you have Microsoft, you're almost at 3 ;)

Just issue certificates to each user; the domain root cert should already be on the Windows computers.

Import the CA root into the FortiGate, and a certificate for the SSL VPN.

Enable require-client-cert in the SSL VPN settings and an auth rule with a peer group that expects that root CA. You can refer to this recently added blog entry:

 

http://socpuppet.blogspot.com/2020/04/sslvpn-fortigate-with-certificates.html

 

 

Nothing you do will stop the web page on that port. If you need to enforce something, just change the SSL VPN certificate and set the failed-login block time to some ridiculous value.

e.g. in ssl-vpn settings:

    config vpn ssl settings
        set login-block-time 86400
    end

  

 

 

 

Ken Felix
PCNSE NSE StrongSwan
firewall
New Contributor

Hello,

 

I just applied nbutt's solution on my FortiWiFi 60D, v6.0.8, and the web page is now blank, so no robots can try to log on to the web portal, and my SSL VPN tunnel is still working.

 

Thanks

Guillaume.

 

 

hakan_erol

Hello

 

Great weakness for Fortinet: the year is 2021 and we can't turn off web mode. We solved it by making changes on the replacement message screen.

 

Regards

cyberadius

Update for FortiOS 7.4+ (may work in older versions)


a) The hackerish approach (and a bit funny):
Building on the older posts, you can write the HTML code in the replacement message so as to immediately redirect to any URL you want! I have chosen The Last Page of the Internet!
This effectively drives off any attacker immediately instead of having them land on a void web page. The formerly proposed solution allows casual interaction with the server for as long as one wants, even if the entry point (the login form) has been taken away. Rest assured that a knowledgeable blackhat has things to try to mess up an exposed web server even if it displays nothing visible to the naked eye. He/she could even try a DoS/DDoS attack on the web server to degrade the overall firewall's performance or cause a crash.
Surely redirecting, even if a bit more sophisticated, is just another workaround, but it provides a better way to fend off casual attempts to work with the firewall's web server.

A sample html code you may use is: 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="refresh" content="0; url=http://www.internetlastpage.com">
    <title></title>
</head>
<body>
</body>
</html>

Note: The above code is tested and works fine with Forticlient (tunnel mode) with ZTNA and FortiToken enabled.


b) The serious approach. Fortinet has provided a simpler way to have the web server return a Forbidden response when it's not required for the SSL VPN, while still allowing tunnel mode to work via FortiClient.
It is not as effective as shutting down the webserver, but it is a step in the right direction. 


To enable this you may just do:

    Firewall # config system global
    Firewall (global) # set sslvpn-web-mode disable
    Firewall (global) # end

 

 


For both approaches, to further lock down your SSL VPN you should implement a 'no-access' SSL VPN portal, which has 1) tunnel mode, 2) web mode and 3) FortiClient download disabled, for any user not matching any authentication/portal mapping in the SSL VPN settings, effectively negating access for unauthenticated users (thanks Kostas for that).

 

Disclaimer: you should not rely on these two approaches alone to secure your SSL VPN! They secure the web server, not access altogether. Fortinet provides ZTNA and MFA add-on solutions that can effectively lock down this remote-access pathway into your network.

Dimitris G.
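Editor's note: the thread above describes the hardening steps only in prose (emnoc's client-certificate requirement with a peer group and a long login-block-time, and the post above's "no-access" default portal plus the global web-mode switch). The fragment below collects them into one FortiOS CLI example that is added here; it is not configuration posted by anyone in the thread. All object names (CA_Cert_1, corp-root-ca-peer, vpn-cert-peers, no-access, tunnel-access, vpn-users, SSLVPN_TUNNEL_ADDR1, sslvpn-server-cert) are placeholders, the keyword syntax is assumed from FortiOS 7.x, and `sslvpn-web-mode` is only in 7.4+ per the post above; confirm every keyword with `?` on your own version before committing, and test a FortiClient login from outside before you close the change window.

```text
# --- Who may connect: only holders of a client cert issued by the imported root CA ---
config user peer
    edit "corp-root-ca-peer"
        set ca "CA_Cert_1"            # the CA certificate you imported, placeholder name
    next
end
config user peergrp
    edit "vpn-cert-peers"
        set member "corp-root-ca-peer"
    next
end

# --- Portals: a default that grants nothing, and a tunnel-only portal for matched users ---
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
        set forticlient-download disable
    next
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
        set forticlient-download disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"   # address pool for tunnel clients, placeholder
    next
end

# --- SSL VPN settings: require a client cert, slow down brute force, default to no-access ---
config vpn ssl settings
    set servercert "sslvpn-server-cert"   # your own server certificate, placeholder name
    set reqclientcert enable              # TLS handshake fails without a client cert
    set login-block-time 86400            # block an IP for a day after failed logins
    set default-portal "no-access"        # anyone not matching a rule below gets nothing
    config authentication-rule
        edit 1
            set groups "vpn-users"        # user group that still completes MFA/FortiToken
            set portal "tunnel-access"
            set client-cert enable
            set user-peer "vpn-cert-peers"   # the cert must chain to the root CA above
        next
    end
end

# --- FortiOS 7.4+: the web server answers Forbidden instead of serving the login page ---
config system global
    set sslvpn-web-mode disable
end
```

Order matters on a live box: create the peer group, portals and server certificate first, since `set user-peer` and `set default-portal` reject names that do not exist yet. The global `sslvpn-web-mode disable` removes the login form for everyone, while `reqclientcert enable` is what actually stops an unauthenticated client from getting past the TLS handshake; the no-access default portal is the safety net for a user who has a valid cert and password but is not in the mapped group.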