Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rodeca
New Contributor

FGT60 only one SSL Portal

Fortigate 60C When in Fortios4, I had two or three VPN-SSL Portals configured (just for fiddling), but only one in " production" . After upgrade to v5.3 (as stated in the release notes; I hadn' t seen it: my fault), only one could exist. Luckily, that one was The one " in production" . So everything kept working. Now, - when looking in the GUI, only " full access" web portal appears (not The one) - editing FGT60Cxxxx.conf, I can see three default portals defined and The one. My questions: - Must I edit " FGT60Cxxxx.conf" , delete every portal but The one, save and load it? Would it then appear in the GUI? - Any other way, any hint, any advice? Thank you all
6 REPLIES 6
Christopher_McMullan

Under System > Config > Features, have you enabled Multiple UTM Profiles?

Regards, Chris McMullan Fortinet Ottawa

rodeca
New Contributor

Christopher, you are the BOSS! Now I can see them all. But I cannot find how to select which one clients will connect to (presently not an issue: when I go to https://my-forti:10443 I get then correct one; it is the only with a policy). Thank you Rodeca P.S. There were too much changes (hidings) in this v5 GUI: somewhat Apple-ish
Christopher_McMullan

In 4.3, you had to choose the portal in the user group settings. In 5.0, the web portal was chosen in the identity-based policy per-group or per-user. In 5.2, it changes once again: now there is a separate area for portal selection, authentication, etc. The policies are simply ssl.vdom_name > resource and vice versa. It' s unfortunate if you' re averse to change, since SSLVPN is one of the most-often modified concepts! I' m still getting used to the regime under 5.2, so you wouldn' t be alone. _____________________________ Regards, Chris McMullan BOSS

Regards, Chris McMullan Fortinet Ottawa

rodeca
New Contributor

I' ll do some research to understand all this. As I only have to see my SSL config only once a year (or less), I have time. Most of my VPN are IPsec. I' m not averse (well, a little) to changes but to " hidingness" . And perhaps a little " lazy" to changes as well. Thank you again, Rodeca
AndreaSoliva
Contributor III

Hi if you like to confiure under 5.2.x a SSL VPN Portal I suggest to do it over CLI because it is easier and more visible how it works. Following has to be done: Basics Are: Address Object internal LAN net-lan-192.168.0.0-24 Address Object IP-Pool' s net-ip-pool-10.10.0.0-24 User user-1 (member of gr-ssl-vpn-tunnel / gr-ssl-vpn-portal Groupe gr-ssl-vpn-tunnel Groupe gr-ssl-vpn-portal NOTE To activate REALM Function activate position: System > Config > Features > Show More > SSL-VPN Realms After that you can find REALM under: VPN > SSL > Realms VPN SSL Settings Web Portal # config vpn ssl web portal # edit [Name of WebPortal " web-acces.local" ] # set tunnel-mode disable # set ipv6-tunnel-mode disable # set web-mode enable # set cache-cleaner disable # set host-check none # set limit-user-logins enable # set mac-addr-check disable # set os-check disable # set virtual-desktop disable # set auto-prompt-mobile-user-download disable # set display-bookmark enable # set user-bookmark enable # set config bookmark-group # set edit " Intranet-Kategorie" # set config bookmarks # set edit " Intranet" # set set description " Intranet Site" # set set url " www.mydomain.intra" # set end # set display-connection-tools enable # set display-forticlient-download disable # set display-history enable # set display-history-limit 10 # set display-status enable # set heading " Welcome to mydomain.ch" # set page-layout double-column # unset redir-url # set theme blue # set custom-lang en # end VPN SSL Settings Tunnel Mode # config vpn ssl web portal # edit [Name of the Portal " tunnel-acces.local" ] # set tunnel-mode enable # set ipv6-tunnel-mode disable # set web-mode disable # set cache-cleaner disable # set host-check none # set limit-user-logins enable # set mac-addr-check disable # set os-check disable # set virtual-desktop disable # set ip-mode range # set auto-connect disable # set keep-alive enable # set save-password enable # set ip-pools [Address Object for IP Pool SSL VPN exampel " net-ip-pool-10.10.0.0-24" ] # set split-tunneling enable # set split-tunneling-routing-address [Address Object for destination LAN example " net-lan-192.168.0.0-24" ] # set dns-server1 [IPv4 Addresse for DNS Server] # set dns-server2 0.0.0.0 # set wins-server1 0.0.0.0 # set wins-server2 0.0.0.0 # end VPN SSL Settings Realm # config vpn ssl web realm # edit [Name of Realm example " tunnel" ] # set max-concurrent-user 100 # set login-page " <html> <head> <meta http-equiv=\" Content-Type\" content=\" text/html; charset=UTF-8\" > <title> login </title> <meta http-equiv=\" Pragma\" content=\" no-cache\" > <meta http-equiv=\" cache-control\" content=\" no-cache\" > <meta http-equiv=\" cache-control\" content=\" must-revalidate\" > <link href=\" /sslvpn/css/login.css\" rel=\" stylesheet\" type=\" text/css\" > <script type=\" text/javascript\" > if (top && top.location != window.location) top.location = top.location; if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); } </script> </head> <body class=\" main\" > <center> <table width=\" 100%\" height=\" 100%\" align=\" center\" class=\" container\" valign=\" middle\" cellpadding=\" 0\" cellspacing=\" 0\" > <tr valign=middle> <td> <form action=\" %%SSL_ACT%%\" method=\" %%SSL_METHOD%%\" name=\" f\" autocomplete=\" off\" > <table class=\" list\" cellpadding=10 cellspacing=0 align=center width=400 height=180> <tr class=\" dark\" > <td colspan=2> <b> <br> WARNING: <br> <p style=\" text-align:justify; margin-left:0px; margin-right:0px\" > You must have prior authorization to login to this system. All connections are logged and monitored. By login to this system you fully consent to all monitoring. Unauthorized login or use will be prosecuted to the full extent of the law. You have been warned! </p> <br> </b> </td> </tr> %%SSL_LOGIN%% <tr> <td> </td> <td id=login> <input type=button name=login_button id=login_button value=\" Login\" onClick=\" try_login()\" border=0> </td> </tr> </table> %%SSL_HIDDEN%% </form> </td> </tr> </table> </center> </body> <script> document.forms[0].username.focus(); </script> </html>" # end VPN SSL Settings # config vpn ssl settings # set reqclientcert disable # set sslv2 disable # set sslv3 enable # set tlsv1-0 enable # set tlsv1-1 enable # set tlsv1-2 enable # set ssl-big-buffer disable # set ssl-insert-empty-fragment enable # set ssl-client-renegotiation disable # set force-two-factor-auth disable # set servercert self-sign # set algorithm default # set idle-timeout 1800 # set auth-timeout 28800 # set auto-tunnel-static-route disable # set tunnel-ip-pools [Address Object for IP Pool SSL VPN example" net-ip-pool-10.10.0.0-24" ] # set dns-server1 [IPv4 Addresse for DNS Server] # #set dns-server2 0.0.0.0 # #set wins-server1 0.0.0.0 # #set wins-server2 0.0.0.0 # set route-source-interface disable # set url-obscuration disable # set http-compression disable # set http-only-cookie enable # set port 10443 # set port-precedence enable # set auto-tunnel-static-route disable # set source-interface [Interface Definition for SSL Listening example " wan1" ] # set source-address [Definition Address Object or " all" ] # set source-address-negate disable # unset source-address6 # set default-portal " web-access.intra" # config authentication-rule # edit 1 # set source-interface [Interface ISP example " wan1" ] # set source-address [Definition Address Object or " all" ] # set source-address-negate disable # unset source-address6 # set source-address6-negate disable # set groups " gr-ssl-vpn-tunnel" # set portal " tunnel-acces.local" # set realm tunnel # set client-cert disable # set cipher any # set auth local # next # edit 2 # set source-interface " wan1" # set source-address " all" # set source-address-negate disable # unset source-address6 # set source-address6-negate disable # set users local # set groups " gr-ssl-vpn-portal" # set portal " web-acces.local" # unset realm # set client-cert disable # set cipher any # set auth local # next # end # end At least implement a Firewall Policy Rule: hope this helps have fun Andrea
rodeca
New Contributor

My apologies. I am presently working on other matters and the SSL problem was not an urgent issue: I don' t know why my present configuration works, but it works. Although I appreciate very much all your work (thank you too, Andrea), I haven' t now the time for analyzing it and testing it. And applying it: in fact, I' ll have to reconfigure my present VPNs to adapt it to the new fortios. But it' ll not be before a week or more. Regards Ro
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors