Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dsbit
New Contributor

ForgitGate SSL-VPN Web Mode - add option to password protect page

Hello.  It would be nice to have some sort of logic in the configuration of the SSL-VPN Web Mode such that you could enable an additional authentication method that is used "before" you get to the page where you provide credentials.  Maybe something as simple as a password/passphrase, or more sophisticated where an access request could be completed and sent to a designated person or persons.  Or, a way to pre-configure access for individuals for a period of time, where they could enter in a username and pass through if a match occurs.  This could potentially help to prevent bot/bad actor logon attempts. FortiGate

5 REPLIES 5
AEK
SuperUser
SuperUser

Hi @dsbit 

Something like this already exists, I mean 2FA/MFA, like add a mobile token for the user.

AEK
AEK
dsbit
New Contributor

Thanks, @AEK !  In this case I think it's a bit different scenario where third-party vendor access is needed on occasion, and we'd want to stop bots from even getting to the point where they have access to the credentials box/control (to make attempts prior to MFA).

hbac
Staff
Staff

Hi @dsbit,

 

Web mode is not secure and not recommended. When it is enabled, anyone can access it on the browser and enter random credentials. From what I know, the only way to avoid it is to disable web mode and remove the login page as per this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-prevent-the-SSL-VPN-web-login-porta...

 

Regards, 

dsbit
New Contributor

Thanks @hbac !  Agreed for sure (we use it sparingly).  It could definitely be enhanced!

AEK
SuperUser
SuperUser

I think about two possible solutions that may suit you:

  • Use local-in policy to limit IP addresses that can access your Web mode VPN, or if not possible then at least use GeoIP
  • Use a third party reverse proxy before reaching VPN server, even free opensource like nginx, you can use it just for http authentication as an additional security barrier before accessing FG Web VPN
AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors