tedew
New Contributor

Protect VPN gateway

Hello,

On FortiGate we have configured VPN for our users (tunnel mode, web mode) and everything is working.

But we have doubts regarding the security level of this VPN gateway.

Is it possible to install/add something more (like some proxy) between the VPN gateway and the clients, to be more secure?

thank you 

adambomb1219
Contributor III

Huh?  What do you mean?  Are firewall policies not enough for your use-case?  Are you doing full tunnel or split tunnel?

tedew
New Contributor

hello,

yes, 

Theoretically everybody on the Internet can try to access our SSL VPN web page (and try some attacks). Is it possible to limit it to authorized devices (company devices) only?

For tunnel mode we are not using split tunnel.

Thanks,

adambomb1219

Are you using MFA?  There are also some device posture checks built into FortiGate to ensure the device meets criteria for your organization.  What version of FortiOS are you running?  You can also look at FortiNAC to control device posture before providing VPN access.

Do you mean the SSL webpage itself?  If so, then frontend the SSL VPN page with a WAF.

Debbie_FTNT
Staff
Staff

Hey tedew,

It's a bit tricky to protect a VPN gateway from the internet - the whole point is that your VPN users can access the gateway from anywhere, essentially.
That being said, you can do a few things to protect the gateway:
- put a Web Application Firewall in front, as suggested by Adam
- create local-in policies on FortiGate to block certain source addresses/IP blocks (like IP ranges associated with specific geographic locations)
- in the SSLVPN settings, limit access to specific source IPs:

Debbie_FTNT_0-1676386269647.png

-> this would only be an option if you know the IPs your users will connect with, or at least a broader range your users will utilize

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
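As an added illustration of the local-in policy and source-address options listed above (not configuration from the thread or from Fortinet's own documentation), here is what the two settings look like in FortiOS CLI. The address object names, the interface name "wan1", the 203.0.113.0/24 corporate range and the "XX" country code are assumptions; substitute your own.

```fortios
# Added example, not from the original post. Object names, "wan1",
# 203.0.113.0/24 and country "XX" are placeholders/assumptions.

# 1) Address objects: a geography object to deny, and the corporate
#    egress range that is allowed to reach the SSL VPN listener.
config firewall address
    edit "geo-block-XX"          # assumed name; "XX" is a placeholder country code
        set type geography
        set country "XX"
    next
    edit "vpn-allowed-src"       # assumed name: known corporate source range
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2) Local-in policy: drop traffic from the geography object to the
#    FortiGate itself on wan1 before it reaches the SSL VPN portal.
#    "HTTPS" is the built-in TCP/443 service; if SSL VPN listens on a
#    custom port, create and reference a custom service object instead.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-block-XX"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 3) SSL VPN settings: only the allow-listed source range may connect.
#    Weak setting for comparison: leaving source-address unset, which
#    accepts connections from any source on the listening interface.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "vpn-allowed-src"
    set source-address-negate disable
end
```

Step 3 only fits when users connect from known ranges (as the post notes); steps 1 and 2 still apply when they do not.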
tedew
New Contributor

Hello,

Thanks for the suggestions.

I heard that some organizations put some kind of proxy (server or appliance + YubiKey, I don't know exactly) before the VPN. So my understanding was that the user first authenticates with the proxy and then with the VPN. It looks like a layered authentication model; did you hear about something like this?

I will read about FortiNAC. 

Thanks, 

adambomb1219

Yes but why?  What are you trying to solve?  Why not just do YubiKey MFA with the FortiClient VPN?

gfleming
Staff
Staff

You could create a loopback IP address and have the VPN listening on this interface. Now you can create a FW policy from WAN->Loopback interface and apply protection on this policy.

Cheers,
Graham