Hello,
On Fortigate we have configured VPN for our users (Tunel mode, web mode) and everything is working.
But we have doubts regarding security level for this VPN gateway.
Is possible to install/ add somethnig more (like some proxy) between VPN gateway and clients ?? to be more secure...
thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Huh? What do you mean? Are firewall policies not enough for your use-case? Are you doing full tunnel or split tunnel?
hello,
yes,
Theoretically everybody in the Internet can try to access to our SSL VPN web page (and try some attacks) - is possible to limit only to authorized device (company devices) ??
For Tunel mode we are not using split tunnel.
Thanks,
Are you using MFA? There are also some device posture checks built into FortiGate to ensure the device meets criteria for your organization. What version of FortiOS are you running? You can also look at FortiNAC to control device posture before providing VPN access.
Do you mean the SSL webpage itself? If so, then frontend the SSL VPN page with a WAF.
Hey tedew,
it's a bit tricky to protect a VPN gateway from the internet - the whole point is that your VPN users can access the gateway from anywhere, essentially.
That being said, you can do a few things to protect the gateway:
- put a Web Application Firewall in front, as suggested by Adam
- create local-in policies on FortiGate to block certain source addresses/IP blocks (like IP ranges associated with specific geographic locations)
- in the SSLVPN settings, limit access to specific source IPs:
-> this would only be an option if you know the IPs your users will connect with, or at least a broader range your users will utilize
Hello,
Thanks for sugestions.
I heard that some organizations put some kind of proxy (server or appliance + yubikey, i don't know exactly) before vpn. So my understanding was that user first authenticate with proxy then in vpn. It looks like layered model of authenticate, did You hear about something like this ??
I will read about FortiNAC.
Thanks,
Yes but why? What are you trying to solve? Why not just do Yubiey MFA with the FortiClient VPN?
You could create a loopback IP address and have the VPN listening on this interface. Now you can create a FW policy from WAN->Loopback interface and apply protection on this policy.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.