SSL VPN Vulnerabilities and Best Practices Discussion
I'm currently experimenting with SSL VPN on my FortiGate 40F at home. I've taken some precautions by implementing a self-generated CA/cert PKI. How do you approach SSL VPN security?
Labels: FortiGate
Hi @SusanEmelia ,
Here are some best practices to secure the SSL VPN:
- Integrate with authentication servers
- Use a non-factory certificate (you already generated a certificate)
- Use multi-factor authentication
- Deploy user certificates for remote SSL VPN users
- Define the minimum supported TLS version
- If you have multiple groups and portals, it is wise to configure SSL VPN multi-realm
If you have found a solution, please like and accept it to make it easily accessible for others.
Created on 01-01-2024 09:17 PM, edited on 01-01-2024 09:18 PM
Thank you for the suggestion. I'll check with this: https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor MyGreatLakes
Hello @SusanEmelia,
- You can implement multi-factor authentication for user logins.
- Regularly update the FortiGate firmware and FortiClient to patch known vulnerabilities and ensure you're using the latest security features.
- Set session timeout limits and idle logout policies to automatically disconnect inactive sessions, reducing the window for unauthorized access.
- Enable logging and monitoring features to track user activities, detect anomalies, and respond to security incidents promptly: https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor
- Educate users about best practices for VPN usage, including safeguarding credentials, recognizing phishing attempts, and reporting suspicious activities.
Let us know if you have any queries.
Thanks
Pavan
Hi,
as @dbu wrote, use two-factor authentication...
Good to know: you do not need to buy any FortiTokens if you use the method via mail.
But you can only set this via CLI:
    config user local
        edit <username>
            set two-factor email
            set email-to <email address>
        next
    end
Of course you need an SMTP server for your firewall.
But I have only done that with local users (you can ask if you have any problems...).
Additionally, I would use security profiles like SSL inspection and IPS (especially if the users use their own hardware...).
Non- or less-security-related aspect:
And nobody has mentioned split tunneling yet. I suggest you make use of split tunneling.
So traffic which is destined for the internet gets routed through the router (e.g. in the home office) instead of your firewall.
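As an added example that is not part of any reply in this thread, the FortiOS CLI fragments that put the email-based two-factor advice in the post above (including the SMTP server it says the firewall needs) and the minimum-TLS-version and non-factory-certificate advice from the earlier reply into practice. The server name, user name, addresses and certificate name are assumed placeholders.

```text
# Assumed placeholders: smtp.example.com, alice, alice@example.com, my-signed-cert

# 1. SMTP relay the firewall uses to deliver the one-time codes
#    (required before "set two-factor email" can deliver anything)
config system email-server
    set server "smtp.example.com"
    set port 587
    set authenticate enable
    set username "fortigate@example.com"
    set password <smtp-password>
    set security starttls
end

# 2. Local user who must present a password plus the emailed token
config user local
    edit "alice"
        set type password
        set passwd <user-password>
        set two-factor email
        set email-to "alice@example.com"
    next
end

# 3. SSL VPN settings: minimum TLS version, non-factory server certificate,
#    and timeouts so idle or long-lived sessions are dropped automatically
config vpn ssl settings
    set ssl-min-proto-ver tls1-2
    set servercert "my-signed-cert"
    set idle-timeout 300
    set auth-timeout 28800
end
```

After applying this, verify that the test user is prompted for the emailed code on the SSL VPN login before rolling it out to further accounts.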
Adding further, it is worth mentioning that you also have two free FortiToken Mobile tokens.
If you have found a solution, please like and accept it to make it easily accessible for others.
