Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SusanEmelia
New Contributor

SSL VPN Vulnerabilities and Best Practices Discussion

I'm currently experimenting with SSL VPN on my FortiGate 40F at home. I've taken some precautions by implementing a self-generated CA/cert PKI How do you approach SSL VPN security? 

5 REPLIES 5
dbu
Staff
Staff

Hi @SusanEmelia ,

Here are some best practices to secure the SSL VPN : 

-Integrate with Authentication servers

-Use a non factory certificate (you already generated a certificate)
-Use multi factor authentication

-Deploy user certificates for remote SSL VPN users

-Define the minimum supported TLS version

-If you have multiple groups and portals is wise to configure SSL VPM multi-realm

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
SusanEmelia

pavankr5
Staff
Staff

Hello @SusanEmelia 

 

> You can Implement multifactor authentication for user logins.

> Regularly update the FortiGate firmware and Forticlient to patch known vulnerabilities and ensure you're using the latest security features.

> Set session timeout limits and idle logout policies to automatically disconnect inactive sessions, reducing the window for unauthorized access.
> Enable logging and monitoring features to track user activities, detect anomalies, and respond to security incidents promptly.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor
> Educate users about best practices for VPN usage, including safeguarding credentials, recognizing phishing attempts, and reporting suspicious activities.

let us know if you have any queries.

Thanks
 Pavan

 

Immu
New Contributor III

Hi,

 

as @dbu wrote use two-factor-authentication...

Good to know: You do not need to buy any FortiTokens, if you use method via mail.

But you can only set this via CLI:

config user local

edit <username>

set two-factor email

set email-to <email address>

 

Of cource you need a SMTP server for your firewall.

But I have only done that with local users (you can ask by any problems...).

 

Additionally I would use security profiles like SSL-Inspection and IPS (especially the users use their own hardware...).

 

Non-or-less-security aspect

And nobody has mentioned split tunneling yet. I suggest you to make use of split tunneling.

So traffic which is designated for the internet gets routed through the router e.g. in HomeOffice instead of your firewall.

dbu

adding further, it is worth mentioning that you have also two free Fortitoken mobile.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors