I'm currently experimenting with SSL VPN on my FortiGate 40F at home. I've taken some precautions by implementing a self-generated CA/cert PKI How do you approach SSL VPN security?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @SusanEmelia ,
Here are some best practices to secure the SSL VPN :
-Integrate with Authentication servers
-Use a non factory certificate (you already generated a certificate)
-Use multi factor authentication
-Deploy user certificates for remote SSL VPN users
-Define the minimum supported TLS version
-If you have multiple groups and portals is wise to configure SSL VPM multi-realm
Created on 01-01-2024 09:17 PM Edited on 01-01-2024 09:18 PM
Thank you for the suggestion I'll check with this https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor MyGreatLakes
Hello @SusanEmelia
> You can Implement multifactor authentication for user logins.
> Regularly update the FortiGate firmware and Forticlient to patch known vulnerabilities and ensure you're using the latest security features.
> Set session timeout limits and idle logout policies to automatically disconnect inactive sessions, reducing the window for unauthorized access.
> Enable logging and monitoring features to track user activities, detect anomalies, and respond to security incidents promptly.
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/28104/ssl-vpn-monitor
> Educate users about best practices for VPN usage, including safeguarding credentials, recognizing phishing attempts, and reporting suspicious activities.
let us know if you have any queries.
Thanks
Pavan
Hi,
as @dbu wrote use two-factor-authentication...
Good to know: You do not need to buy any FortiTokens, if you use method via mail.
But you can only set this via CLI:
config user local
edit <username>
set two-factor email
set email-to <email address>
Of cource you need a SMTP server for your firewall.
But I have only done that with local users (you can ask by any problems...).
Additionally I would use security profiles like SSL-Inspection and IPS (especially the users use their own hardware...).
Non-or-less-security aspect
And nobody has mentioned split tunneling yet. I suggest you to make use of split tunneling.
So traffic which is designated for the internet gets routed through the router e.g. in HomeOffice instead of your firewall.
adding further, it is worth mentioning that you have also two free Fortitoken mobile.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.