rmetzger
Staff

Purpose

This article describes a solution where multiple customers each need their own SSL VPN portal in tunnel mode in order to access their internal resources.


Scope

FortiGate
SSL VPN


Diagram

[Diagram: rmetzger_FD33950_a_FD33950.jpg]



Expectations, Requirements

Customer1 and Customer2 each need a customized SSL VPN portal allowing tunnel mode. They need to access the resources located behind their respective VDOMs. Split-tunneling is required.

A perimeter VDOM (the default root VDOM) is used for the Internet connection and SSL VPN termination. Inter-VDOM links carry traffic from the perimeter VDOM to the Customer VDOMs.


Configuration


root VDOM configuration framework:

  • SSL VPN IP Pool for each Customer
  • SSL VPN portals
  • Users and Users groups with assignment to respective SSL VPN portal
  • SSL VPN firewall policy (identity based)
  • Firewall policies for traffic between root VDOM and Customer VDOMs via the inter-VDOM links
  • Static routes towards the virtual SSL VPN interface
  • Static routes towards the Customer's subnets


Customer VDOM configuration framework:

  • Static routes towards the SSL VPN IP Pools subnets
  • Firewall policies for traffic between root VDOM and Customer VDOM via the inter-VDOM links

The Customer VDOM configuration is not provided here since it contains only standard routing and firewall policy settings.

 


root VDOM configuration

FGT (root) # show firewall address
config firewall address
    edit "SSLVPN_TUNNEL_cust1"
        set subnet 10.20.20.0 255.255.255.240
    next
    edit "SSLVPN_TUNNEL_cust2"
        set subnet 10.20.20.16 255.255.255.240
    next
    edit "cust1-vlan"
        set subnet 172.10.1.0 255.255.255.0
    next
    edit "cust2-vlan"
        set subnet 172.20.2.0 255.255.255.0
    next
end


FGT (root) # show vpn ssl settings
config vpn ssl settings
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" "SSLVPN_TUNNEL_cust1" "SSLVPN_TUNNEL_cust2"
end


FGT (root) # show vpn ssl web portal Portal1
config vpn ssl web portal
    edit "Portal1"
        set heading "Welcome to SSL VPN Customer1"
        set page-layout double-column
            config widget
                edit 4
                    set name "Session Information"
                    set type info
                next
                edit 1
                    set name "Bookmarks"
                    set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
                next
                edit 3
                    set name "Tunnel Mode"
                    set type tunnel
                    set tunnel-status enable
                    set split-tunneling enable
                    set ip-pools "SSLVPN_TUNNEL_cust1"
                next
                edit 2
                    set name "Connection Tool"
                    set type tool
                    set allow-apps web ftp smb telnet ssh vnc rdp ping citrix rdpnative portforward
                next
            end
    next
end

FGT (root) # show vpn ssl web portal Portal2
config vpn ssl web portal
    edit "Portal2"
        set heading "Welcome to SSL VPN Customer2"
        set page-layout double-column
            config widget
                edit 4
                    set name "Session Information"
                    set type info
                next
                edit 3
                    set name "Tunnel Mode"
                    set type tunnel
                    set tunnel-status enable
                    set split-tunneling enable
                    set ip-pools "SSLVPN_TUNNEL_cust2"
                next
            end
    next
end


FGT (root) # show user local
config user local
    edit "customer1"
        set type password
        set passwd ENC Lm1RcvRBCJCDnnM1AX1zqnfr7tXMJFfrIZr18L6P+gHjLBjbuoGk/jmGZbggBEJnb3+S6XYUf5m7YfNnHQNenYI6itWcR5SLm098bqqO+DCBboXo
    next
    edit "customer2"
        set type password
        set passwd ENC QOAlC3B2fKsrp12v+SkT7CWyiJRUlJ7KRrhuVPNpxn3R3Hycx7M//91SRUAU98z9cxMTb78kUiw9aHOpIOnQtTgVPF9iYaPCMhDQA/NxoICCnZ5P
    next
end

FGT (root) # show user group
config user group
    edit "portal1-users"
        set sslvpn-portal "Portal1"
            set member "customer1"
    next
    edit "portal2-users"
        set sslvpn-portal "Portal2"
            set member "customer2"
    next
end

FGT (root) # show router static
config router static
    edit 5
        set device "ssl.root"
        set dst 10.20.0.0 255.255.0.0
    next
    edit 6
        set device "VDL-Cust10"
        set dst 172.10.1.0 255.255.255.0
    next
    edit 7
        set device "VDL-Cust20"
        set dst 172.20.2.0 255.255.255.0
    next
end


FGT (root) # show firewall policy
config firewall policy
    edit 8
        set srcintf "ssl.root"
        set dstintf "VDL-Cust10"
            set srcaddr "SSLVPN_TUNNEL_cust1"
            set dstaddr "cust1-vlan"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 9
        set srcintf "ssl.root"
        set dstintf "VDL-Cust20"
            set srcaddr "SSLVPN_TUNNEL_cust2"
            set dstaddr "cust2-vlan"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 10
        set srcintf "port1"
        set dstintf "VDL-Cust10"
            set srcaddr "all"
            set dstaddr "cust1-vlan"
        set action ssl-vpn
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                        set groups "portal1-users"
                        set service "ANY"
                next
            end
    next
    edit 11
        set srcintf "port1"
        set dstintf "VDL-Cust20"
            set srcaddr "all"
            set dstaddr "cust2-vlan"
        set action ssl-vpn
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                        set groups "portal2-users"
                        set service "ANY"
                next
            end
    next
end
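The isolation between Customer1 and Customer2 in the root VDOM rests on three things working together: each portal's tunnel widget hands out its own IP pool, the pools do not overlap, and the accept policies from ssl.root only pair a pool with its own customer's VLAN. As an added example (not part of the Fortinet article and not FortiOS code), the following Python script parses FortiOS `show` output and checks those properties. The embedded configuration is constructed from the article's output above, trimmed to the objects the check needs; the function returns a list of findings, so an empty list means the tenants are isolated, and a policy that let SSLVPN_TUNNEL_cust1 reach cust2-vlan, an overlapping pool, or a pool used by both portals would each be reported.

```python
# Added example (not FortiOS code): parse FortiOS `show` output and verify that
# the pool each portal hands out can only reach that customer's own VLAN.
import ipaddress
import shlex

# Constructed from the article's root VDOM output, trimmed to what the check needs.
SAMPLE_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_cust1"
        set subnet 10.20.20.0 255.255.255.240
    next
    edit "SSLVPN_TUNNEL_cust2"
        set subnet 10.20.20.16 255.255.255.240
    next
end
config vpn ssl web portal
    edit "Portal1"
        config widget
            edit 3
                set type tunnel
                set ip-pools "SSLVPN_TUNNEL_cust1"
            next
        end
    next
    edit "Portal2"
        config widget
            edit 3
                set type tunnel
                set ip-pools "SSLVPN_TUNNEL_cust2"
            next
        end
    next
end
config firewall policy
    edit 8
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_cust1"
        set dstaddr "cust1-vlan"
        set action accept
    next
    edit 9
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_cust2"
        set dstaddr "cust2-vlan"
        set action accept
    next
end
"""
PORTAL_VLAN = {"Portal1": "cust1-vlan", "Portal2": "cust2-vlan"}  # only destination each portal may reach

def parse_fortios(text):
    """config <section> -> dict of entries, edit <name> -> dict of settings, set <key> -> list of values."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root

def reachable_from(cfg, pool):
    """Destination names that accept policies from ssl.root allow for the given pool."""
    return {dst for pol in cfg.get("firewall policy", {}).values()
            if pol.get("action") == ["accept"] and "ssl.root" in pol.get("srcintf", [])
            and (pool in pol.get("srcaddr", []) or "all" in pol.get("srcaddr", []))
            for dst in pol.get("dstaddr", [])}

def check_isolation(text, portal_vlan):
    """Return a list of findings; an empty list means the tenants are isolated."""
    cfg = parse_fortios(text)
    nets = {name: ipaddress.IPv4Network("/".join(entry["subnet"]))
            for name, entry in cfg.get("firewall address", {}).items() if "subnet" in entry}
    findings, used = [], {}
    for portal, allowed in portal_vlan.items():
        widgets = cfg.get("vpn ssl web portal", {}).get(portal, {}).get("widget", {}).values()
        pools = [p for w in widgets if w.get("type") == ["tunnel"] for p in w.get("ip-pools", [])]
        if not pools:
            findings.append(f"{portal}: no tunnel widget with an IP pool")
        for pool in pools:
            # The same pool in two portals would give both customers the same srcaddr.
            if used.setdefault(pool, portal) != portal:
                findings.append(f"pool {pool} shared by {used[pool]} and {portal}")
            extra = reachable_from(cfg, pool) - {allowed}
            if extra:
                findings.append(f"{portal}: pool {pool} can reach {sorted(extra)} besides {allowed}")
    # Pools must not overlap, or one tenant's client address would match another's srcaddr.
    names = sorted(used)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a in nets and b in nets and nets[a].overlaps(nets[b]):
                findings.append(f"pool overlap: {a} {nets[a]} and {b} {nets[b]}")
    return findings
```

Run `check_isolation(SAMPLE_CONFIG, PORTAL_VLAN)` against the configuration pasted from `show` on the root VDOM; the parser only looks at `config`, `edit`, `set`, `next` and `end`, so the remaining sections of a full `show` are parsed but ignored.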


Verification


Customer1 accessing Portal1:

Windows IP Configuration

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.20.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     0.0.0.0               0.0.0.0  192.168.100.254  192.168.171.180     20
    10.20.20.1     255.255.255.255          On-link       10.20.20.1    276
    172.10.1.0       255.255.255.0       10.20.20.2       10.20.20.1     20


C:\Users\>ping 172.10.1.1

Pinging 172.10.1.1 with 32 bytes of data:
Reply from 172.10.1.1: bytes=32 time=13ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254

Customer2 accessing Portal2:

Windows IP Configuration

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.20.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
    0.0.0.0                0.0.0.0  192.168.100.254  192.168.171.180     20
   10.20.20.17     255.255.255.255          On-link      10.20.20.17    276
   172.20.2.0        255.255.255.0      10.20.20.18      10.20.20.17     20

C:\Users\>ping 172.20.2.1

Pinging 172.20.2.1 with 32 bytes of data:
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
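The route tables above are what confirms that split-tunneling works as intended: the PPP adapter gets an address from the customer's pool, only that customer's subnet is routed via the tunnel gateway, and the default route stays on the physical interface. As an added example (not part of the article), the following Python script parses a Windows route table of that form and checks those properties for one client, including that no tunnel route covers the other customer's subnet. The first table is constructed from the Customer1 output above; the second is a constructed counter-example in which the client received a default route through the tunnel, which the check reports.

```python
# Added example (not part of the article): parse the Windows route table a client
# shows after connecting and verify that only the customer's own subnet is routed
# through the SSL VPN tunnel, i.e. that split-tunneling is in effect.
import ipaddress
import re

# Constructed from the article's "Customer1 accessing Portal1" output.
ROUTES_CUST1 = """\
Network Destination        Netmask          Gateway       Interface  Metric
     0.0.0.0               0.0.0.0  192.168.100.254  192.168.171.180     20
    10.20.20.1     255.255.255.255          On-link       10.20.20.1    276
    172.10.1.0       255.255.255.0       10.20.20.2       10.20.20.1     20
"""
# Constructed counter-example: the same client with a default route via the tunnel.
ROUTES_FULL_TUNNEL = """\
     0.0.0.0               0.0.0.0       10.20.20.2       10.20.20.1      1
     0.0.0.0               0.0.0.0  192.168.100.254  192.168.171.180     20
    10.20.20.1     255.255.255.255          On-link       10.20.20.1    276
"""
# destination, netmask, gateway (an address or "On-link"), interface address, metric
ROUTE_LINE = re.compile(r"^\s*(\d[\d.]*)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s*$")

def parse_routes(text):
    """Yield (network, gateway, interface) for each IPv4 route line; headers are skipped."""
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, iface, _metric = m.groups()
            yield ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, ipaddress.IPv4Address(iface)

def check_split_tunnel(text, tunnel_ip, pool, own_subnet, other_subnets):
    """Return findings for one client; empty means the expected split-tunnel state.

    tunnel_ip is the PPP adapter address, pool the tenant's SSL VPN IP pool,
    own_subnet the network expected via the tunnel and other_subnets the
    networks that must not be reachable through it.
    """
    findings = []
    tunnel_ip = ipaddress.IPv4Address(tunnel_ip)
    if tunnel_ip not in ipaddress.IPv4Network(pool):
        findings.append(f"tunnel address {tunnel_ip} is outside pool {pool}")
    # Routes that actually send traffic into the tunnel: bound to the PPP address, not on-link.
    tunnel_nets = [net for net, gw, iface in parse_routes(text)
                   if iface == tunnel_ip and gw != "On-link"]
    if any(net.prefixlen == 0 for net in tunnel_nets):
        findings.append("default route via tunnel: split-tunneling is not in effect")
    own = ipaddress.IPv4Network(own_subnet)
    if not any(own.subnet_of(net) for net in tunnel_nets):
        findings.append(f"no tunnel route covering {own}")
    for other in map(ipaddress.IPv4Network, other_subnets):
        for net in tunnel_nets:
            if net.overlaps(other):
                findings.append(f"tunnel route {net} also covers other tenant subnet {other}")
    return findings

if __name__ == "__main__":
    args = ("10.20.20.1", "10.20.20.0/28", "172.10.1.0/24", ["172.20.2.0/24"])
    print("split tunnel:", check_split_tunnel(ROUTES_CUST1, *args))
    print("full tunnel:", check_split_tunnel(ROUTES_FULL_TUNNEL, *args))
```

The same call with the Customer2 values (10.20.20.17, pool 10.20.20.16/28, subnet 172.20.2.0/24 and 172.10.1.0/24 as the other tenant) verifies the second table above.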
