SSL VPN with certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
6. Install the server certificate.

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. a. Go to System > Feature Visibility and ensure Certificates is enabled.

1. Go to System > Certificates and select Import > Local Certificate.
   • Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password.
   • If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

3. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

1. Go to System > Certificates and select Import > CA Certificate.
2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

4. Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer

edit pki01

set ca CA_Cert_1 set subject User01

end l Ensure the subject matches the name of the user certificate. In this example, User01. Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.

1. Edit the user account and expand Two-factorauthentication.
2. Enable Require two-factorauthentication and set a Password for the account.
3. Go to User& Device > User> UserGroups and create a group sslvpngroup.
4. Add the PKI user pki01 to the group.

5. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

6. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Enable Require Client Certificate.
   6. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   7. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
7. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Install the CA certificate.

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. It is easier to install the server certificate from GUI. However, CLI can import a p12 certificate from a tftp server.

If you want to import a p12 certificate, put the certificate server_certificate.p12 on your tftp server, then run following command on the FortiGate.

execute vpn certificate local import tftp server_certificate.p12 <your tftp_server> p12 <your password for PKCS12 file>

To check server certificate is installed:

show vpn certificate local server_certificate

3. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

It is easier to install the server certificate from GUI. However, CLI can import a CA certificates from a tftp server. If you want to import a CA certificate, put the CA certificate on your tftp server, then run following command on the FortiGate.

execute vpn certificate ca import tftp <your CA certificate name> <your tftp server>

To check that a new CA certificate is installed:

show vpn certificate ca

4. Configure PKI users and a user group.

config user peer

edit pki01

set ca CA_Cert_1 set subject User01 set two-factor enable set passwd <your-password>

end config user group edit “sslvpngroup” set member “pki01”

next

end

5. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

6. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

7. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

Sample installation

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the user certificate on Windows 7, 8, and 10:

1. Double-click the certificate file to open the Import Wizard.
2. Use the Import Wizard to import the certificate into the Personal store.

To install the user certificate on Mac OS X:

1. Open the certificate file, to open Keychain Access.
2. Double-click the certificate.
3. Expand Trust and select Always Trust.

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

4. Select Customize Port and set it to 10443.
5. Enable Client Certificate and select the authentication certificate.
6. Save your settings.
7. Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the certificate is correct, you can connect.

To see the results of web portal:

1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

2. Select the user certificate.
3. Enter your user credentials.

If the certificate is correct, you can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
2. Go to Log & Report > VPN Events and view the details for the SSL connection log.

To check the SSL VPN connection using the CLI:

SSL VPN with LDAP-integrated certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP UserPrincipalName checking.

This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer, the certificate authority, and the LDAP server.

Sample network topology

Sample configuration

In this sample, the UserPrincipal Name is included in the subject name of the issued certificate. This is the user field we use to search LDAP in the connection attempt.

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the server certificate:

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

1. Go to System > Feature Visibility and ensure Certificates is enabled.
2. Go to System > Certificates and select Import > Local Certificate.

l Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password. l If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

To install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

1. Go to System > Certificates and select Import > CA Certificate.
2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

2. Configure the LDAP server.
   1. Go to User& Device > LDAP Servers > Create New. l Specify Name and ServerIP/Name.

l Set Distinguished Name to dc=fortinet-fsso,dc=com. l Set Bind Type to Regular. l Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com. l Set password.

3. Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.

1. Go to User& Device > User> UserGroups and create a group sslvpn-group.
2. Add the PKI peer object you created as a local member of the group.
3. Add a remote group on the LDAP server and select the group of interest. You need these users to be members using the LDAP browser window.

4. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

5. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Enable Require Client Certificate.
   6. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   7. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal full-access.
6. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpn-group.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Configure the LDAP server.

config user ldap edit “ldap-AD” set server “172.18.60.206” set cnid “cn”

set dn “dc=fortinet-fsso,dc=com”

set type regular

set username “cn=admin,ou=testing,dc=fortinet-fsso,dc=com” set password ldap-server-password

next

end

3. Configure PKI users and a user group.

config user peer

edit user1

set ca CA_Cert_1 set ldap-server “ldap-AD” set ldap-mode principal-name

end

config user group edit “sslvpn-group” set member “ldap-AD” “test3” config match edit 1 set server-name “ldap-AD”

set group-name “CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM”

next end

next

end

4. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

5. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpn-group” set portal “full-access”

next

end

6. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpn-group” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
4. Select Customize Port and set it to 10443.
5. Enable Client Certificate and select the authentication certificate.
6. Save your settings.

Connecting to the VPN only requires the user’s certificate. It does not require username or password.

To see the results of web portal:

1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.

2. Select the user certificate.

You can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the SSL VPN connection using the CLI:

Below is a sample output of diag debug app fnbamd -1 while the user connects. This is a shortened output sample of a few locations to show the important parts. This sample shows lookups to find the group memberships (three groups total) of the user and that the correct group being found results in a match.

[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206

[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result

[864] fnbamd_ldap_parse_response-ret=0

[1386] __fnbamd_ldap_primary_grp_next-Auth accepted

[910] __ldap_rxtx-Change state to ‘Done’

[843] __ldap_rxtx-state 23(Done)

[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206

[937] fnbamd_ldap_send-Request is sent. ID 5

[753] __ldap_stop-svr ‘ldap-AD’

[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM

[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM

[2088] fnbamd_auth_cert_check-Matching group ‘sslvpn-group’

[2007] __match_ldap_group-Matching server ‘ldap-AD’ – ‘ldap-AD’

[2015] __match_ldap_group-Matching group ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’ ‘CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM’

[2091] fnbamd_auth_cert_check-Group ‘sslvpn-group’ matched

[2120] fnbamd_auth_cert_result-Result for ldap svr[0] ‘ldap-AD’ is SUCCESS

[2126] fnbamd_auth_cert_result-matched user ‘test3’, matched group ‘sslvpn-group’

You can also use diag firewall auth list to validate that a firewall user entry exists for the SSL VPN user and is part of the right groups.

SSL VPN with FortiToken Mobile Push authentication

This topic provides a sample configuration of SSL VPN that uses FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
   5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
2. Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step. a. Go to Dashboard > Licenses.

1. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click it and select Register.
2. Add FortiToken Mobile to FortiGate.

If your FortiGate has FortiToken installed, skip this step.

1. Go to User& Device > FortiTokens and click Create New.
2. Select Mobile Token and type in Activation Code.
3. Every FortiGate has two free Mobile Tokens. Go to User& Device > FortiTokens and click Import Free Trial Tokens.

4. Enable FortiToken Mobile Push.

To use FTM-push authentication, use CLI to enable FTM-Push in the FortiGate.

1. Ensure server-ip is reachable from the Internet and enter the following CLI commands:

config system ftm-push set server-ip 172.20.120.123 set status enable

end

1. Go to Network > Interfaces.
2. Edit the wan1
3. Under Administrative Access > IPv4, select FTM.
4. Click OK.

5. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
   2. Enter the user’s Email Address.
   3. Enable Two-factorAuthentication and select one Mobile token from the list,
   4. Enable Send Activation Code from Email.
   5. Click Next and click Submit.
   6. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
6. Activate the Mobile token.
   1. When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install your FortiToken Mobile application on your device and activate your token.
7. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

8. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
9. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

diagnose forticare direct-registration product-registration -a “your account@xxx.com” -p

“your password” -T “Your Country/Region” -R “Your Reseller” -e 1

3. Add FortiToken Mobile to FortiGate.
   1. If your FortiGate has FortiToken installed, skip this step. execute fortitoken-mobile import <your FTM code>
   2. Every FortiGate has two free Mobile Tokens. You can download the free token.

execute fortitoken-mobile import 0000-0000-0000-0000-0000

4. Enable FortiToken Mobile Push.
   1. To use FTM-push authentication, ensure server-ip is reachable from the Internet and enable FTM-Push in the FortiGate.

config system ftm-push set server-ip 172.20.120.123 set status enable

end

1. Enable FTM service on WAN interface.

config system interface edit “wan1” append allowaccess ftm

next

end

5. Configure user and user group.

config user local edit “sslvpnuser1” set type password set two-factor fortitoken

set fortitoken <select mobile token for the option list> set email-to <user’s email address> set passwd <user’s password>

next

end config user group edit “sslvpngroup” set member “sslvpnuser1”

next

end

6. Activate the Mobile token.
7. When the user sslvpnuser1 is created, an email is sent to the user’s email address. Follow the instructions to install your FortiToken Mobile application on your device and activate your token.
8. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

8. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

9. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of web portal:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1

The FortiGate pushes a login request notification through the FortiToken Mobile application.

3. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

4. On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiGate pushes a login request notification through the FortiToken Mobile application.

7. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

SSL VPN with RADIUS on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

1. Create a user on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > UserManagement > Local Users to create a user sslvpnuser1.
   2. Enable Allow RADIUS authentication and click OK to access additional settings.
   3. Go to Authentication > UserManagement > UserGroups to create a group sslvpngroup.
   4. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client OfficeServer).
   2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator. c. Set Realms to local |Local users.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

2. Create a RADIUS user and user group .
   1. On the FortiGate, go to User& Device > RADIUS Servers to create a user to connect to the RADIUS server

(FortiAuthenticator).

1. For Name, use FAC-RADIUS.
2. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
3. Click Test Connectivity to ensure you can connect to the RADIUS server.
4. Select Test UserCredentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

1. Go to User& Device > UserGroups and click Create New to map authenticated remote users to a user group on the FortiGate.
2. For Name, use SSLVPNGroup.
3. In Remote Groups, click Add.
4. In the Remote Server dropdown list, select FAC-RADIUS.
5. Leave the Groups field blank.

3. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

4. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet.

Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

next

end config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Create a RADIUS user and user group.

config user radius edit “FAC-RADIUS” set server “172.20.120.161” set secret <FAC client secret>

next

end

config user group edit “sslvpngroup” set member “FAC-RADIUS”

next

end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of web portal:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1
3. On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

SSL VPN sessions:

Index User     Source IP    Duration     I/O Bytes    Tunnel/Dest IP 0  sslvpnuser1  10.1.100.254 9      22099/43228  10.212.134.200

SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server and FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or deny the authentication request.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

1. Add a FortiToken mobile license on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > UserManagement > FortiTokens. Click Create New.
   2. Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client OfficeServer).
   2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.

1. Set Authentication method to Enforce two-factorauthentication.
2. Select Enable FortiToken Mobile push notifications authentication.
3. Set Realms to local |Local users.

3. Create a user and assign FortiToken Mobile to the user on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > UserManagement > Local Users to create a user sslvpnuser1.
   2. Enable Allow RADIUS authentication and click OK to access additional settings.
   3. Enable Token-based authentication and select to deliver the token code by FortiToken.
   4. Select the FortiToken added from the FortiToken Mobile dropdown menu.
   5. Set Delivery method to Email and fill in the UserInformation
   6. Go to Authentication > UserManagement > UserGroups to create a group sslvpngroup.
   7. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
4. Install the FortiToken Mobile application on your smartphone, for Android or iOS.

The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address.

5. Activate the FortiToken Mobile through the FortiToken Mobile application by either entering the activation code or by scanning the QR code.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

2. Create a RADIUS user and user group.
   1. On the FortiGate, go to User& Device > RADIUS Servers to create a user to connect to the RADIUS server

(FortiAuthenticator).

1. For Name, use FAC-RADIUS.
2. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
3. Click Test Connectivity to ensure you can connect to the RADIUS server.
4. Select Test UserCredentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

1. Go to User& Device > UserGroups and click Create New to map authenticated remote users to a user group on the FortiGate.
2. For Name, use SSLVPNGroup.
3. In Remote Groups, click Add.
4. In the Remote Server dropdown list, select FAC-RADIUS.
5. Leave the Groups field blank.

3. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

4. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Create a RADIUS user and user group.

config user radius edit “FAC-RADIUS” set server “172.20.120.161” set secret <FAC client secret>

next

end

config user group edit “sslvpngroup” set member “FAC-RADIUS”

next end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of web portal:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

3. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

4. On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1 credentials and click FTM Push.

The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.

7. Check your mobile device and select Approve.

When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

SSL VPN with local user password policy

This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are warned after one day about the password expiring. The password policy can be applied to any local user password. The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.

In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the expiration time is reached, the user can still renew the password.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
   5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
2. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user.
   2. Enter the user’s Email Address.
   3. If you want, enable Two-factorAuthentication,
   4. Click Next and click Submit.
   5. Go to User& Device > UserGroups to create a user group and add that local user to it.
3. Configure and assign the password policy using the CLI.
   1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next end

1. Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

next

end

4. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

5. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
6. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure and assign the password policy.
   1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next

end

1. Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

next

end

4. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

5. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1”

set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

6. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1

When the warning time is reached , the user is prompted to enter a new password.

In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the administrator.

In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.

3. On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of the SSL VPN tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1

When the warning time is reached , the user is prompted to enter a new password.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check that login failed due to password expired on GUI:

1. Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
2. Click Details to see the log details about the Reason sslvpn_login_password_expired.

To check the web portal login using the CLI:

To check the FortiOS 6.2 login password expired event log:

vd=”root” eventtime=1550257076 logdesc=”SSL VPN login fail” action=”ssl-login-fail” tunneltype=”ssl-web” tunnelid=0 remip=10.1.100.254 user=”u1″ group=”g1″ dst_host=”N/A” reason=”sslvpn_login_password_expired” msg=”SSL user failed to logged in”

SSL VPN with RADIUS password renew on FortiAuthenticator

This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon. In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force password change on next logon.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
   5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
2. Create a RADIUS user.
   1. Go to User& Device > RADIUS Servers to create a user.
   2. Set Authentication method to MS-CHAP-v2.
   3. Enter the IP/Name and Secret.
   4. Click Create.

Password renewal only works with the MS-CHAP-v2 authentication method.

1. To enable the password-renew option, use these CLI commands.

config user radius edit “fac” set server “172.20.120.161” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

3. Configure user group.
   1. Go to User& Device > UserGroups to create a user group.
   2. For the Name, enter fac-group.
   3. In Remote Groups, click Add to add Remote Server you just created.
4. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

5. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group fac-group mapping portal full-access.
6. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to fac-group.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next end

2. Configure the RADIUS server.

config user radius edit “fac” set server “172.18.58.107” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

3. Configure user group.

config user group edit “fac-group” set member “fac”

next

end

4. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

5. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “fac-group” set portal “full-access”

next

end

6. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “fac-group” set action accept set schedule “always” set service “ALL”

set nat enable

next

end

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure and assign the password policy.
   1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next

end

1. Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

next

end

4. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

5. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

6. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the test1

Use a user which is configured on FortiAuthenticator with Force password change on next logon.

3. Click Login. You are prompted to enter a new password.
4. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.

To see the results of the SSL VPN tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the test1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

SSL VPN with LDAP user password renew

This topic provides a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with Force password change on next logon.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
   5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
2. Import CA certificate into FortiGate.
   1. Go to System > Features Visibility and enable Certificates.
   2. Go to System > Certificates and select Import > CA Certificate.
   3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

1. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

config vpn certificate ca rename CA_Cert_1 to LDAPS-CA

end

3. Configure the LDAP user.
   1. Go to User& Device > LDAP Servers > Create New.
      • Specify Name and ServerIP/Name.
      • Specify Common Name Identifier, Distinguished Name. l Set Bind Type to Regular. l Specify Username and Password. l Enable Secure Connection and set Protocol to LDAPS. l For Certificate, select LDAP serverCA LDAPS-CA from the list.
   2. To enable the password-renew option, use these CLI commands.

config user ldap edit “ldaps-server” set password-expiry-warning enable set password-renewal enable

next

end

4. Configure user group.
   1. Go to User& Device > UserGroups to create a user group.
   2. Enter a Name.
   3. In Remote Groups, click Add to add ldaps-server.
5. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

6. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group ldaps-group mapping portal full-access.
7. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to ldaps-group.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet.

Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Import CA certificate into FortiGate.
   1. Go to System > Features Visibility and enable Certificates.
   2. Go to System > Certificates and select Import > CA Certificate.
   3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

1. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

config vpn certificate ca rename CA_Cert_1 to LDAPS-CA

end

3. Configure the LDAP server.

config user ldap edit “ldaps-server” set server “172.20.120.161”

set cnid “cn”

set dn “cn=Users,dc=qa,dc=fortinet,dc=com”

set type regular

set username “CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com” set password ENC

Uf/OvqAbjSpeZz4wv9Tapl3xyMn1DGSTSxb2ZAB5dA5kVd0wVsGaeAhuX1Hl7mRtJQdRL8L2mzSfV6NTyQsdJ8E+rZy mImS2rfQg0OZ0IRRYKp0v3qFXgsmW9x9xRP2u79OcpUR5JmnnW8DFnK9jSUGix+DvYpbBn8EwweoDQq55Ej9FLwKSBY iYZs18V9ktSxT49w== set group-member-check group-object

set secure ldaps set ca-cert “LDAPS-CA” set port 636

set password-expiry-warning enable set password-renewal enable

next

end

4. Configure user group.

config user group edit “ldaps-group” set member “ldaps-server”

next end

5. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

6. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “ldaps-group” set portal “full-access”

next

end

7. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “ldaps-group” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the ldu1

Use a user which is configured on FortiAuthenticator with Force password change on next logon.

3. Click Login. You are prompted to enter a new password.
4. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.

To see the results of the SSL VPN tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the ldu1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

SSL VPN troubleshooting

This topic provides a tips for SSL VPN troubleshooting.

Diagnose commands

SSL VPN debug command

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

diagnose debug application sslvpn -1 diagnose debug enable

The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)

[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)

[282:root]SSL state:SSLv3 write finished B (172.20.120.12)

[282:root]SSL state:SSLv3 flush data (172.20.120.12)

[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)

[282:root]SSL state:SSLv3 read finished A (172.20.120.12)

[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)

[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug:

diagnose debug disable diagnose debug reset

Remote user authentication debug command

Use the following diagnose commands to identify remote user authentication issues.

diagnose debug application fnbamd -1 diagnose debug reset

Common issues

To troubleshoot getting no response from the SSL VPN URL:

1. Go to VPN > SSL-VPN Settings.
   1. Check the SSL VPN port
   2. Check the Restrict Access settings to ensure the host you are connecting from is allowed.
2. Go to Policy > IPv4 Policy or Policy > IPv6 policy.
   1. Check that the policy for SSL VPN traffic is configured correctly.
   2. Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>

1. Check that you are using the correct port number in the URL. Ensure FortiGate is reachable from the computer.

ping <FortiGate IP>

1. Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3

To troubleshoot FortiGate connection issues:

1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
2. FortiClient uses IE security setting, In IE Internet Option > Advanced > Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
3. Check that SSL VPN ip-pools has free IPs to sign out. The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
4. Export and check FortiClient debug logs.
5. Go to File > Settings.
6. In the Logging section, enable Export logs.
7. Set the Log Level to Debug and select Clearlogs.
8. Try to connect to the VPN.
9. When you get a connection error, select Export logs.

To troubleshoot SSL VPN hanging or disconnecting at 98%:

1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.
2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In

FortiOS 5.6.0 and later, use the following commands to allow a user to increase timers related to SSL VPN login.

config vpn ssl settings

set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10)

end

To troubleshoot tunnel mode connections shutting down after a few seconds:

This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.

If you are using a FortiOS 6.0.1 or later:

config system interface

edit <name>

set preserve-session-route enable

next

end

If you are using a FortiOS 6.0.0 or earlier:

config vpn ssl settings set route-source-interface enable

end

To troubleshoot users being assigned to the wrong IP range:

1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both places.

Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

To troubleshoot slow SSL VPN throughput:

Many factors can contribute to slow throughput.

This recommendation is try improving throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.

FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.

To use DTLS with FortiClient:

1. Go to File > Settings and enable Preferred DTLS Tunnel.

To enable DTLS tunnel on FortiGate, use the following CLI commands:

config vpn ssl settings

set dtls-tunnel enable end

Access a cloud server using an AWS SDN connector via SSL VPN

This example provides a sample configuration so that a local client PC can access an FTP server deployed inside an AWS cloud using an AWS SDN connector via SSL VPN.

The FortiGate VM64-AWS is deployed inside an AWS Cloud, and can dynamically resolve the private IP address of the FTP server in the cloud with an AWS SDN connector. The local client PC, with FortiClient installed, can establish an SSL-VPN tunnel to the FortiGate, and then access the FTP server through the tunnel.

To configure the FortiGate VM64-AWS:

1. Configure an AWS SDN connector:
   1. Go to Security Fabric > Fabric Connectors.
   2. Click Create New.
   3. Click Amazon Web Services (AWS).
   4. Configure the following:

1. Click OK.

2. Check the connector status:
   1. Go to Security Fabric > Fabric Connectors.
   2. Click the refresh icon on the configured SDN connector.

A green arrow in the bottom right corner of the connector means that it is connected.

3. Create a firewall address:
   1. Go to Policy & Objects > Addresses and click Create New > Address.
   2. Configure the following:

1. Click OK.

4. Check the resolved firewall address after the update interval (60 seconds, by default):
   1. Go to Policy & Objects > Addresses.
   2. Hover the cursor over the dynamic-aws

The firewall address resolved by the configured SDN connector is shown (172.331.31.101).

5. Configure SSL VPN to access the FTP server:
   1. Configure a user and user group:
      1. Go to User& Device > UserDefinition and create a new local user named usera.
      2. Go to User& Device > UserGroups, create a group named sslvpngroup, and add usera to it. Configure SSL VPN:
      3. Go to VPN > SSL-VPN Settings.
      4. Set the Listen on Interface(s) to port1 and the Listen on Port to 10443. Set ServerCertificate to your own certificate, or Fortinet_Factory.
      5. In the Authentication/Portal Mapping section, set the default All OtherUsers/Groups to full-access, and create a new Authentication/Portal Mapping for the sslvpngroup also with full-access. v. Click Apply.
      6. Configure an SSL VPN firewall policy:
   2. Go to Policy & Objects > IPv4 Policy and click Create New.
   3. Configure the following:

• Click OK.

To connect an SSL VPN tunnel from the local client PC:

1. Download FortiClient from forticlient.com and install it.
2. Open the FortiClient console and go to Remote Access.
3. Add a new connection
4. Set VPN to SSL-VPN, and enter a Connection Name and Description.
5. Set the Remote Gateway to 26.32.219, which is the FortiGate’s port1 public IP address that is configured as the listening interface.
6. Enable Customize port, and set the port number to 10443.
7. Click Save.
8. Use the credentials configured for usera to connect to the tunnel.

Traffic to the SDN connector’s resolved IP address (dynamic-aws, 172.31.31.101) will go through the tunnel, and other traffic will go through the local gateway.

The client PC shows the routing entry for the tunnel:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         172.16.200.1    0.0.0.0         UG    0      0        0 eth1

172.31.31.101 10.212.134.200 255.255.255.255 UGH 0        0        0 ppp0

The FortiGate shows the logged in user and the assigned SSL VPN tunnel virtual IP address :

execute vpn sslvpn list

SSL VPN Login Users:

Index User      Auth Type Timeout         From      HTTP in/out    HTTPS in/out

0        usera 1(1)           284      208.91.115.10     0/0            0/0

SSL VPN sessions:

Index User     Source IP     Duration I/O Bytes     Tunnel/Dest IP

0         usera 208.91.115.10 76        1883/1728     10.212.134.200

Diagnose commands

Show SDN connector status:

FGT-AWS# diagnose sys sdn status

SDN Connector                       Type        Status

————————————————————aws1      aws    connected

Debug the AWS SDN connector to resolve the firewall address:

FGT-AWS-3 # diagnose debug application awsd -1 …

awsd checking firewall address object dynamic-aws, vd 0

address change, new ip list:

172.31.31.101 awsd sdn connector aws1 finish updating IP addresses …

Restart the AWS SDN connector daemon:

FGT-AWS-3 # diagnose test application awsd 99

FortiGate multiple connector support

This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured Fabric connector in FortiOS.

FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of Fabric connector.

This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:

This process consists of the following:

1. Configure the interface.
2. Configure a static route to connect to the Internet.
3. Configure two Azure Fabric connectors with different client IDs.
4. Check the configured Fabric connectors.
5. Create two firewall addresses.
6. Check the resolved firewall addresses afterthe update interval.
7. Run diagnose commands.

To configure the interface:

1. In FortiOS, go to Network > Interfaces.
2. Edit port1:
   1. From the Role dropdown list, select WAN.
   2. In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.

To configure a static route to connect to the Internet:

1. Go to Network > Static Routes. Click Create New.
2. In the Destination field, enter 0.0.0.0/0.0.0.0.
3. From the Interface dropdown list, select port1.
4. In the Gateway Address field, enter 10.60.30.254.

To configure two Azure Fabric connectors with different client IDs:

1. Go to Security Fabric > Fabric Connectors.
2. Click Create New. Configure the first Fabric connector:
   1. Select Microsoft Azure.
   2. In the Name field, enter azure1.
   3. In the Status field, select Enabled.
   4. From the Server region dropdown list, select Global.
   5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
   6. In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
   7. In the Client secret field, enter the client secret.
   8. Leave the Resource path
   9. Click OK.
3. Click Create New. Configure the second Fabric connector:
   1. Select Microsoft Azure.
   2. In the Name field, enter azure2.
   3. In the Status field, select Enabled.
   4. From the Server region dropdown list, select Global.
   5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
   6. In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
   7. In the Client secret field, enter the client secret.
   8. Leave the Resource path
   9. Click OK.

To check the configured Fabric connectors:

1. Go to Security Fabric > Fabric Connectors.
2. Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client IDs.

To create two firewall addresses:

This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address. Configure the first Fabric connector firewall address:
   1. In the Name field, enter azure-address-1.
   2. From the Type dropdown list, select Fabric Connectoraddress.
   3. From the SDN Connector dropdown list, select azure1.
   4. For SDN address type, select Private.
   5. From the Filter dropdown list, select the desired filter.
   6. For Interface, select any.
   7. Click OK.
3. Click Create New > Address. Configure the second Fabric connector firewall address:
   1. In the Name field, enter azure-address-1.
   2. From the Type dropdown list, select Fabric Connectoraddress.
   3. From the SDN Connector dropdown list, select azure2.
   4. For SDN address type, select Private.
   5. From the Filter dropdown list, select the desired filter.
   6. For Interface, select any.
   7. Click OK.

To check the resolved firewall addresses after the update interval:

By default, the update interval is 60 seconds.

1. Go to Policy & Objects > Addresses.
2. Hover over the created addresses. The firewall address that the configured Fabric connectors resolved display.

To run diagnose commands:

Run the show sdn connector status command. Both Fabric connectors should appear with a status of connected.

Run the diagnose debug application azd -1 command. The output should look like the following:

Level2-downstream-D # diagnose debug application azd -1 …

azd sdn connector azure1 start updating IP addresses azd checking firewall address object azure-address-1, vd 0 IP address change, new list: 10.18.0.4 …

To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.

Configuring the FortiGate interface to manage FortiAP units

This guide describes how to configure a FortiGate interface to manage FortiAPs.

Based on the above topology, this example uses port16 as the interface used to manage connection to FortiAPs.

1. You must enable a DHCP server on port16:
   1. In FortiOS, go to Network > Interfaces.
   2. Double-click port16.
   3. In the IP/Network Mask field, enter an IP address for port16.
   4. Enable DHCP Server, keeping the default settings.
2. If desired, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only devices with a VCI name that matches the preconfigured string can acquire an IP address from the DHCP server. To configure VCI-match, run the following commands:

config system dhcp server edit 1 set interface port16 set vci-match enable set vci-string “FortiAP”

next

end

3. As it is a minimum management requirement that FortiAP establish a CAPWAP tunnel with the FortiGate, you must enable CAPWAP access on port16 to allow it to manage FortiAPs: Go to Network > Interfaces.
   16. Double-click port16.
   17. Under Administrative Access, select CAPWAP.
   18. Click OK.
4. To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. By default, this option is enabled. config system interface edit port16 set allow-access capwap set ap-discover enable|disable

next

end

5. To allow FortiGate to authorize a newly discovered FortiAP to be controlled by the FortiGate, run the following command. By default, this option is disabled.

config system interface edit port16 set allow-access capwap

set auto-auth-extension-device enable|disable

next

end

Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC’s IP address to reach it.

Discovering, authorizing, and deauthorizing FortiAP units

AC actions when a FortiAP attempts to get discovered

Enable the ap-discover setting on the AC for the interface designed to manage FortiAPs:

config system interface edit “lan” set ap-discover enable

next

end

The set ap-discover enable setting allows the AC to create an entry in the Managed FortiAPs table when it receives the FortiAP’s discovery request. The ap-discover setting is enabled by the factory default settings. When the FAP entry is created automatically, it is marked as discovered status, and is pending for administrator’s authorization, unless the following setting is present.

config system interface edit “lan” set auto-auth-extension-device enable

next

end

The above set auto-auth-extension-device enable setting will allow AC authorize an new discovered FAP automatically without administrator’s manual authorization operation. The auto-auth-extension-device setting is disabled by factory default.

Authorize a discovered FAP

Once the FAP discovery request is received by AC, an FAP entry will be added to Managed FAP table, and shown on GUI > Managed FortiAP list page.

To authorize the specific AP, click to select the FAP entry, then click Authorize button on the top of the table or Authorize entry in the pop-out menu.

Through GUI, authorization can also be done in FAP detail panel, under Action menu.

The authorization can also be done through CLI with follow commands.

config wireless-controller wtp edit “FP423E3X16000320” set admin enable

next

end

De-authorize a managed FAP

To de-authorize a managed FAP, click to select the FAP entry, then click Deauthorize button on the top of the table or Deauthorize entry in the pop-out menu.

Through GUI, de-authorization can also be done in FAP detail panel, under Action menu.

The de-authorization can also be done through CLI with follow commands.

config wireless-controller wtp edit “FP423E3X16000320” set admin discovered

next

end

Set up a mesh connection between FortiAP units

To set up a WiFi mesh connection, a minimum of three devices are required:

1. A FortiGate as the AP Controller (AC)
2. A FortiAP as the Mesh Root AP (MRAP)
3. A FortiAP as a Mesh Leaf AP (MLAP).

Configuring the AC

These instructions assume that the MRAP is already being managed by the AC (see Configuring the FortiGate interface to manage FortiAP units on page 639 and Discovering, authorizing, and deauthorizing FortiAP units on page 640).

To configure the AC:

1. Go to WiFi & Switch Controller> SSID and create a mesh SSID.
2. Go to WiFi & Switch Controller> Managed FortiAPs, edit the MRAP, and assign the mesh SSID to the MRAP, and wait for a connection.

Configuring the MLAP

The MLAP can be configured to use the mesh link as its Main uplink or a Backup link for Ethernet connections.

To configure the MLAP:

1. On the FortiAP, go to Connectivity.
2. Set Uplink to Mesh or Ethernet with mesh backup support.
3. Enter a mesh SSID and password.
4. Optionally, select Ethernet Bridge (see Main uplink on page 646). This option is not available if Uplink is set to Ethernet with mesh backup support.

Once the MLAP has joined the AC, it can be managed in the same way as a wired AP.

A mesh SSID can also be assigned to an MLAP for other downstream MLAPs, creating a multi-hop WiFi mesh network. The maximum hop count has a default value of 4, and can be configured in the FAP console with the following commands:

cfg -a MESH_MAX_HOPS=n cfg -c

Main uplink

When a mesh link is set as the main uplink of the MLAP, the Ethernet port on the MLAP can be set up as a bridge to the mesh link. This allows downstream wired devices to use the mesh link to connect to the network.

To enable a mesh Ethernet bridge, select Ethernet Bridge in the FortiAP Connectivity section in the GUI, or use the following console commands:

cfg -a MESH_ETH_BRIDGE=1 cfg -c

Backup link for Ethernet connections

When a mesh link is set to be the backup link for an Ethernet connection, the mesh link will not be established unless the Ethernet connection goes offline. When a mesh link is in this mode, the Ethernet port cannot be used as a bridge to the mesh link.

Deploying WPA2-Personal SSID to FortiAP units

The guide provides simple configuration instructions for developing WPA2-Personal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Personal SSID to FortiAP units on the FortiOS GUI:

1. Create a WPA2-Personal SSID:
   1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
   2. Enter the desired interface name. For Traffic mode, select Tunnel.
   3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
   4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Personal.
   5. In the Pre-Shared Key field, enter the password. The password must be 8 to 63 characters long, or exactly 64 academical digits.
   6. Click OK.
2. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
3. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
   • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.

2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
4. Click OK.
5. Select the SSID by editing the FortiAP profile:
6. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
7. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
8. Click OK.

3. Create the SSID-to-Internet firewall policy:
4. Go to Policy & Objects > IPv4 Policy, then click Create New.
5. Enter the desired policy name.
6. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
7. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
8. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
9. Click OK.

To deploy WPA2-Personal SSID to FortiAP units using the FortiOS CLI:

1. Create a WPA2-Personal SSID:
2. Create a VAP interface named “wifi-vap”:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet

next

end

1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next

end

config system dhcp server edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

2. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable

set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

3. Create the SSID-to-Internet firewall policy: config firewall policy edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next

end

Deploying WPA2-Enterprise SSID to FortiAP units

The guide provides simple configuration instructions for developing WPA2-Enterprise SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:

1. Create an SSID as WPA2-Enterprise. Do one of the following:
2. Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
3. Create a RADIUS server:
4. Go to User& Device > RADIUS Servers, then click Create New.
5. Enter a server name. In the Primary Server> IP/Name field, enter the IP address or server name. iv. In the Primary Server> Secret field, enter the secret key.
   1. Click Test Connectivity to verify the connection with the RADIUS server.
   2. Click Test UserCredentials to verify that the user account can be authenticated with the RADIUS server.

• Click OK.

1. Create a WPA2-Enterprise SSID:

1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
2. Enter the desired interface name. For Traffic mode, select Tunnel.

• In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.

1. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
2. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
3. Click OK.
4. Create an SSID as WPA2-Enterprise with authentication from a user group:
5. Create a user group:
   1. Go to User& Device > UserGroups, then click Create New.
   2. Enter the desired group name. For Type, select Firewall.
   3. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
   4. Click OK.
6. Create a WPA2-Enterprise SSID:
   1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
   2. Enter the desired interface name. For Traffic mode, select Tunnel.
   3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
   4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
   5. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
   6. Click OK.
7. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
8. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
   • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.

2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
4. Click OK.
5. Select the SSID by editing the FortiAP profile:
6. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
7. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.

• To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.

1. Click OK.

3. Create the SSID-to-Internet firewall policy:
   1. Go to Policy & Objects > IPv4 Policy, then click Create New.
   2. Enter the desired policy name.
   3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
   4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
   5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
   6. Click OK.

To deploy WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:

1. Create a RADIUS server:

config user radius edit “wifi-radius” set server “172.16.200.55” set secret fortinet

next

end

2. Create a user group:

config user group edit “group-radius” set member “wifi-radius”

next

end

3. Create a WPA2-Enterprise SSID:
   1. Create an SSID with authentication from the RADIUS server:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth radius

set radius-server “wifi-radius”

next

end

1. Create an SSID with authentication from the user group:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth usergroup set usergroup “group-radius”

next

end

1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next end config system dhcp server

edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

5. Create the SSID-to-Internet firewall policy: config firewall policy

edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next end

Deploying captive portal SSID to FortiAP units

The guide provides simple configuration instructions for developing captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy captive portal SSID to FortiAP units on the FortiOS GUI:

1. Create a local user:
   1. Go to User& Device > UserDefinition, then click Create New.
   2. In the Users/Groups Creation Wizard, select Local User, then click Next.
   3. Enter the desired values in the Username and Password fields, then click Next.
   4. On the Contact Info tab, fill in any information as desired, then click You do not need to configure any contact information for the user.
   5. On the Extra Info tab, set the UserAccount Status to Enabled.
   6. If the desired user group already exists, enable UserGroup, then select the desired user group. Click Submit.
2. Create a user group:
   1. Go to User& Device > UserGroups, then click Create New.
   2. Enter the desired group name.
   3. For Type, select Firewall.
   4. For Members, click the + button. In the dropdown list, select the local user created in step 1. Click OK. Click OK.
3. Create a captive portal SSID:
   1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
   2. Enter the desired interface name. For Traffic mode, select Tunnel.
   3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
   4. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
   5. Configure the portal type as one of the following:
      2. For Portal Type, select Authentication. In the UserGroup dropdown list, select the user group created in step 2.
      3. For Portal Type, select Disclaimer+ Authentication. In the UserGroup dropdown list, select the user group created in step 2.

• For Portal Type, select DisclaimerOnly.

1. To configure the portal type as email collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.

1. Click OK.

4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
5. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
   • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.

2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
3. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
4. Click OK.
5. Select the SSID by editing the FortiAP profile:

1. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
3. Click OK.
4. Create the SSID-to-Internet firewall policy:
5. Go to Policy & Objects > IPv4 Policy, then click Create New.
6. Enter the desired policy name.
7. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
8. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
9. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
10. Click OK.

To deploy captive portal SSID to FortiAP units using the FortiOS CLI:

1. Create a local user:

config user local edit “local” set type password set passwd 123456

next

end

2. Create a user group:

config user group edit “group-local” set member “local”

next

end

3. Create a captive portal SSID. Do one of the following:
   1. Create a captive portal SSID with portal type Authentication:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal

set portal-type auth

set selected-usergroups “group-local”

next

end

1. Create a captive portal SSID with portal type Disclaimer+ Authentication:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type auth+disclaimer set selected-usergroups “group-local”

next

end

1. Create a captive portal SSID with portal type DisclaimerOnly:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type disclaimer

next

end

1. Create a captive portal SSID with portal type Email Collection:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type email-collect

next

end

1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next

end

config system dhcp server

edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

4. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

5. Create the SSID-to-Internet firewall policy: config firewall policy

edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next

end

Configuring quarantining on SSID

This guide provides instructions on simple configuration for on SSID. Consider the following for this feature:

l The quarantine function only works with SSID tunnel mode. l The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiOS GUI:

1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
2. Edit the SSID:
   1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
   2. Enable Device Detection.
   3. Enable Quarantine Host.
   4. Click OK.
3. Quarantine a wireless client:
   1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.

• Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.

1. Right-click the wireless client, then click Quarantine Host.

To quarantine a wireless client using the FortiOS CLI:

1. Under global quarantine settings, enable quarantine:

config user quarantine set quarantine enable

end

2. Under virtual access point (VAP) settings, enable quarantine:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set quarantine enable

next

end

3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

config user quarantine config targets edit “DESKTOP-Surface” config macs edit b4:ae:2b:cb:d1:72 set description “Surface”

next

end

next

end

end