Quantcast
Channel: Fortinet GURU
Viewing all 2380 articles
Browse latest View live

FortiSIEM Get CMDB Device Info

$
0
0
Get CMDB Device Info

API Parameters for Enterprise Deployments

Get Short Description of All Devices

Sample XML Output

Sample Python Script

Get Short Description of All Devices in an Address Range

Sample XML Output

Sample Python Script

Get Full Information About One Device

Sample XML Output

Sample Python Script

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device

Sample XML Output

Sample Python Script

API Parameters for Multitenant Deployments

Get Short Description of All Devices for an Organization

Sample XML Output

Sample Python Script

Get Short Description of All Devices in an Address Range for an Organization

Sample XML Output

Sample Python Code

Get Full Information About One Device Belonging to an Organization

Sample XML Output

Sample Python Code

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device for an Organization Sample XML Output

Sample Python Code

Applies To

Enteprise and multitenant deployments.

API Parameters for Enterprise Deployments

Get Short Description of All Devices

Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL  https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices
Input Credentials  Username and password of any AccelOps account
Output An XML that contains a short set of attributes for each device, including:

Host Name

Access IP

Creation Method

Description

Vendor, Model, version

Contact info

Location

Uptime

Hardware Model

Serial Number

Business Service Groups to which the device belongs

Sample XML Output

AllDevicesShortInfo.xml

Sample Python Script

getCMDBinfo.py Script Usage
python getCMDBInfo.py <AccelOpsSuperIp> super/<user>

<password>

Get Short Description of All Devices in an Address Range

Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL  https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=<includeIpSet>&excludeIps

>

Input

Credentials

 Username and password of any AccelOps account
Output An XML that contains short description of devices with access IPs in the specified address range

If you want all devices in the range 192.168.20.1-192.168.20.100, then issue the API https://<AccelOps_IP>/pho enix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.100

If you want all devices in the range 192.168.20.1-192.168.20.100, but want to exclude 192.168.20.20,

192.168.20.25, then issue the API https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?include

Ips=192.168.20.1-192.168.20.100&excludeIps=192.168.20.20,192.168.20.25

If you want all devices in the range 192.168.20.1-192.168.20.100, but want to exclude 192.168.20.20-192.168.20

.25, then issue the API https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.16

8.20.1-192.168.20.100&excludeIps=192.168.20.20-192.168.20.25

Sample XML Output

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.40

Output: AllDeviceInRangeShortDescription.xml

Sample Python Script

Get Full Information About One Device

Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL  https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=<deviceIp>&loadDepend=true
Input Credentials  Username and password of any AccelOps account
Output An XML that contains full information AccelOps has discovered about a device

Sample XML Output

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=192.168.1.12&loadDepend=true

Output: oneWindowsServerFullInfo.xml

Sample Python Script

getCMDBinfo.py Script
p g < s <

U

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device

Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL https:///phoenix/rest/cmdbDeviceInfo/device?ip=&loadDepend=true&fields=<
Input

Credentials

 Username and password of any AccelOps account
Output An XML that contains the specified section discovered for the device

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=192.168.1.12&fields=interfaces&loadDepend

=true

Output: oneWindowsServerInterfaces.xml

Sample Python Script


FortiSIEM Get the List of Monitored Organizations

$
0
0
Get the List of Monitored Organizations

Applies To

API Parameters

Sample XML Output

Sample Code

Applies To

Multitenant deployments

API Parameters
Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL https:///phoenix/rest/config/Domain
Input Credentials  Username and password of Super account
Output  An XML that contains Organization id, Organization name, Status, Included and Excluded IP range

Sample XML Output

Sample Code

This sample python script takes the Super credentials as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

mapping={‘name’:”, ‘domainId’:”, ‘disabled’:”, ‘initialized’:”, ‘include’:”, ‘exclude’:”}             for node2 in node1.getElementsByTagName(“domainId”):                for node3 in node2.childNodes:                   if node3.nodeType==Node.TEXT_NODE:                      mapping[‘domainId’]=node3.data                for node4 in node1.getElementsByTagName(“excludeRange”):                   for node5 in node4.childNodes:                      if node5.nodeType==Node.TEXT_NODE:                         mapping[‘exclude’]=node5.data                for node6 in node1.getElementsByTagName(“includeRange”):                   for node7 in node6.childNodes:                      if node7.nodeType==Node.TEXT_NODE:                         mapping[‘include’]=node7.data                for node8 in node1.getElementsByTagName(“name”):                   for node9 in node8.childNodes:                      if node9.nodeType==Node.TEXT_NODE:                         mapping[‘name’]=node9.data                for node10 in node1.getElementsByTagName(“disabled”):                   for node11 in node10.childNodes:                      if node11.nodeType==Node.TEXT_NODE:                         mapping[‘disabled’]=node11.data                for node12 in node1.getElementsByTagName(“initialized”):                   for node13 in node12.childNodes:                      if node13.nodeType==Node.TEXT_NODE:                         mapping[‘initialized’]=node13.data                param.append(mapping)    return param def generateResult(param):    print “Org Name,Org Id,Disabled,Initialized,Include Range,Exclude Range\n\n”    for item in param:

print “%s,%s,%s,%s,%s,%s\n” % (item[‘name’], item[‘domainId’], item[‘disabled’], item[‘initialized’], item[‘include’], item[‘exclude’]) if __name__==’__main__’:

import sys    if len(sys.argv)!=4:

print “Usage: GetMonitoredOrganizations.py appServer user password”       exit()

FortiSIEM Update Device Monitoring

$
0
0
Update Device Monitoring

Applies To

API Parameters for Enterprise Deployments

API Parameters for Multitenant Deployments

Sample XML Output

Sample Code

Sample XML Input File

Sample Python Script

Applies To

Enterprise and multitenant deployments.

API Parameters for Enterprise Deployments
Methodology REST API based: make an HTTP(S) request with an input XML (optional).
Input URL https:///phoenix/rest/deviceMon/updateMonitor
Input

Credentials

 Username and password of any AccelOps account
Input

Parameters

Username and password of Super account or Organization specific account, Organization name, input XML containing the updates to device monitoring configuration.
Output  HTTP Status Code
API Parameters for Multitenant Deployments
Methodology REST API based: make an HTTP(S) request with an input XML (optional).
Input URL https:///phoenix/rest/deviceMon/updateMonitor
Input

Credentials

Username and password of Super account or Organization specific account, Organization name, input XML containing the updates to device monitoring configuration.
Output  HTTP Status Code

Sample XML Output

MonitorDevice.xml

Sample Code

Sample XML Input File

Sample Python Script

This sample takes the credentials, and optionally an organization name, as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

UpdateMonitor.py Script Usage

 

 

import sys, base64, urllib, urllib2 def restPost(appServer, user, password, file):

f = open(file, ‘r’)     content = f.read()

f.close()     url = “https://” + appServer + “/phoenix/rest/deviceMon/updateMonitor”     auth = “Basic %s” % base64.encodestring(user + “:” + password)     request = urllib2.Request(url, content)     request.add_header(‘Authorization’, auth)     request.add_header(‘Content-Type’, ‘text/xml’) # ‘application/xml’     request.add_header(‘Content-Length’, len(content)+2)     request.add_header(‘User-Agent’, ‘Python-urllib2/2.7’)     request.get_method = lambda: ‘PUT’     try:

handle = urllib2.urlopen(request)     except urllib2.HTTPError, error:         if (error.code != 204):

print error if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: UpdateMonitor.py appServer user password deviceDefFile”         print “Example: python UpdateMonitor.py 192.168.20.116 super/admin adm1n deviceMonitorDef.xml”         sys.exit()     restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

python UpdateMonitor.py <AccelOps_IP> <user> <password> <device monitor xml file name> Sample Query

python UpdateMonitor.py 172.16.20.210 “super/admin”

“admin*1” MonitorDevice.xml

Super_user needs to be explicitly stated in organization/user format, for example “super/admi n” or “super/admin” instead of just “admin”

 

 

FortiSIEM Add, Update or Delete Device Maintenance Schedule

$
0
0
Add, Update or Delete Device Maintenance Schedule

Applies To

API Parameters for Adding/Updating Maintenance Schedule

API Parameters for Deleting Maintenance Schedule

Sample Code to Add/Update a Device Maintenance Schedule

Sample XML Input File

Sample Python Script

Sample Code to Delete a Device Maintenance Schedule Sample Python Script

Applies To

<Enterprise and multitenant deployments.>

<Enterprise deployments.> <Multitenant deployments>

API Parameters for Adding/Updating Maintenance Schedule
Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL https:///phoenix/rest/deviceMaint/update
Input Parameters An XML file
Input Credentials Username and password of any AccelOps account
Output An XML file
API Parameters for Deleting Maintenance Schedule
Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL https:///phoenix/rest/deviceMaint/delete
Input Parameters An XML file
Input Credentials Username and password of any AccelOps account
Output An XML file
Sample Code to Add/Update a Device Maintenance Schedule

Sample XML Input File

 

Sample Python Script

AddMaint.py Script Usage
 import sys, base64, urllib, urllib2 def restPost(appServer, user, password, file):

f = open(file, ‘r’)     content = f.read()

f.close()     url = “https://” + appServer + “/phoenix/rest/deviceMaint/update”     auth = “Basic %s” % base64.encodestring(user + “:” + password)     request = urllib2.Request(url, content)     request.add_header(‘Authorization’, auth)     request.add_header(‘Content-Type’, ‘text/xml’) # ‘application/xml’     request.add_header(‘Content-Length’, len(content)+2)     request.add_header(‘User-Agent’, ‘Python-urllib2/2.7’)     request.get_method = lambda: ‘PUT’     try:

handle = urllib2.urlopen(request)     except urllib2.HTTPError, error:         if (error.code != 204):

print error if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: AddMaint.py appServer user password scheduleDefFile”         print “Example: python AddMaint.py 192.168.20.116 super/admin adm1n scheduleDef.xml”         sys.exit()     restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

python AddMaint.py <AccelOps_IP> <user> <password> <maintenance schedule xml file name> Sample Query

python AddMaint.py 172.16.20.210 “super/admin”

“admin*1” MaintenanceSchedule.xml

Super_user needs to be explicitly stated in organization/user format, for example “super/admi n” or “super/admin” instead of just “admin”

Sample Code to Delete a Device Maintenance Schedule

Sample Python Script

 

DeleteMaint.py Script Usage
import sys, base64, urllib, urllib2 def restPost(appServer, user, password, file):

f = open(file, ‘r’)     content = f.read()

f.close()     url = “https://” + appServer + “/phoenix/rest/deviceMaint/delete”     auth = “Basic %s” % base64.encodestring(user + “:” + password)     request = urllib2.Request(url, content)     request.add_header(‘Authorization’, auth)     request.add_header(‘Content-Type’, ‘text/xml’) # ‘application/xml’     request.add_header(‘Content-Length’, len(content)+2)     request.add_header(‘User-Agent’, ‘Python-urllib2/2.7’)     request.get_method = lambda: ‘PUT’     try:

handle = urllib2.urlopen(request)     except urllib2.HTTPError, error:         if (error.code != 204):

print error if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: DeleteMaint.py appServer user password scheduleDefFile”         print “Example: python DeleteMaint.py 192.168.20.116 “super/admin” “adm1n” scheduleDef.xml”         sys.exit()

restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

python DeleteMaint.py <AccelOps_IP> <user> <password> <maintenance schedule xml file name> Sample Query

python DeleteMaint.py 172.16.20.210 “super/admin”

“admin*1” MaintenanceSchedule.xml

Super_user needs to be explicitly stated in organization/user format, for example “super/admi n” or “super/admin” instead of just “admin”

FortiSIEM Events and Report Integration

$
0
0
Events and Report Integration

This API provides a way to programmatically run any query or report that can be executed on the event data from the AccelOps GUI.

General Description

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

Sample Code

General Description
Methodology REST API based:

make an HTTP(S) request with an input XML that defines the query.

Since the number of returned results can be large, the caller has to first get the total number of results

Then get the results one chunk at a time. Every time, an output XML containing the query results is returned.

Request API Parameters
Input URL https:///phoenix/rest/query/eventQuery
Input

Parameters

 XML file containing the query parameters
Input

Credentials

Enterprise Deployments: Username and password of any AccelOps account

Multi-tenant Deployments: Username and password of Super account for getting incidents for all organizations. If incidents for a specific organization are needed, then an organization-specific account and an organization name is needed.

Output  queryId or an error code if there is a problem in handling the query or the query format
Polling API Parameters

The request will poll until the server completes the query.

Input

URL

https:///phoenix/rest/query/progress/
Output progress (pct)

Until progress reaches 100, at which point the server completes the query, you need to continue polling the server. This is because the server may need to aggregate the results or insert meta-information before sending the results.

Results API Parameters
Input

URL

https:///phoenix/rest/query/events///
Output totalCount (first time) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. You need to continuously query the server by using the same URL, but increasing the begin and end until the totalCount is reached.

Sample XML Output

Failed-Logins-Report.txt

Sample Code

This sample takes the credentials, input XML and. optionally. organization name as arguments and writes out the query results in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

Sample XML Input Files

Failed Login at Any Device Top Events by Severity and

Count

Top Reporting Device and Module by Event Count Top Servers By Least Free

Disk Space

Sample Python Script

<script name>.py Script Usage
You also need to download the getMonitoredOrganizations python script into the same directory Sample Query

python GetQueryResultsByOrg.py 172.16.20.210 “super/admin” “admin*1” all ./failed-login.xml

Super_user needs to be explicitly stated in

organization/user format, for example “super/admin

” or “super/admin” instead of just “admin”

FortiSIEM Incident Notification

$
0
0
Incident Notification

AccelOps can send notifications via email/SMS, HTTPS, SNMP traps, and over the AccelOps API. These topics describe the formats for these notification types, and how to use the notification API.

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API Using the Notification API

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API

This topic describes the formats for the various types of notifications that AccelOps can send by email/SMS, HTTPS, SNMP trap, or through the API>.

Email/SMS Notification

Subject Line Format

Body Format

SMS Format

SNMP Trap Notification

MIB File

HTTP(S) Notification

XML Schema

XML File Format

Email/SMS Notification

Email is the most common form of incident notification. For integration purposes, an incident email subject and body can be parsed and specific actions can be taken if necessary.

These screenshots shows three types of email that can be sent depending on whether an incident is NEW, UPDATEd or CLEARed

New Update Clear

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body Format

Section Field Description
Generic
Incident Id Unique ID of the incident in AccelOps. An incident can be searched in AccelOps by this ID.
Time Time when this incident occurred
Severity Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH
Incident Count How many times this incident has occurred. For NEW incidents, the count is 1.
Rule Rule Name Name of the rule, repeated in the subject line
Rule

Description

Incident Target Where the incident occurred, or the target of an IPS alert
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Source For security-related incidents, where the incident originated
Host Name

(optional)

Host IP

(optional)

Other attributes as defined in rule
Incident Details Rule-specific details that caused the incident to trigger
Affected Business

Services  (optional

)

Identity and

Location

Xontains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by AccelOps and shown in the Identity and Location tab. Host name

User

Domain

Nearest switch name/port or VPN gateway or Wireless Controller

First and last seen times for this IP address to identity/location binding

FortiSIEM Using the Notification API

$
0
0
Using the Notification API

Applies To

General API Parameters

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Ouput

XML Schema

Sample Code

Sample XML Input File

Querying Incidents for the Last 2 Hours

Sample Python Script

Applies To

Enterprise and multitenant deployments.

General API Parameters

Methodology REST API based: make an HTTP(S) request with an input XML. An output XML is returned. Since the number of returned results can be large, the requester has to first get the total number of results, and then get the results one chunk at a time.

Request API Parameters

Input URL https:///phoenix/rest/query/eventQuery
Input

Parameters

 XML file containing the query parameters
Input

Credentials

Enterprise Deployments: Username and password of any AccelOps account

Mulittenant Deployments: Username and password of Super account for getting incidents for all organizations. If incidents for a specific organization are needed, then an organization-specific account and an organization name is needed.

Output  queryId or an error code if there is a problem in handling the query or the query format

Polling API Parameters

The request will poll until the server completes the query.

Input

URL

https:///phoenix/rest/query/progress/
Output progress (pct)

Until progress reaches 100, at which point the server completes the query, you need to continue polling the server. This is because the server may need to aggregate the results or insert meta-information before sending the results.

Results API Parameters

Input

URL

https:///phoenix/rest/query/events///
Output totalCount (first time) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. You need to continuously query the server by using the same URL, but increasing the begin and end until the totalCount is reached

Sample XML Ouput

 Incidents Report Output

XML Schema

The AccelOps AONotification.xsd file shows the XML schema for incident notifications..

Sample Code

Sample XML Input File

Sample Python Script

<script name>.py Script Usage
Sample Query

python GetIncidentsByOrg.py 172.16.20.210 “super/admin” “admin*1” SoftwareAB

Super_user needs to be explicitly stated in organization/user format, for example “sup er/admin” or “super/admin” instead of just “admin”

External Help desk / CMDB Integration

Currently AccelOps has inbuilt support for ServiceNow and ConnectWise for CMDB and 2-way incident integration.  Other systems can be supported by create a new Java plugin by following instructions in the AccelOps ServiceAPI. The document is available at AccelOps support portal under AccelOps ServiceAPI section.

External Threat Intelligence Integration

New external threat intelligence websites can be supported by create a new Java plugin by following instructions in the AccelOps ServiceAPI. The document is available at AccelOps support portal under AccelOps ServiceAPI section.

License Registration

Worker registration

Collector registration

AccelOps License registration

Worker registration
Methodology  Run this command to add or delete a Worker from Super
Usage Command located at /opt/phoenix/deployment/jumpbox

Run commands from Super

Add a Worker to Super: phProvisionWorker –add <user> <password> <super> <worker>

Remove a Worker from Super: phProvisionWorker –delete <user> <password> <super> <worker>

Input Parameters user: username of admin account to logon to GUI password: password of admin account to logon to GUI superIp: Supervisor IP Address or FQDN workerIp: Worker IP Address or FQDN
Output None
Collector registration
Methodology  Run this command to add or delete a collector
Usage Add a Collector to Super

Run this command from Collector

Usage: /opt/phoenix/bin/phProvisionCollector  –add <user> <password> <super> <organization> <collector> Remove a Collector to Super

Run this command from Super

Usage: /opt/phoenix/bin/phProvisionCollector  –delete <user> <password> <super> <organization> <collector>

Input Parameters user: username of admin account to logon to GUI password: password of admin account to logon to GUI super: Supervisor IP Address or FQDN

organization: organization name (SP), Super (Enterprise) collector: Collector IP Address or FQDN

Output None
Sample

Interaction

[root@Super171]# cd /opt/phoenix/deployment/jumpbox

[root@Super171]# phProvisionCollector –delete admin admin*1 10.10.110.171 test-org 10.10.110.172

Continue the provision process…

Deleting Collector: 10.10.110.172 from Super: 10.10.110.171 with Organization: test-org

Sucessfully done.

AccelOps License registration
Methodology  Download License from AccelOps
Usage Run this command from Super as root

Usage: /pbin/phdownloadlicense <user> <password> <ao-license-server>

Input Parameters user: username for obtaining license password: password for obtaining license

ao-license-server: AccelOps license server host name

Output None

 

Sample interaction [root@sp161 pbin]# phdownloadlicense rstest rstest va-reg.accelops.net

Retrieving Information …

New license file has been retrieved. You may use phinstalllicense to install the new license.

Methodology  Install downloaded license as root
Usage Run this command from Super as root

Usage: /pbin/phinstalllicense

Input

Parameters

None
Output None
Sample

interaction

[root@sp161 pbin]# phinstalllicense

The process of installing a license will disrupt AccelOps services. Do you want to start the installation at this time ?

[yes/no] : yes

Installing license …

Number of Licensed VA(s) = 10

Number of Running Worker(s) = 0

Exiting from worker provision …

 

[root@sp161 pbin]# phLicenseTool –verify                 license matched

 

[root@sp161 pbin]# phLicenseTool –show

Report License: workers=9; citems=5000; eps=10000;storage=10737418240000; starttime=1399878000; endtime=1447398000; mode=1; rsOrg=111; rsExp=1432796400; SP=1; organizationNum=10; country=; customerId=1086; customerName=rstest; collectors=5; devicesupport=1; basicAgents=1; advancedAgents=1; profile=0

FortiOS 5.6 SSL VPN

$
0
0

Introduction

This document provides a general introduction to SSL VPN technology, explains the features available with SSL VPN and gives guidelines to decide what features you need to use, and how the FortiGate unit is configured to implement the features.

The following chapters are included in this document:

SSL VPN Overview provides useful general information about VPN and SSL, how the FortiGate unit implements them, and gives guidance on how to choose between SSL and IPsec.

Basic configuration explains how to configure the FortiGate unit and the web portal. Along with these configuration details, this chapter also explains how to grant unique access permissions, how to configure the SSL encryption key algorithm, and describes the SSL VPN OS Patch Check feature that allows a client with a specific OS patch to access SSL VPN services.

The SSL VPN client provides an overview of the FortiClient software required for tunnel mode, where to obtain the software, how to install it, and the configuration information required for remote users to connect to the internal network.

The SSL VPN web portal provides an overview of the SSL VPN web portal, with explanations of how to use and configure the web portal features.

Setup examples explores several configuration scenarios with step-by-step instructions. While the information provided is enough to set up the described SSL VPN configurations, these scenarios are not the only possible SSL VPN setups.

Troubleshooting provides some general maintenance and troubleshooting procedures for SSL VPNs.


What’s new in FortiOS 5.6 SSL VPN

$
0
0

What’s new in FortiOS 5.6

The following section describes new SSL VPN features added to FortiOS 5.6.0.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

New CLI command to set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added that allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

What’s new in FortiOS 5.6

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal edit <example> set os-check enable config os-check-list windows-10 set action {deny | allow | check-up-to-date}

end

end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal to implement a DNS suffix per SSL VPN portal. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

l 650 portals on 1000D series l 1300 portals on 2000E series l 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal edit <example> set dns-suffix <string>

end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution is to add two attributes (http-request-header-timeout and http-requestbody-timeout).

 

What’s new in FortiOS 5.6

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

New controls for SSL VPN client login limits (376983)

Removed the limitation of SSL VPN user login failure time, by linking SSL VPN user setting with config user settings and provided a new option to remove SSL VPN login attempts limitation. New CLI allows the administrator to configure the number of times wrong credentials are allowed before SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added which allows user to copy, interact with and overwrite remote desktop clipboard contents.

FortiOS 5.6 SSL VPN Overview

$
0
0

SSL VPN Overview

As organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient services including knowledge bases and customer portals. Employees traveling across the country or around the world require timely and comprehensive access to network resources. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network (VPN) was developed.

SSL VPNs establish connectivity using SSL, which functions at Levels 4 – 5 (Transport and Session layers). Information is encapsulated at Levels 6 – 7 (Presentation and Application layers), and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a Virtual Private Network (VPN) technology that allows clients to connect to remote networks in a secure way. A VPN is a secure logical network created from physically separate networks. VPNs use encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and transmitted over the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-application oriented tunnel that allows the users and networks to exchange a wide range of traffic regardless of application or protocol.

The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special arrangements or long wait times.

SSL (Secure Sockets Layer) as HTTPS is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.

FortiOS supports the SSL and TLS versions defined below:

SSL and TLS version support table

Version RFC
SSL 2.0 RFC 6176
SSL 3.0 RFC 6101
TLS 1.0 RFC 2246
TLS 1.1 RFC 4346
TLS 1.2 RFC 5246

SSL VPN modes of operation

SSL VPN modes of operation

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.

Web-only mode

Web-only mode provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser. Web-only mode offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java Runtime Environment (note that there is no minimum Java/JRE version requirement—any version of Java/JRE currently supported by the supplier of the Java/JRE for the operating system should work).

Support for SSL VPN web-only mode is built into FortiOS. The feature comprises of an SSL daemon running on the FortiGate unit, and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal.

FortiGate SSL VPN web portals have a 1- or 2-column page layout and portal functionality is provided through small applets called widgets. Widget windows can be moved or minimized. The controls within each widget depend on its function. There are predefined web portals and the administrator can create additional portals.

Configuring the FortiGate unit involves selecting the appropriate web portal configuration in the user group settings. These configuration settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.

The following table lists the operating systems and web browsers supported by SSL VPN web-only mode.

VPN Web-only Mode, supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit/64bit) l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46
Microsoft Windows 8/8.1 (32-bit/64bit) l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46

 

SSL VPN Overview                                                                                                   SSL VPN modes of operation

Operating System Web Browser
Mac OS 10.11 l Safari version 9 l Chrome version 56
Linux CentOS version 6.5 l Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Tunnel mode

In Tunnel mode, remote clients connect to a FortiGate unit that acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group.

The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate unit. Another option is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.

When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.

SSL VPN conserve mode

FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.

SSL VPN also has its own conserve mode. The FortiGate enters the SSL VPN conserve mode before the Kernel conserve mode in an attempt to prevent the Kernel conserve mode from triggering. During the SSL VPN conserve mode, no new SSL connections are allowed. It starts when free memory is <25% of the total memory (when the memory on the FortiGate is less than 512Mb) or <10% of the total memory (when the FortiGate has more than 512Mb built in).

To determine if the FortiGate has entered SSL VPN conserve mode – CLI

Run the following command in the CLI Console: diagnose vpn ssl statistics

Result (showing conserve mode state in red):

SSLVPN statistics: ——————
Memory unit: 1
System total memory: 2118737920
System free memory: 218537984
SSLVPN memory margin: 314572800
SSLVPN state: conserve

Port forwarding mode

Max number of users:            2

Max number of tunnels:          0

Max number of connections:      13

Current number of users:        1

Current number of tunnels:      0

Current number of connections: 1

Port forwarding mode

While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user’s computer. The applet provides the up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.

The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.

Application support

With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.

Note that the RDP/VNC web portals are not supported for the following platforms:

SSL VPN Overview                                                                                                              Port forwarding mode

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C,

3240C, 3600C, and 5001C

FortiGate-Rugged 90D
FortiWiFi 92D

Antivirus and firewall host compatibility

The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Supported Windows XP antivirus and firewall software

Product supported Antivirus Firewall
Symantec Endpoint Protection V11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product supported Antivirus Firewall
CA Internet Security 2011
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360TM Version 4.0
NortonTM Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite

Traveling and security

Product supported Antivirus Firewall
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Traveling and security

Because SSL VPN provides a means for “on-the-go” users to dial in to the network while away from the office, you need to ensure that wherever and however they choose to dial in is secure, and not potentially compromising the corporate network.

Host check

To reinforce security, you can enable a host integrity checker to scan the remote client. The integrity checker probes the remote client computer to verify that it is safe before access is granted. Security attributes recorded on the client computer (for example, in the Windows registry, in specific files, or held in memory due to running processes) are examined and uploaded to the FortiGate unit. For more information, see Host check on page 32.

Host Check is applicable for both SSL VPN Web Mode and SSL VPN Tunnel mode.

SSL VPN and IPv6

FortiOS supports SSL VPN with IPv6 addressing, and is available for all the java applets (Telnet, VNC, RDP, and so on). IPv6 configurations for security policies and addressing include:

  • Policy matching for IPv6 addresses l Support for DNS resolving in SSL VPN l Support IPv6 for ping l FTP applications
  • SMB

In essentially any of the following instructions, replace IPv4 with IPv6 to achieve the same desired results, but for IPv6 addresses and configurations.

 

FortiOS 5.6 SSL VPN Basic configuration

$
0
0

Basic configuration

Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed, and where to locate the options in FortiOS. For real-world examples, see Setup examples on page 54.

There are three or four key steps to configuring an SSL VPN tunnel. The first three in the points below are mandatory, while the others are optional. This chapter outlines these key steps as well as additional configurations for tighter security and monitoring.

The key steps are:

l Create user accounts and user groups for the remote clients.

(User accounts and groups on page 17) l Create a web portal to define user access to network resources.

(Configuring SSL VPN web portals on page 22) l Configure the security policies.

(Configuring security policies on page 1) l For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface.

(Routing in tunnel mode on page 30) l Setup logging of SSL VPN activities.

(SSL VPN logs on page 37)

This section contains the following information:

User accounts and groups

Configuring SSL VPN web portals

Configuring encryption key algorithms

Additional configuration options

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

To create a user account:

  • In the web-based manager, go to User & Device > User Definition, and select Create New.
  • In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

User accounts and groups

To create user groups:

  • In the web-based manager, go to User & Device > User Groups and select Create New. l In the CLI, use the commands in config user group.

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.

For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check against the client’s MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can ensure better security should a password be compromised.

MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset of the address. MAC host checking is configured in the CLI using the folowing commands:

conf vpn ssl web portal edit portal set mac-addr-check enable set mac-addr-action allow config mac-addr-check-rule edit “rule1” set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d set mac-addr-mask 48

end

end

User accounts and groups

IP addresses for users

After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

To set tunnel-mode client IP address range – web-based manager:

  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter an Name, for example, SSL_VPN_tunnel_range.
  3. Select a Type of IP Range.
  4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 254.254.[80-100].
  5. In Interface, select Any.
  6. Select OK.

To set tunnel-mode client IP address range – CLI:

If your SSL VPN tunnel range is for example 10.254.254.80 – 10.254.254.100, you could enter

config firewall address edit SSL_tunnel_users set type iprange set end-ip 10.254.254.100 set start-ip 10.254.254.80

end

Authentication of remote users

When remote users connect to the SSL VPN tunnel, they must perform authentication before being able to use the internal network resources. This can be as simple as assigning users with their own passwords, connecting to an LDAP server or using more secure options. FortiOS provides a number of options for authentication as well as security option for those connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.

Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Using the Bookmarks widget on page 47.

User accounts and groups

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18 000 seconds, enter the following commands in the CLI:

config vpn ssl settings set auth-timeout 18000

end

You can also set the idle timeout for the client, to define how long the user does not access the remote resources before they are logged out.

Additional timeout settings

SSL VPN timeout settings are also available to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution involves two attributes (http-request-header-timeout and http-requestbody-timeout).

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Allow one-time login per user

You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.

To allow one-time login per user – web-based manager:

Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.

To allow one-time login per user – CLI:

config vpn ssl web portal edit <portal_name> set limit-user-logins enable

end

Strong authentication with security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

For information about obtaining and installing certificates, see the Authentication Guide.

User accounts and groups

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.

When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.

To require client authentication by security certificates – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Select Require Client Certificate.
  3. Select Apply.

To require client authentication by security certificates – CLI:

config vpn ssl settings set reqclientcert enable

end

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a CA certificate that the client browser has installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.

To enable FortiGate unit authentication by certificate – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.
  3. Select Apply.

To enable FortiGate unit authentication by certificate – CLI:

For example, to use the example_cert certificate

config vpn ssl settings set servercert example_cert

end

NSA Suite B cryptography support

FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.

 

FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:

exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure; the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees with a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s) Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port Enter the port number for HTTPS access.

 

Redirect port 80 to this login port Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.

l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPSredirect is disabled by default):

Syntax:

config vpn ssl settings

set https-redirect [enable | disable] end

Restrict Access Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.
Idle Logout Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.
Require Client Certificate Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.

For information on using PKI to provide client certificate authentication, see the Authentication Guide.

Address Range Select Automatically assign addresses or Specify custom IP ranges. The latter will allow you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Note: It is possible to implement a unique DNS suffix per SSL VPN portal using the CLI. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings. This is a

CLI-only option, using the following syntax:

config vpn ssl web portal edit <example> set dns-suffix <string>

end

Specify WINS Servers Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.
Allow Endpoint

Registration

Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals.

There are three pre-defined default portal configurations available:

l full-access l tunnel-access l web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

 

Portal Setting Description
Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

l Allow client to save password – When enabled, if the user

selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

l Allow client to connect automatically – When enabled, if the

user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

l Allow client to keep connections alive – When enabled, if the

user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).

Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
Portal Setting Description
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML filebrowser.

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

            To enable a default portal – CLI:

config vpn ssl settings set default-portal <full-access | tunnel-access |

web-access> end

Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark – web-based manager:

  1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.
  2. Select Create New and enter the following information:
Category Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.
Name Enter a name for the bookmark.
Type Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
URL Enter the IP address source.
Description Enter a brief description of the link.
Single Sign-On Enable if you wish to use Single Sign-On (SSO) for any links that require authentication.

When including a link using SSO, be sure to use the entire URL. For example, http://10.10.1.0/login, rather than just the IP address.

  1. Select OK.

For more configuration options, see Configuring SSL VPN web portals on page 22.

Personal bookmarks

The administrator has be ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal on page 46

To enable personal bookmarks:

  1. Go to System > Feature Select.
  2. Enable SSL-VPN Personal Bookmark Management.
  3. Select Apply.

Moving and cloning bookmarks

The administrator also has the ability to move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal edit “portal-name”

set user-group-bookmark enable*/disable

next

end

config vpn ssl web user-group-bookmark edit “group-name” config bookmark edit “bookmark1” ….

next

end

next

end

Remote desktop bookmark creation with no password

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

 

Configuring encryption key algorithms

To configure SSL VPN Realms – web-based manager:

  1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.
  2. The first option in the custom login page is to enter the path of the custom URL.

This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.

  1. You can also limit the number of users that can access the custom login at any given time.
  2. You can use HTML code to customize the appearance of the login page.
  3. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping
  4. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.

To configure SSL VPN Realms – CLI:

config vpn ssl web realm edit <url-path> set login-page <content_str> set max-concurrent-user <int> set virtual-host <hostname_str>

end

Where the following variables are set:

Variable Description Default
edit <url-path> Enter the URL path to access the SSL-VPN login page.

Do not include “http://”.

No default.
login-page <content_str> Enter replacement HTML for SSL-VPN login page. No default.
max-concurrent-user <int> Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. 0
virtual-host <hostname_str> Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.

Configuring encryption key algorithms

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

To configure encryption key algorithms – CLI:

Use the following CLI command,

config vpn ssl settings set algorithm <cipher_suite>

end

where one of the following variables replaces <cipher_suite>:

Variable Description
low Use any cipher suite; AES, 3DES, RC4, or DES.
medium Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.
high Use a ciper suite grather than 128 bits; AES or 3DES.

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

Controlling the use of specific cipher suites

Administrators can ban the use of specific cipher suites in the CLI for SSL VPN, so PCI-DSS (Payment Card Industry Data Security Standard) certification can be met.

To ban the use of specific cipher suites for SSL VPN – CLI:

config vpn ssl settings

set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384]

Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode

If you are creating a SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.

To add the tunnel mode route – CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static

edit <id> set device ssl.root set dst 10.11.254.0/24

end

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port – web-based manager:

  1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
  2. Go to VPN > SSL-VPN Settings.
  3. Type an unused port number in the Listen on Port field and select Apply.

To change the SSL VPN port – CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings set port 10443

end

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected. l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

To redirect HTTP to HTTPS port – CLI:

config vpn ssl settings set https-redirect [enable | disable] (default: disabled)

end

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Additional configuration options on page 30.

The Host Check list includes default entries for many security software products.

To configure host checking – CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal edit full-access set host-check av-fw

end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal edit full-access set host-check custom

set host-check-policy FortiClient-AV FortiClient-FW

end

Replacing the host check error message

You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”

To replace the host check error message – web-based manager:

  1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.

If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.

To replace the host check error message – CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software edit <software_name> set guid <guid_value> set type <av | fw> set version <version_number>

end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_ CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Example Tunnel Mode Host Check – Registry Key Check

l Check to see if a required registry key is present:

config vpn ssl web host-check-software edit <computer_name> config check-item-list edit 1 set target “HKEY_LOCAL_

MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveCompute rName:ComputerName=WINXP32SP3B62”

set type registry <<<—–

next

end

next

end

Example Tunnel Mode Host Check – Application Running Check

l Check to see if a required application is isntalled and/or running:

config vpn ssl web host-check-software edit “calc” config check-item-list edit 1 set target “calc.exe” set type process <<<—–

next

end

next end

Example Tunnel Mode Host Check – File Check

l Check to see if a specific file exists at a specific location:

config vpn ssl web host-check-software edit “putty” config check-item-list edit 1 set target “C:\\software\\putty.txt”

set md5s <ENC>

next

end

next

end

Configuring virtual desktop

Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.

Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it automatically downloads to the client computer.

To enable virtual desktop :

To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, for example, you would enter:

config vpn ssl web portal edit full-access set virtual-desktop enable set virtual-desktop-app-list List1

end

Configuring virtual desktop application control

You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. When you configure the web portal, you select the list to use.

Configure the application control list in the CLI.

To create an Application Control List – CLI:

If you want to add ‘BannedApp’ to ‘List1’, a list of blocked applications, you would enter:

config vpn ssl web virtual-desktop-app-list edit “List1” set action block config apps edit “BannedApp”

set md5s “06321103A343B04DF9283B80D1E00F6B”

end

end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista, Windows 7, or Windows 10 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

To configure OS Check:

OS Check is configurable only in the CLI.

config vpn ssl web portal edit <portal_name> set os-check enable config os-check-list [windows-2000 | windows-xp | windows-vista | windows-7 | windows-10]

set action [allow | check-up-to-date | deny] set latest-patch-level [disable | 0 – 255]

set tolerance <tolerance_num>

end

end

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

l KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\

FirewallPolicy\StandardProfile l ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software edit “Microsoft-Windows-Firewall” config check-item-list

edit 1 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\StandardProfile:EnableFirewall==1”

set type registry

next edit 2 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\PublicProfile:EnableFirewall==1”

set type registry

next edit 3 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\DomainProfile:EnableFirewall==1”

set type registry

next

end

set type fw next

set host-check custom set host-check-policy Microsoft-Windows-Firewall

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Next to DNS Server select Specify.
  3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  5. Select Apply.

To specify WINS and DNS services for clients – CLI:

config vpn ssl settings set dns-server1 <address_ipv4> set dns-server2 <address_ipv4> set wins-server1 <address_ipv4> set wins-server2 <address_ipv4> end

Idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.

To set the idle timeout – web-based manager:

  1. Go to VPN > SSL-VPN Settings and enable Idle Logout.
  2. In the Inactive For field, enter the timeout value. The valid range is from 10 to 28800 seconds.
  3. Select Apply.

To set the idle timeout – CLI:

config vpn ssl settings set idle-timeout <seconds_int>

end

Login timeout

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

Login failure limit

The following CLI allows the administrator to configure the number of times wrong credentials are allowed before the SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.

To enable logging of SSL VPN events – web-based manager:

  1. Go to Log & Report > Log Settings.
  2. Enable Event Logging, and select VPN activity event.
  3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs – web-based manager:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.

Import the signed certificate into your FortiGate device

  1. Unzip the file downloaded from the CA.

There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.

  1. Log in to your FortiGate unit and browse to System > Certificates.
  2. Select Create New > Local Certificate to import the local certificate. The status of the certificate will change from PENDING to OK.
  3. Import the CA certificate by selecting Import > CA Certificate.

It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.

Configure your FortiGate device to use the signed certificate

  1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
  2. In the Connection Settings section, locate the Server Certificate
  3. Select the new certificate from the drop-down menu.
  4. Select Apply to configure SSL VPN to use the new certificate.

Implement post-authentication CSRF protection in SSL VPN web mode

This attribute can enable/disable verification of a referrer in the HTTP request header in order to prevent a CrossSite Request Forgery attack.

CLI Syntax

config vpn ssl settings set check-referer [enable|disable]

end

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It can also be used to improve upload/download throughput. It is similar to the Transport Layer Security (TLS) protocol.

DTLS support can be enabled in the CLI as described below.

CLI Syntax

config vpn ssl settings set dtls-tunnel [enable | disable] (default: enabled)

end

Allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses is enabled in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.

WAN link load balancing

You can set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

 

FortiOS 5.6 The SSL VPN client

$
0
0

The SSL VPN client

The remote client connects to the SSL VPN tunnel in various ways, depending on the VPN configuration.

  • Tunnel mode establishes a connection to the remote protected network that any application can use. If the client computer runs Microsoft Windows, they can download the tunnel mode client from the web portal.

If the client computer runs Linux or Mac OS X, the user needs to download the tunnel mode client application from the Fortinet Support web site. See the Release Notes for your FortiOS firmware for the specific operating system versions that are supported.

  • The virtual desktop application creates a virtual desktop on a user’s PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirected to a new location, and the data is encrypted before it is written to the local disk. When the virtual desktop application exits normally, all the data written to the disk is removed. If the session terminates abnormally (power loss, system failure, etc.), the data left behind is encrypted and unusable to the user. The next time you start the virtual desktop, the encrypted data is removed.

FortiClient

Remote users can use the FortiClient software to initiate an SSL VPN tunnel to connect to the internal network.

FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

FortiClient software is available for download at www.forticlient.com and is available for Windows, Mac OS X, Apple iOS, and Android.

Tunnel mode client configuration

The FortiClient SSL VPN tunnel client requires basic configuration by the remote user to connect to the SSL VPN tunnel. When distributing the FortiClient software, provide the following information for the remote user to enter once the client software has been started. Once entered, they can select Connect to begin an SSL VPN session.

Connection Name If you have pre-configured the connection settings, select the connection from the list and then select Connect. Otherwise, enter the settings in the fields below.

client                                                                                             Tunnel mode client

Remote Gateway Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.
Username Enter your username.
Client Certificate Use this field if the SSL VPN requires a certificate for authentication.

Select the required certificate from the drop-down list. The certificate must be installed in the Internet Explorer certificate store.

 

 

FortiOS 5.6 The SSL VPN web portal

$
0
0

The SSL VPN web portal

This chapter explains how to use and configure the web portal features. This chapter is written for end users as well as administrators.

The following topics are included:

Connecting to the FortiGate unit

Web portal overview

Portal configuration

Using the Bookmarks widget

Using the Quick Connection Tool

Using the SSL VPN virtual desktop

Using FortiClient

Connecting to the FortiGate unit

You can connect to the FortiGate unit using a web browser. The URL of the FortiGate interface may vary from one installation to the next. If required, ask your FortiGate administrator for the URL of the FortiGate unit, and obtain a user name and password. You can connect to the web portal using an Android phone, iPhone, or iPad. The FortiGate unit will display the content of the portal to fit the device’s screen.

In addition, if you will be using a personal or group security (X.509) certificate to connect to the FortiGate unit, your web browser may prompt you for the name of the certificate. Your FortiGate administrator can tell you which certificate to select.

To log into the secure FortiGate HTTP gateway

  1. Using the web browser on your computer, browse to the URL of the FortiGate unit (for example, https://<FortiGate_IP_address>:443/remote/login). The FortiGate unit may offer you a self-signed security certificate. If you are prompted to proceed, select Yes.

A second message may be displayed to inform you that the FortiGate certificate distinguished name differs from the original request. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. You can ignore the message.

  1. When you are prompted for your user name and password:
    • In the Name field, type your user name.
    • In the Password field, type your password.
  2. Select Login.

The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal home page automatically.

Web portal overview

After logging in to the web portal, the remote user is presented with a web portal page similar to the following:

 

Portal

Various widgets provide the web portal’s features:

  • Session Information displays the elapsed time since login and the volume of HTTP and HTTPS traffic, both inbound and outbound.
  • Quick Connection enables you to connect to network resources without using or creating a bookmark. l Download Forticlient provides access to the FortiClient tunnel application for various operating systems.
  • Bookmarks provides links to network resources. You can use the administrator-defined bookmarks and you can

add your own bookmarks.

While using the web portal, you can select the Help button to get information to assist you in using the portal features. This information displays in a separate browser window.

When you have finished using the web portal, select the Logout button in the top right corner of the portal window.

Portal configuration

The SSL VPN web portal enables users to access network resources through a secure channel using a web browser. Fortinet administrators can configure log in privileges for system users and which network resources are available to the users.

Portal configuration

The portal configuration determines what the user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

There are three pre-defined default web portal configurations available:

  • full-access: Includes all widgets available to the user – Session Information, Tunnel Mode options, Connection Launcher, Remote Desktop, and Predefined Bookmarks. l tunnel-access: Includes Session Information and Tunnel Mode
  • web-access: Includes Session Information and Predefined Bookmarks

You can also create your own web portal to meet your corporate requirements.

Portal page
Create New Creates a new web portal.
Edit Select a portal from the list to enable the Edit option, and modify the portal configuration.
Delete Removes a portal configuration.

To remove multiple portals from the list, select the check box beside the portal names, then select Delete.

Name The name of the web portal.
Ref. Displays the number of times the object is referenced in other configurations on the FortiGate unit, such as security policies.

To view the location of the referenced object, select the number in Ref.

column.

To view more information about how the object is used, select one of:

View the list page for these objects – automatically redirects you to the list page where the object is referenced at.

Edit this object – modifies settings within that particular setting that the object is referenced with.

View the details for this object – similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with.

Portal settings

A web portal defines SSL VPN user access to network resources. The portal configuration determines what SSL VPN users see when they log in to the unit. Both the Fortinet administrator and the SSL VPN user have the ability to customize the web portal settings. Portal settings are configured in VPN > SSL-VPN Portals.

The following settings are available, allow you to configure general and security console options for your web portal.

Portal

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.
Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

l Allow client to save password – When enabled, if the user

selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

l Allow client to connect automatically – When enabled, if the

user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

l Allow client to keep connections alive – When enabled, if the

user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).

Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.

Portal configuration

Portal Setting Description
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML filebrowser.

Predefined Bookmarks

Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, RDP, and VNC pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C,

3240C, 3600C, and 5001C

FortiGate-Rugged 90D
FortiWiFi 92D

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

Applications available in the web portal

Depending on the web portal configuration and user group settings, one or more of the following server applications are available to you through Predefined Bookmarks, as well as the Quick Connection widget:

  • Citrix makes use of SOCKS so that the Citrix client can connect to the SSL VPN port forward module to provide the connection.
  • FTP (File Transfer Protocol) enables you to transfer files between your computer and a remote host.

 

Using the Bookmarks widget

  • HTTP/HTTPS accesses web pages.
  • Port Forward provides the middle ground between web mode and tunnel mode. When the SSL VPN receives data from a client application, the data is encrypted and sent to the FortiGate unit, which then forwards the traffic to the application server. l RDP (Remote Desktop Protocol), similar to VNC, enables you to remotely control a computer running Microsoft Terminal Services.
  • SMB/CIFS implements the Server Message Block (SMB) protocol to support file sharing between your computer and a remote server host.
  • SSH (Secure Shell) enables you to exchange data between two computers using a secure channel.
  • TELNET (Teletype Network emulation) enables you to use your computer as a virtual text-only terminal to log in to a remote host.
  • VNC (Virtual Network Computing) enables you to remotely control another computer, for example, accessing your work computer from your home computer.

Some server applications may prompt you for a user name and password. You must have a user account created by the server administrator so that you can log in.

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal edit “portal-name” set user-group-bookmark enable*/disable

next

end

config vpn ssl web user-group-bookmark edit “group-name” config bookmark edit “bookmark1” ….

next

end

next

end

Using the Bookmarks widget

The Bookmarks widget shows both administrator-configured and user-configured bookmarks. Administrator bookmarks cannot be altered but you can add, edit or delete user bookmarks.

Bookmarks widget

The FortiGate unit forwards client requests to servers on the Internet or internal network. To use the web-portal applications, you add the URL, IP address, or name of the server application to the My Bookmarks list. For more information, see Adding bookmarks on page 48.

If you want to access a web server or telnet server without first adding a bookmark to the My Bookmarks list, use the Connection Tool instead. For more information, see Using the Bookmarks widget on page 47.

Adding bookmarks

You can add frequently used connections as bookmarks. Afterward, select any hyperlink from the Bookmarks list to initiate a session.

To add a bookmark

  1. In the web portal, select New Bookmark.
  2. Enter the following information:
Name Enter the name to display in the Bookmarks list.
Type Select the abbreviated name of the server application or network service from the drop-down list.
Location Enter the IP address or FQDN of the server application or network service.

For RDP connections, you can append some parameters to control screen size and keyboard layout. See Using the Bookmarks widget on page 47.

Description Optionally enter a short description. The description displays when you pause the mouse pointer over the hyperlink.
SSO Single Sign On (SSO) is available for HTTP/HTTPS bookmarks only.

Disabled — This is not an SSO bookmark.

Automatic — Use your SSL VPN credentials or an alternate set. See the SSO Credentials field.

Static — Supply credentials and other required information (such as an account number) to a web site that uses an HTML form for authentication. You provide a list of the form field names and the values to enter into them. This method does not work for sites that use HTTP authentication, in which the browser opens a pop-up dialog box requesting credentials.

SSO fields
SSO Credentials SSL VPN Login — Use your SSL VPN login credentials.

Alternative — Enter Username and Password below.

Username Alternative username. Available if SSO Credentials is Alternative.

48

Using the Bookmarks widget

Password Alternative password. Available if SSO Credentials is Alternative.
Static SSO fields These fields are available if SSO is Static.
Field Name Enter the field name, as it appears in the HTML form.
Value Enter the field value.

To use the values from SSO Credentials, enter %passwd% for password or %username% for username.

Add Add another Field Name / Value pair.
  1. Select OK and then select Done.

Group-based SSL VPN bookmarks

This CLI-only feature allows administrators to add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client.

Syntax:

config vpn ssl web portal edit “portal-name” set user-group-bookmark enable*/disable

next

end

conf vpn ssl web user-group-bookmark edit “group-name” conf bookmark edit “bookmark1” ….

next

end

next

end

Group-based SSL VPN bookmarks

This CLI-only feature allows administrators to add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client.

Syntax:

config vpn ssl web portal edit <portal-name> set user-group-bookmark [enable | disable]

next

end

config vpn ssl web user-group-bookmark edit <group-name> config bookmark edit <bookmark1> …. next

Quick Connection Tool

end

next

end

Using the Quick Connection Tool

The Quick Connection Tool widget enables a user to connect to a resource when it isn’t a predefined bookmark.

You can connect to any type of server without adding a bookmark to the Bookmarks list. The fields in the Quick Connection Tool enable you to specify the type of server and the URL or IP address of the host computer.

See the following procedures:

l To connect to a web server on page 50 l To ping a host or server behind the FortiGate unit on page 50 l To start a Telnet session on page 51 l To start an FTP session on page 51 l To start an SMB/CIFS session on page 51 l To start an SSH session on page 52 l To start an RDP session on page 52 l To start a VNC session on page 52

Except for ping, these services require that you have an account on the server to which you connect.

When you use the Connection Tool, the FortiGate unit may offer you its self-signed security certificate. Select Yes to proceed. A second message may be displayed to inform you of a host name mismatch. This message is displayed because the FortiGate unit is attempting to redirect your web browser connection. Select Yes to proceed.

To connect to a web server

  1. In Type, select HTTP/HTTPS.
  2. In the Host field, type the URL of the web server.

For example: http://www.mywebexample.com or https://172.20.120.101

  1. Select Go.
  2. To end the session, close the browser window.

To ping a host or server behind the FortiGate unit

  1. In Type, select Ping.
  2. In the Host field, enter the IP address of the host or server that you want to reach. For example: 11.101.22
  3. Select Go.

A message stating whether the IP address can be reached or not is displayed.

50

Using the Quick Connection Tool

To start a Telnet session

  1. In Type, select Telnet.
  2. In the Host field, type the IP address of the telnet host. For example: 11.101.12
  3. Select Go.

A Telnet window opens.

  1. Select Connect.
  2. A telnet session starts and you are prompted to log in to the remote host.

After you log in, you may enter any series of valid telnet commands at the system prompt.

  1. To end the session, select Disconnect (or type exit) and then close the TELNET connection window.

To start an FTP session

  1. In Type, select FTP.
  2. In the Host field, type the IP address of the FTP server. For example: 11.101.12
  3. Select Go.

A login window opens.

  1. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  2. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name
    • To access a subdirectory (Type is Folder), select the link in the Name
    • To create a subdirectory in the current directory, select New directory. l To delete a file or subdirectory from the current directory, select its Delete
    • To rename a file in the current directory, select its Rename l To upload a file to the current directory from your client computer, select Upload. l When the current directory is a subdirectory, you can select Up to access the parent directory.
  3. To end the FTP session, select Logout.

To start an SMB/CIFS session

  1. In Type, select SMB/CIFS.
  2. In the Host field, type the IP address of the SMB or CIFS server. For example: 11.101.12
  3. Select Go.
  4. Enter your user name and password and then select Login. You must have a user account on the remote host to log in.
  5. Manipulate the files in any of the following ways:
    • To download a file, select the file link in the Name l To access a subdirectory (Type is Folder), select the file link in the Name column.
    • To create a subdirectory in the current directory, select New Directory. l To delete a file or subdirectory from the current directory, select its Delete l To rename a file, select its Rename icon.

 

Quick Connection Tool

  • To upload a file from your client computer to the current directory, select Upload.
  • When the current directory is a subdirectory, you can select Up to access the parent directory.
  1. To end the SMB/CIFS session, select Logout and then close the SMB/CIFS window.

To start an SSH session

  1. In Type, select SSH.
  2. In the Host field, type the IP address of the SSH host. For example: 11.101.12
  3. Select Go.
    • login window opens.
  4. Select Connect.
    • SSH session starts and you are prompted to log in to the remote host. You must have a user account to log in. After you log in, you may enter any series of valid commands at the system prompt.
  5. To end the session, select Disconnect (or type exit) and then close the SSH connection window.

To start an RDP session

  1. In Type, select RDP.
  2. In the Host field, type the IP address of the RDP host. For example: 11.101.12
  3. Optionally, you can specify additional options for RDP by adding them to the Host field following the host address. See Using the Quick Connection Tool on page 50 for information about the available options. For example, to use a French language keyboard layout you would add the -m parameter:

10.11.101.12 -m fr

  1. Select Go.

A login window opens.

  1. When you see a screen configuration dialog, click OK.

The screen configuration dialog does not appear if you specified the screen resolution with the host address.

  1. When you are prompted to log in to the remote host, type your user name and password. You must have a user account on the remote host to log in.
  2. Select Login.

If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.

  1. To end the RDP session, Log out of Windows or select Cancel from the Logon window.

To start a VNC session

  1. In Type, select VNC.
  2. In the Host field, type the IP address of the VNC host. For example: 11.101.12
  3. Select Go.

A login window opens.

  1. Type your user name and password when prompted to log in to the remote host. You must have a user account on the remote host to log in.
  2. Select OK.

If you need to send Ctrl-Alt-Delete in your session, press F8, then select Send Ctrl-Alt-Delete from the pop-up menu.

  1. To end the VNC session, close the VNC window.

Using the SSL VPN virtual desktop

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C,

3240C, 3600C, and 5001C

FortiGate-Rugged 90D
FortiWiFi 92D

Using the SSL VPN virtual desktop

The virtual desktop feature is available for Windows only. When you start an SSL VPN session, the virtual desktop replaces your normal desktop. When the virtual desktop exits, your regular desktop is restored. Virtual desktop information is encrypted so that no information from it remains available after your session ends.

To use the SSL VPN virtual desktop, simply log in to an SSL VPN that requires the use of the virtual desktop. Wait for the virtual desktop to initialize and replace your desktop with the SSL VPN desktop, which has a Fortinet SSL VPN logo as wallpaper. Your web browser will open to the web portal page.

You can use the virtual desktop just as you use your regular desktop, subject to the limitations that virtual desktop application control imposes. If it is enabled in the web portal virtual desktop settings, you can switch between the virtual desktop and your regular desktop. Right-click the SSL VPN Virtual Desktop icon in the taskbar and select Switch Desktop.

To see the web portal virtual desktop settings, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Virtual Desktop Option.

When you have finished working with the virtual desktop, right-click the SSL VPN Virtual Desktop icon in the taskbar and select Exit. Select Yes to confirm. The virtual desktop closes and your regular desktop is restored.

Using FortiClient

Remote users can use FortiClient Endpoint Security to initiate an SSL VPN tunnel to connect to the internal network. FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 10443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. the FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

For information on configuring the FortiGate unit for SSL VPN connectivity, see Basic configuration on page 17.

For details on configuring FortiClient for SSL VPN connections, see the FortiClient documentation.

FortiOS 5.6 SSL VPN Setup examples

$
0
0

Setup examples

The examples in this chapter demonstrate the basic configurations needed for common connections to the SSL VPN tunnel and portals, applying the steps outlined in Basic configuration on page 17.

The following examples are included:

Secure Internet browsing

Split Tunnel

Multiple user groups with different access permissions

Client device certificate authentication with multiple groups

Secure Internet browsing

This example sets up an SSL VPN tunnel that provides remote users the ability to access the Internet while traveling, and ensures that they are not subject to malware and other dangers, by using the corporate firewall to filter all of their Internet traffic. Essentially, the remote user will connect to the corporate FortiGate unit to surf the Internet.

Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Disable Split Tunneling.
  3. For Source IP Pools select SSLVPN_TUNNEL_ADDR1.
  4. Select OK.

Creating the SSL VPN user and user group

  1. Create the SSL VPN user and add the user to a user group configured for SSL VPN use.
  2. Go to User & Device > User Definition and select Create New to add the user:

 

Secure Internet browsing

User Name twhite
Password password
  1. Select OK.
  2. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:
Name SSL VPN
Type Firewall
  1. Move twhite to the Members
  2. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New to add the static route.
Destination IP/Mask 10.212.134.0/255.255.255.0
Device ssl.root
  1. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Add an SSL VPN security policy as below, and click OK.
Incoming Interface ssl.root
Outgoing Interface internal
Source Address all
Source User Group SSL VPN
Destination all
  1. Select OK.

Split Tunnel

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
Users/Groups Tunnel
Portal tunnel-access
  1. Select OK and Apply.

Results

Using the FortiClient SSLVPN application, access the VPN using the address https://172.20.120.136:443/ and log in as twhite. Once connected, you can browse the Internet.

From the FortiGate web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user’s indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Addresses and select Create New and add the head office server address:
Category Address
Name Head office server
Type Subnet
Subnet / IP Range 192.168.1.12
Interface Internal

Split Tunnel

  1. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Enter the following:
Name Connect to head office server
Enable Tunnel Mode Enable
Enable Split Tunneling Enable
Routing Address Internal
Source IP Pools SSLVPN_TUNNEL_ADDR1
  1. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User Definition, select Create New and add the user:
User Name twhite
Password password
  1. Select OK.
  2. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
Name Tunnel
Type Firewall
  1. Move twhite to the Members
  2. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New
Destination IP/Mask 10.212.134.0/255.255.255.0
Device ssl.root
  1. Select OK.

Split Tunnel

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Complete the following:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface internal
Destination Address Head office server
  1. Select OK.
  2. Add a security policy that allows remote SSL VPN users to connect to the Internet.
  3. Select Create New.
  4. Complete the following and select OK:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface wan1
Destination Address all
Schedule always
Service ALL
Action ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
Users/Groups Tunnel
Portal tunnel-access
  1. Select OK and Apply.

 

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.

Multiple user groups with different access permissions

You might need to provide access to several user groups with different access permissions. Consider the following example topology in which users on the Internet have controlled access to servers and workstations on private networks behind a FortiGate unit. In this example configuration, there are two users:

l User1 can access the servers on Subnet_1. l User2 can access the workstation PCs on Subnet_2.

You could easily add more users to either user group to provide them access to the user group’s assigned web portal.

General configuration steps

  1. Create firewall addresses for: l The destination networks.
    • Two non-overlapping tunnel IP address ranges that the FortiGate unit will assign to tunnel clients in the two user groups.
  2. Create two web portals.
  3. Create two user accounts, User1 and User2.
  4. Create two user groups. For each group, add a user as a member and select a web portal. In this example, User1 will belong to Group1, which will be assigned to Portal1 (similar configuration for User2).
  5. Create security policies:
    • Two SSL VPN security policies, one to each destination. l Two tunnel-mode policies to allow each group of users to reach its permitted destination network.
  6. Create the static route to direct packets for the users to the tunnel.

Creating the firewall addresses

Security policies do not accept direct entry of IP addresses and address ranges. You must define firewall addresses in advance.

Creating the destination addresses

SSL VPN users in this example can access either Subnet_1 or Subnet_2.

Multiple user groups with different access permissions

To define destination addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Name Subnet_1
Type Subnet
Subnet/IP Range 10.11.101.0/24
Interface port2
  1. Select Create New, enter the following information, and select OK:
Name Subnet_2
Type Subnet
Subnet/IP Range 10.11.201.0/24
Interface port3

Creating the tunnel client range addresses

To accommodate the two groups of users, split an otherwise unused subnet into two ranges. The tunnel client addresses must not conflict with each other or with other addresses.

To define tunnel client addresses – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK:
Name Tunnel_group1
Type IP Range
Subnet/IP Range 10.11.254.1-10.11.254.50
Interface Any
  1. Select Create New, enter the following information, and select OK.
Name Tunnel_group2
Type IP Range
Subnet/IP Range 10.11.254.51-10.11.254.100
Interface Any

Creating the web portals

To accommodate two different sets of access permissions, you need to create two web portals, portal1 and portal2, for example. Later, you will create two SSL VPN user groups, one to assign to portal1 and the other to assign to portal2.

To create the portal1 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal1 in the Name
  3. In Source IP Pools, select Tunnel_ group1.
  4. Select OK.

To create the portal2 web portal:

  1. Go to VPN > SSL-VPN Portals and select Create New.
  2. Enter portal2 in the Name field and select OK. In IP Pools, select Tunnel_ group2
  3. Select OK.

Later, you can configure these portals with bookmarks and enable connection tool capabilities for the convenience of your users.

Creating the user accounts and user groups

After enabling SSL VPN and creating the web portals that you need, you need to create the user accounts and then the user groups that require SSL VPN access.

Go to User & Device > User Definition and create user1 and user2 with password authentication. After you create the users, create the SSL VPN user groups.

To create the user groups – web-based manager:

  1. Go to User & Device > User Groups.
  2. Select Create New and enter the following information:
Name Group1
Type Firewall
  1. From the Available list, select User1 and move it to the Members list by selecting the right arrow button.
  2. Select OK.
  3. Repeat steps 2 through 4 to create Group2, assigned to Portal2, with User2 as its only member.

Creating the security policies

You need to define security policies to permit your SSL VPN clients, web-mode or tunnel-mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See Creating the firewall addresses on page 59.

Multiple user groups with different access permissions

Two types of security policy are required:

  • An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users can access the destination network.
  • A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.

To create the SSL VPN security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and click OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address All
Source User(s) Group1
Outgoing Interface port2
Destination Address Subnet_1
Service All
  1. Select Create New.
  2. Enter the following information:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address All
Source User(s) Group2
Outgoing Interface port3
Destination Address Subnet_2
Service All
  1. Click OK.

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the first remote group:
Users/Groups Group1
Portal Portal1
  1. Select OK and Apply.
  2. Select Create New and add an authentication rule for the second remote group:
Users/Groups Group2
Portal Portal2
  1. Select OK and Apply.

To create the tunnel-mode security policies – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address Tunnel_group1
Source User(s) Group1
Outgoing Interface port2
Destination Address Subnet_1
Service All
Action ACCEPT
Enable NAT Enable
  1. Select Create New.
  2. Enter the following information, and select OK:
Incoming Interface ssl.root (sslvpn tunnel interface)
Source Address Tunnel_group2
Source User(s) Group2
Outgoing Interface port3
Destination Address Subnet_2
Service All
Action ACCEPT
Enable NAT Enable

Client device certificate authentication with multiple groups

Create the static route to tunnel mode clients

Reply packets destined for tunnel mode clients must pass through the SSL VPN tunnel. You need to define a static route to allow this.

To add a route to SSL VPN tunnel mode clients – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the following information and select OK.
Destination IP/Mask 10.11.254.0/24

This IP address range covers both ranges that you assigned to SSL VPN tunnel-mode users. See Creating the tunnel client range addresses on page 60.

Device Select the SSL VPN virtual interface, ssl.root for example.

Client device certificate authentication with multiple groups

In the following example, we require clients connecting to a FortiGate SSL VPN to have a device certificate installed on their machine in order to authenticate to the VPN.

Employees (in a specific OU in AD) will be required to have a device certificate to connect, while vendors (in a separate OU in AD) will not be required to have a device certificate.

This can only be performed in the CLI console.

The Authentication-rule option is only available in theCLI as an advanced setting to achieve your requirements. It is not available on the GUI. So in VPN > SSL-VPN Settings, do not enable Require Client Certificate, but selectively enable client-cert in each authentication-rule based on the requirements through CLI instead.

Configuring SSL VPN shared settings and authentication rules – CLI:

The following example assumes that remote LDAP users/groups have been pre-configured.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1”

set port 443 set source-interface “wan1” set source-address “all”

 

Client device certificate authentication with multiple groups

set default-portal “full-access” config authentication-rule edit 1 set source-interface “wan1 set source-address “all” set groups “Employees” set portal “full-access” set client-cert enable

next edit 2 set source-interface “wan1” set source-address “all” set groups “Vendors” set portal “full-access” set client-cert disable <– Set by default and will not be displayed.

next

end

end

Configure the remainder of the SSL VPN tunnel as normal (creating a firewall policy allowing SSL VPN access to the internal network, including the VPN groups, necessary security profiles, etc.).

If configured correctly, only the ‘Employees’ group should require a client certificate to authenticate to the VPN.

FortiOS 5.6 SSL VPN Troubleshooting

$
0
0

Troubleshooting

This section contains tips to help you with some common challenges of SSL VPNs.

  • Enter the following to display debug messages for SSL VPN: diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results. l Enter the following command to verify the debug configuration:

diagnose debug info debug output: disable console timestamp: disable console no user log message: disable sslvpn debug level: -1 (0xffffffff) CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems.

  • Enter the following to enable displaying debug messages: diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)

[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)

[282:root]SSL state:SSLv3 write finished B (172.20.120.12)

[282:root]SSL state:SSLv3 flush data (172.20.120.12)

[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)

[282:root]SSL state:SSLv3 read finished A (172.20.120.12)

[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)

[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 l Enter the following to stop displaying debug messages: diagnose debug disable

The following is a list of potential issues. The suggestions below are not exhaustive, and may not reflect your network topology.

There is no response from the SSL VPN URL.

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also, verify that the SSL VPN policy is configured correctly. l Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>/remote/login

Troubleshooting

  • Ensure that you are using the correct port number in the URL.

FortiClient cannot connect.

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

config vpn ssl settings set route-source-interface enable

end

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).

  • Ensure that cookies are enabled in your browser. l If you are using a remote authentication server, ensure that the FortiGate is able to communicate with it.
  • Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and that use personally identifiable information without your explicit consent.

You receive an error message stating: “Destination address of Split Tunneling policy is invalid.

The SSL VPN security policy uses the ALL address as its destination. Change the address to that of the protected network instead.

The tunnel connects but there is no communication.

Go to Network > Static Routes and ensure that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface.

You can connect remotely to the VPN tunnel but are unable to access the network resources.

Go to Policy & Objects > IPv4 Policy and examine the policy allowing VPN access to the local network. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

Users are unable to download the SSL VPN plugin.

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Ensure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings will be used.

Troubleshooting

Flow-based (vdom) AntiVirus profiles in SSL VPN web mode limitation

In flow mode vdom, SSL VPN web mode doesn’t block antivirus even when av-profile is set (however, SSL VPN tunnel mode AV profile does work).

Sending tunnel statistics to FortiAnalyzer

By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. More accurate results require logs with action=tunnelstats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:

config system settings set vpn-stats-log ipsec ssl set vpn-stats-period 300 end


FortiOS 5.4 VM Install Guide

$
0
0

Introduction

FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security controls within your virtual infrastructure. They also allow you to rapidly provision security infrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the security and networking services common to traditional hardware-based FortiGate appliances. With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized management platform.

Document scope

This document describes how to deploy a FortiGate virtual appliance in several virtualization server environments. This includes how to configure the virtual hardware settings of the virtual appliance.

This document assumes:

  • you have already successfully installed the virtualization server on the physical machine,
  • you have installed appropriate VM management software on either the physical server or a computer to be used for VM management.

This document does not cover configuration and operation of the virtual appliance after it has been successfully installed and started. For these issues, see the FortiGate 5.2 Handbook.

This document includes the following sections:

  • FortiGate VM Overview l Deployment example – VMware l Deployment example – MS Hyper-V l Deployment example – KVM l Deployment example – OpenXen l Deployment example – Citrix XenServer

6

What’s new in VM in 5.4                                                                                                         New Features in 5.4.0

What’s new in VM in 5.4

New Features in 5.4.0

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

l Support for up to 16 vCPU – FortiGate-VM16 l Support for up to 32 vCPU – FortiGate-VM32 l Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

  • An indicator to show when a VM is waiting for authentication or starting up l Shows VM status when license is valid
  • Shows CLI console window when VM is waiting too long for remote registration of server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users, with Citrix XenServer tools to read performance statistics from XenServer clients and do Xenmotion with servers in the same cluster

There are no changes to the GUI, but there are some changes to the CLI.

A setting has been edited to control the debug level of the XenServer tools daemon diag debug application xstoolsd <integer>

Integer = Debug level

An additional update has been added to set the update frequency for XenServer tools

config system global set xstools-update-frequency Xenserver <integer> end

Enter an integer value from 30 to 300 (default = 60).

New Features in 5.4.0                                                                                                         What’s new in VM in 5.4

FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI Changes: nsx group list

This is used to list NSX security Groups

Syntax:

execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security Groups

Syntax:

execute nsx group delete <vdom> <name of the filter>

nsx.setting.update-period

This is used to set the update period for the NSX security group

Syntax:

config.nsx.setting.update-period <0 – 3600 in seconds>

0 means disabled

Default value: 0

Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models of FG-VM01, FG-VM02 and FG-VM04. The difference being that the new models don’t support VDOMs. 8

What’s new in VM in 5.4                                                                                                         New Features in 5.4.0

New FortiGate-VM without VDOM support
Original FortiGate-VM
FG-VM01
FG-VM02
FG-VM02v

FG-VM01v

FG-VM04                                                                      FG-VM04v

 

FortiGate VM models and licensing

FortiGate VM Overview

$
0
0

FortiGate VM Overview

The following topics are included in this section:

FortiGate VM models and licensing

Registering FortiGate VM with Customer Service & Support

Downloading the FortiGate VM deployment package

Deployment package contents

Deploying the FortiGate VM appliance

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.

FortiGate VM model information

Technical Specification FG-VM00 FG-VM01 FG-VM02 FG-VM04 FG-VM08
Virtual CPUs (min / max) 1 / 1 1 / 1 1 / 2 1 / 4 1 / 8
Virtual Network

Interfaces (min / max)

2 / 10
Virtual Memory (min / max) 1GB / 1GB 1GB / 2GB 1GB / 4GB 1GB / 6GB 1GB /12GB
Virtual Storage (min / max) 32GB / 2TB
Managed Wireless APs (tunnel mode / global) 32 / 32 32 / 64 256 / 512 256 / 512 1024 / 4096
Virtual Domains (default / max) 1 / 1 10 / 10 10 / 25 10 / 50 10 / 250

After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.

10

FortiGate VM Overview                                                    Registering FortiGate VM with Customer Service & Support

The number of Virtual Network Interfaces is not solely dependent on the FortiGate VM. Some virtual environments have their own limitations on the number of interfaces allowed. As an example, if you go to https://docs.microsoft.com/en-us/azure/virtualnetwork/virtual-networks-multiple-nics, you will find that Azure has its own restrictions for VMs, depending on the type of deployment or even the size of the VM.

FortiGate VM evaluation license

FortiGate VM includes a limited embedded 15-day trial license that supports: l 1 CPU maximum l 1024 MB memory maximum

l low encryption only (no HTTPS administrative access) l all features except FortiGuard updates

You cannot upgrade the firmware, doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.

To register your FortiGate VM:

  1. Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.
  2. In the main page, under Asset, select Register/Renew.

The Registration page opens.

  1. Enter the registration code that was emailed to you and select Register. A registration form will display.
  2. After completing the form, a registration acknowledgement page will appear.
  3. Select the License File Download
  4. You will be prompted to save the license file (.lic) to your local computer. See “Upload the license file” for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.

Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.

Downloading the FortiGate VM deployment package

Selecting the correct FortiGate VM deployment package for your VM platform

VM Platform FortiGate VM Deployment File
Citrix XenServer v5.6sp2, 6.0 and later FGT_VM64-v500-buildnnnn-FORTINET. out.CitrixXen.zip
OpenXen v3.4.3, 4.1 FGT_VM64-v500-buildnnnn-FORTINET.

out.OpenXen.zip

Microsoft Hyper-V Server 2008R2 and 2012 FGT_VM64-v500-buildnnnn-FORTINET. out.hyperv.zip
KVM (qemu 0.12.1) FGT_VM64-v500-buildnnnn-FORTINET.

out.kvm.zip

VMware ESX 4.0, 4.1

ESXi 4.0/4.1/5.0/5.1/5.5

FGT_VM32-v500-buildnnnn-FORTINET.

out.ovf.zip (32-bit)

FGT_VM64-v500-buildnnnn-FORTINET. out.ovf.zip

For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.

The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main FortiGate v5.00 directory.

To download the FortiGate VM deployment package:

  1. In the main page of the Customer Service & Support site, select Download > Firmware Images.

The Firmware Images page opens.

  1. In the Firmware Images page, select FortiGate.
  2. Browse to the appropriate directory on the FTP site for the version that you would like to download.
  3. Download the appropriate .zip file for your VM server platform.

You can also download the FortiGate Release Notes.

  1. Extract the contents of the deployment package to a new file folder.

 

FortiGate VM Overview                                                                                            Deployment package contents

Deployment package contents

Citrix XenServer

The FORTINET.out.CitrixXen.zip file contains:

  • vhd: the FortiGate VM system hard disk in VHD format l fortios.xva: binary file containing virtual hardware configuration settings l in the ovf folder:
  • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for

Xen l fortios.vmdk: the FortiGate VM system hard disk in VMDK format l datadrive.vmdk: the FortiGate VM log disk in VMDK format

The ovf folder and its contents is an alternative method of installation to the .xva and VHD disk image.

OpenXEN

The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

l create a 32GB log disk l specify the virtual hardware settings

Microsoft Hyper-V

The FORTINET.out.hyperv.zip file contains:

  • in the Virtual Hard Disks folder:
  • vhd: the FortiGate VM system hard disk in VHD format l DATADRIVE.vhd: the FortiGate VM log disk in VHD format
  • In the Virtual Machines folder:
  • xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
  • Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

KVM

The FORTINET.out.kvm.zip contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

l create a 32GB log disk l specify the virtual hardware settings

VMware ESX/ESXi

You will need to create a 32GB log disk.

Deploying the FortiGate VM appliance

The FORTINET.out.ovf.zip file contains:

  • vmdk: the FortiGate VM system hard disk in VMDK format l datadrive.vmdk: the FortiGate VM log disk in VMDK format l Open Virtualization Format (OVF) template files:
  • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver l FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server l FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver l FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that

  • You are familiar with the management software and terminology of your VM platform.
  • An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.

For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.

Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.

After deployment and license validation, you can upgrade your FortiGate VM appliance’s firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnnFORTINET.out (64-bit) firmware. Firmware upgrading on a VM is very similar to upgrading firmware on a hardware FortiGate unit.

FortiGate VM Deployment example – VMware

$
0
0

Deployment example – VMware

Once you have downloaded the FGT_VMxx-v5-build0xxx-FORTINET.out.ovf.zip file from http://support.fortinet.com and extracted the package contents to a folder on your local computer, you can use the vSphere client to create the virtual machine from the deployment package OVF template.

The following topics are included in this section:

Open the FortiGate VM OVF file with the vSphere client

Configure FortiGate VM hardware settings

Open the FortiGate VM OVF file with the vSphere client

To deploy the FortiGate VM OVF template:

  1. Launch the VMware vSphere client, enter the IP address or host name of your server, enter your user name and password and select Login.

The vSphere client home page opens.

  1. Select File > Deploy OVF Template to launch the OVF Template wizard.

 

Open the                    OVF file with the vSphere client

Source page opens.

  1. Select the source location of the OVF file. Select Browse and locate the OVF file on your computer. Select Next to continue.

The OVF Template Details page opens.

  1. Verify the OVF template details. This page details the product name, download size, size on disk, and description. Select Next to continue.

End User License Agreement page opens.

  1. Read the end user license agreement for FortiGate VM. Select Accept and then select Next to continue.

Open the                    OVF file with the vSphere client

Name and Location page opens.

  1. Enter a name for this OVF template. The name can contain up to 80 characters and it must be unique within the inventory folder. Select Next to continue.

Disk Format page opens.

  1. Select one of the following:
  • Thick Provision Lazy Zeroed: Allocates the disk space statically (no other volumes can take the space), but does not write zeros to the blocks until the first write takes place to that block during runtime (which includes a full disk format).
  • Thick Provision Eager Zeroed: Allocates the disk space statically (no other volumes can take the space), and writes zeros to all the blocks.
  • Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is

reported by VMFS to the OS. Other volumes can take the remaining space. This allows you to float space between your servers, and expand your storage when your size monitoring indicates there is a problem. Note that once a Thin Provisioned block is allocated, it remains on the volume regardless if you have deleted data, etc.

  1. Select Next to continue.

The OVF Template Network Mapping page opens.

 

Configure                       hardware settings

  1. Map the networks used in this OVF template to networks in your inventory. Network 1 maps to port1 of the FortiGate VM. You must set the destination network for this entry to access the device console. Select Next to continue.

The OVF Template Ready to Complete page opens.

  1. Review the template configuration. Make sure that Power on after deployment is not enabled. You might need to configure the FortiGate VM hardware settings prior to powering on the FortiGate VM.
  2. Select Finish to deploy the OVF template. You will receive a Deployment Completed Successfully dialog box once the FortiGate VM OVF template wizard has finished.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.

Configure FortiGate VM hardware settings

Configure                       hardware settings                                                   Transparent mode VMware configuration

FortiGate VM Transparent Mode VMware Configuration

$
0
0

Transparent mode VMware configuration

If you want to use your FortiGate-VM in transparent mode, your VMware server’s virtual switches must operate in promiscuous mode. This permits these interfaces to receive traffic that will pass through the FortiGate unit but was not addressed to the FortiGate unit.

In VMware, promiscuous mode must be explicitly enabled:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of vSwitch0.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.
  7. Repeat steps 3 through 6 for other vSwitches that your transparent mode FortiGate-VM uses.

 

High Availability VMware configuration                                                                           Power on your FortiGate VM

FortiGate VM High Availability VMware configuration

$
0
0

High Availability VMware configuration

If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

To enable promiscuous mode in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect heartbeat interfaces.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.

You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces and the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.

To make the required changes in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect FortiGate VM interfaces.
  4. Set MAC Address ChangestoAccept.
  5. Set Forged Transmits to Accept.

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:

  • Select the name of the FortiGate VM you deployed in the inventory list and select Power on the virtual machine in the Getting Started
  • In the inventory list, right-click the name of the FortiGate VM you deployed, and select Power > Power On. l Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On button on the toolbar.

Select the Console tab to view the console. To enter text, you must click in the console pane. The mouse is then captured and cannot leave the console screen. As the FortiGate console is text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.

Viewing all 2380 articles
Browse latest View live


<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>