Scribd
Upload
59 views9 pages

Configuring FortiClient SSL VPN Tunnel

Uploaded by

manuteoihu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
59 views9 pages

Configuring FortiClient SSL VPN Tunnel

Uploaded by

manuteoihu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

Exercise 1: Configuring SSL VPN

Tunnel Mode
In this exercise, you will examine how to change the SSL VPN settings to allow remote
access to the resources in the local subnet ([Link]/24), but perform a connection in
tunnel mode from the Remote-Client VM.

You will use the remote access module of FortiClient, which supports the Fortinet SSL VPN
client.

FortiClient is already installed on the Remote-Client VM.

Configure the SSL VPN Settings


You will configure the SSL VPN settings to allow the remote connection shown in the
following image:

By default, SSL VPN


tunnel mode settings and
the VPN > SSL-VPN men
us are hidden on the GUI
in FortiOS version 7.4. To
enable the GUI menu,
enter the following CLI
commands:
config system settings

set gui-sslvpn enable

end

The configuration file is


preconfigured for you to
show the SSL VPN
menus.

To create a user for SSL VPN connections


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click User & Authentication > User Definition.

3. Click Create New.

4. Click Local User, and then click Next.

5. Type the following credentials for the remote user, and then click Next:

Username student

Password fortinet

6. Leave the contact information field empty, and then click Next.

7. In the User Account Status field, verify that Enabled is selected.

8. Enable User Group, click +, and then in the section on the right,
select SSL_VPN_USERS.

9. Click Submit.

The SSL_VPN_USERS gr
oup was preconfigured for
this lab.

To review the settings of


this group, click User &
Authentication > User
Groups.

To configure the SSL VPN settings for access


1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Settings.

2. In the Connection Settings section, configure the following settings:

Field Value

Listen on port1
Interface(s)

Listen on Port 10443

Server Fortinet_Factory
Certificate

Restrict Access Allow access from


any host

Inactive For 3000 seconds

3. In the Tunnel Mode Client Settings section, verify the following setting:

Field Value

Address Automatically assign


Range addresses

4. In the Authentication/Portal Mapping section, select All Other Users/Groups,


and then click Edit.

5. In the Portal field, select tunnel-access, and then click OK.

6. Click Apply to save the changes.


Configure the Routing for Tunnel Mode
You will establish the routing address to use in tunnel mode.

In tunnel mode, FortiClient establishes one or more routes in the SSL VPN user's host after
the tunnel is connected. Traffic destined to the internal subnets is correctly routed through
the tunnel.

To configure the routing for tunnel mode


1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Portals.

2. Select the tunnel-access portal, and then click Edit.

3. In the Tunnel Mode section, in the Routing Address Override field,


select LOCAL_SUBNET.

4. Click OK.

Create a Firewall Policy for SSL VPN


You will create a firewall policy that allows traffic to the local subnet ( [Link]/24) from
remote users connected to the SSL VPN.

To create a firewall policy for SSL VPN


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Click Create New, and then configure the following firewall policy settings:

Field Value

Name SSL-VPN-Access

Incoming SSL-VPN tunnel interface


Interface ([Link])

Outgoing port3
Interface

Source Address >


SSLVPN_TUNNEL_ADDR
1

User > SSL_VPN_USERS

Destinatio LOCAL_SUBNET
n

Schedule always

Service ALL

Action ACCEPT

Inspection Flow-based
mode

NAT Disabled

3. Click OK to save the configuration.

Configure FortiClient for SSL VPN


Connections
SSL VPN connections in tunnel mode require FortiClient. You will use FortiClient, which is
installed on the Remote-Client VM, to test your configuration.

To configure FortiClient for SSL VPN in tunnel mode


1. Connect to the Remote-Client VM with the username Administrator and
password password.
2. Click Desktop > forticlientsslvpn > 64bit, and then double-
click forticlientsslvpn to configure SSL VPN client settings.

3. Configure the following settings for the FortiClient SSL VPN application:

Field Value

Server [Link]

Customize port 10443

4. Continuing on the FortiClient SSL VPN application, in the User field, type student,
and then in the Password field, type fortinet.

5. Click Connect.

6. Click Continue to accept the certificate.

The tunnel is connected.


To test the tunnel
1. Continuing on the Remote-Client VM, open Firefox, and then access the following
URL:

[Link]

2. Look at the URL.

You are connected to the web server URL as if you were based in the local subnet
([Link]/24).

Monitor an SSL VPN User


You will monitor and disconnect an SSL VPN user from the FortiGate GUI.

To monitor and disconnect an SSL VPN user


1. Return to the Local-FortiGate GUI.

2. Click Dashboard > Network, and then view the SSL-VPN widget.

You can see that the student user is connecting from the remote host [Link].

3. Right-click student, and then select End Session.

4. Click OK.
The student user no longer appears in the SSL VPN monitor.

Review VPN Events


You will review the VPN events for the SSL VPN connection you performed in this lab.

To review VPN events for the SSL VPN connection


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click Log & Report > System Events, and then expand the VPN Events widget to
view the logs.

3. View the log details of the tunnel-up log you see.

Hint: Use your log filters to filter on Action = tunnel-up.

The tunnel-up log in the VPN event list shows the SSL VPN connection in tunnel mode
through FortiClient. Notice this log displays two IP addresses:

 Remote IP: IP address of the remote user's gateway (egress interface)


 Tunnel IP: IP address FortiGate assigns to the virtual network adapter fortissl

Common questions

Powered by AI

To configure SSL VPN tunnel mode client settings, navigate in the Local-FortiGate GUI to VPN > SSL-VPN Settings and set options such as listening interface (port1) and port (10443) while allowing access from any host . Routing for secure access is established by selecting the tunnel-access portal in VPN > SSL-VPN Portals, clicking Edit, and setting the Routing Address Override field to LOCAL_SUBNET .

Configuring 'Restrict Access' in SSL VPN tunnel mode is critical to define and control which hosts are allowed to connect, mitigating unauthorized access. In the configuration, it is set to 'Allow access from any host', a default configuration that could increase vulnerability if not adjusted per security policies .

An SSL VPN user session can be monitored from the FortiGate GUI by navigating to Dashboard > Network and viewing the SSL-VPN widget where user connections such as 'student' from remote host '10.200.3.1' are displayed. To end a session, right-click the user and select 'End Session', confirming with OK. The terminated session no longer appears in the monitor .

Leaving 'NAT' disabled in the SSL VPN firewall policy implies that original source IPs are maintained for traffic exiting through the interface. This configuration affects data routing by ensuring traffic can be correctly returned to its source, preserving client IP addresses for logging, tracking, and routing through the established VPN path .

FortiClient on the Remote-Client VM is configured by opening the application, entering the Server IP '10.200.1.1', and setting Customize port to '10443'. User credentials 'student' and 'fortinet' are entered before connecting. The connection is verified by accessing 'http://10.0.1.10' via Firefox, confirming the remote connection to the local subnet .

To enable SSL VPN settings in the FortiOS version 7.4 GUI, enter the CLI command 'config system settings set gui-sslvpn enable end' . After enabling the GUI, set up a user for SSL VPN access by logging into the Local-FortiGate GUI with admin credentials, navigating to User & Authentication > User Definition, creating a new Local User with username 'student' and password 'fortinet', and adding the user to the SSL_VPN_USERS group .

'Tunnel-up' log entries in the VPN events, which can be accessed in the FortiGate GUI under Log & Report > System Events by applying a filter for Action = tunnel-up, reveal the remote user's gateway (Remote IP) and the virtual network adapter's Tunnel IP assigned by FortiGate .

Setting 'Inspection Mode' to 'Flow-based' benefits the firewall policy by reducing overhead and improving performance efficiency as packets are streamed through the inspection engine. This mode enables real-time analysis and threat detection without the need for full content reassembly, influencing traffic handling by optimizing speed and resource usage .

Create a firewall policy by accessing Policy & Objects > Firewall Policy on the Local-FortiGate GUI. Configure the policy with Name 'SSL-VPN-Access', Incoming Interface as SSL-VPN tunnel interface (ssl.root), Outgoing Interface as port3, Source Address from SSLVPN_TUNNEL_ADDR1, User as SSL_VPN_USERS, Destination as LOCAL_SUBNET, Schedule set to always, Service to ALL, Action to ACCEPT, with Flow-based Inspection mode, and NAT disabled .

'Portal Mapping' settings for 'All Other Users/Groups' direct users to specific portals that determine access and resources available. The default portal setting is 'tunnel-access', which ensures users connect through tunnel mode, providing a consistent and controlled access experience across users while enforcing policies .

You might also like