1. Go to System > Feature Visibility and ensure Certificates is enabled.
2. Go to System > Certificates and select Import > Local Certificate.
3. Set Type to Certificate.
4. Choose the Certificate file and the Key file for your certificate, and enter the Password.
5. If required, change the Certificate Name.
The server certificate now appears in the list of Certificates.
To install the CA certificate:
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.
1. Go to System > Certificates and select Import > CA Certificate.
2. Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.
To configure SSL VPN using the GUI:
1. Configure the interface and firewall address. The port1 interface connects to the internal network.
a. Go to Network > Interfaces and edit the wan1 interface.
b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
c. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
d. Click OK.
e. Go to Policy & Objects > Address and create an address for the internal subnet 192.168.1.0/255.255.255.0.
2. Configure the LDAP server:
a. Go to User & Authentication > LDAP Servers and click Create New.
b. Specify Name and Server IP/Name.
c. Set Distinguished Name to dc=fortinet-fsso,dc=com.
d. Set Bind Type to Regular.
e. Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com.
f. Set Password.
g. Click OK.
3. Configure PKI users and a user group:
To use certificate authentication, use the CLI to create PKI users.
config user peer
    edit user1
        set ca CA_Cert_1
        set mfa-server "ldap-AD"
        set mfa-mode subject-identity
    next
end
When you have created a PKI user, a new menu is added to the GUI:
a. Go to User & Authentication > PKI to see the new user.
b. Go to User & Authentication > User > User Groups and create a group sslvpn-group.
c. Add the PKI peer object you created as a local member of the group.
d. Add a remote group on the LDAP server and select the group of interest.
The certificate users must be members of this LDAP group; use the LDAP browser window to select it. With mfa-mode subject-identity, the identity taken from the certificate subject is looked up on the MFA server (ldap-AD) and the user's LDAP group memberships are compared with the group's match rule, so a certificate signed by CA_Cert_1 alone is not enough to land a user in sslvpn-group.
4. Configure SSL VPN web portal:
a. Go to VPN > SSL-VPN Portals and edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
5. Configure SSL VPN settings:
a. Go to VPN > SSL-VPN Settings.
b. Select the Listen on Interface(s), in this example, wan1.
c. Set Listen on Port to 10443.
d. Set Server Certificate to the server certificate imported earlier.
e. Under Authentication/Portal Mapping, set the default portal to web-access for All Other Users/Groups.
f. Create a new Authentication/Portal Mapping that maps the group sslvpn-group to the portal full-access.
6. Configure SSL VPN firewall policy:
a. Go to Policy & Objects > Firewall Policy.
b. Fill in the firewall policy name. In this example, sslvpn certificate auth.
c. The Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
d. Set the Source Address to all and Source User to sslvpn-group.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example, port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
g. Set Schedule to always, Service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure any remaining firewall and security options as desired. In production, narrow Service from ALL to the services remote users actually need.
j. Click OK.
To configure SSL VPN using the CLI:
1. Configure the interface and firewall address:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end
2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network:
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
3. Configure the LDAP server:
config user ldap
    edit "ldap-AD"
        set server "172.18.60.206"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
        set password ldap-server-password
    next
end
4. Configure PKI users and a user group:
config user peer
    edit user1
        set ca CA_Cert_1
        set mfa-server "ldap-AD"
        set mfa-mode subject-identity
    next
end
config user group
    edit "sslvpn-group"
        set member "ldap-AD" "user1"
        config match
            edit 1
                set server-name "ldap-AD"
                set group-name "CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
        end
    next
end
5. Configure SSL VPN web portal:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
6. Configure SSL VPN settings:
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-group"
            set portal "full-access"
        next
    end
end
7. Configure one SSL VPN firewall policy to allow remote user to access the internal network:
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpn-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To see the results of tunnel connection:
1. Download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
a. Set the connection name.
b. Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
c. Select Customize Port and set it to 10443.
d. Enable Client Certificate and select the authentication certificate.
4. Save your settings.
Connecting to the VPN only requires the user's certificate. It does not require username or password.
To see the results of web portal:
1. In a web browser, log into the portal at https://172.20.120.123:10443 (the SSL VPN listener serves TLS on port 10443, so the scheme is https).
The browser asks you to present a client certificate for authentication.
2. Select the user certificate.
You can connect to the SSL VPN web portal.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the SSL VPN connection using the CLI:
Below is a sample output of diagnose debug application fnbamd -1 while the user connects (run diagnose debug enable first to see it, and diagnose debug disable when you are done). This is a shortened output sample of a few locations to show the important parts. It shows the lookups that find the user's group memberships (three groups in total) and that the correct group being found results in a match.
[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' - 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'
You can also use diagnose firewall auth list to validate that a firewall user entry exists for the SSL VPN user and that it is part of the right groups.
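The fnbamd output above is the only place the FortiGate shows which LDAP groups it copied for the certificate user and which user group match rule it applied. The script below is an added example, not FortiOS code and not from this page's author: it parses lines in the format of the debug output, re-applies the sslvpn-group match rule from step 4 of the CLI procedure (server-name plus group-name DN), and checks that the recomputed result agrees with the verdict line the FortiGate printed. The log lines in it are constructed to mirror the sample above, and the case-insensitive DN comparison is an assumption about how Active Directory DNs should be compared, not something the page states.

```python
"""Re-check a FortiGate PKI/LDAP group decision from fnbamd debug output.

Added example (not FortiOS code). Log lines are constructed to mirror the
page's `diagnose debug application fnbamd -1` sample; case-insensitive DN
matching is an assumption.
"""
import re
from dataclasses import dataclass, field

# Match rule copied from `config user group sslvpn-group` / `config match`.
MATCH_RULES = {
    "sslvpn-group": [
        {"server-name": "ldap-AD",
         "group-name": "CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM"},
    ],
}

ENTRY_SPLIT = re.compile(r"(?=\[\d+\] )")          # several entries may share a line
STOP_SVR = re.compile(r"__ldap_stop-svr '(?P<svr>[^']+)'")
DEL_USER = re.compile(r"ldap_dn_list_del_all-Del (?P<dn>.+)$")
COPIED_GRP = re.compile(r"ldap_copy_grp_list-copied (?P<dn>.+)$")
RESULT = re.compile(r"fnbamd_auth_cert_result-matched user '(?P<user>[^']+)', "
                    r"matched group '(?P<group>[^']+)'")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: trim each RDN, fold case.
    Assumption: AD attribute types and values are compared case-insensitively."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return ",".join(r.lower() for r in rdns)


def user_cn(user_dn: str) -> str:
    """Value of the first RDN, i.e. the identity the certificate subject mapped to."""
    first = re.split(r"(?<!\\),", user_dn)[0]
    return first.split("=", 1)[1].strip()


@dataclass
class LdapLookup:
    server: str = ""
    user_dn: str = ""
    groups: list = field(default_factory=list)


def parse_fnbamd(lines) -> LdapLookup:
    """Pull the LDAP server, the user DN and the copied group DNs out of the log."""
    lk = LdapLookup()
    for raw in lines:
        for entry in (e.strip() for e in ENTRY_SPLIT.split(raw) if e.strip()):
            if (m := STOP_SVR.search(entry)):
                lk.server = m.group("svr")
            elif (m := DEL_USER.search(entry)):
                lk.user_dn = m.group("dn")
            elif (m := COPIED_GRP.search(entry)):
                lk.groups.append(m.group("dn"))
    return lk


def match_groups(lookup: LdapLookup, rules=MATCH_RULES) -> list:
    """FortiGate user groups whose match rule is satisfied by the copied LDAP groups."""
    have = {normalize_dn(g) for g in lookup.groups}
    matched = []
    for fgt_group, rule_list in rules.items():
        for rule in rule_list:
            if rule["server-name"] == lookup.server and normalize_dn(rule["group-name"]) in have:
                matched.append(fgt_group)
                break
    return matched


def audit(lines) -> dict:
    """Recompute the decision and compare it with the verdict fnbamd printed (if any)."""
    lk = parse_fnbamd(lines)
    recomputed = match_groups(lk)
    user = user_cn(lk.user_dn) if lk.user_dn else None
    verdict = None
    for raw in lines:
        if (m := RESULT.search(raw)):
            verdict = (m.group("user"), m.group("group"))
    consistent = (verdict[0] == user and verdict[1] in recomputed) if verdict else (recomputed == [])
    return {"user": user, "ldap_groups": lk.groups, "recomputed": recomputed,
            "fortigate_verdict": verdict, "consistent": consistent}


# Constructed log lines mirroring the page's sample for user test3 (two entries share one line).
SAMPLE_OK = [
    "[753] __ldap_stop-svr 'ldap-AD'",
    "[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM "
    "[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM",
    "[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM",
    "[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'",
    "[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'",
]
# Constructed: a valid certificate holder who is only in Domain Users must not match.
SAMPLE_NO_GROUP = [
    "[753] __ldap_stop-svr 'ldap-AD'",
    "[53] ldap_dn_list_del_all-Del CN=test4,OU=Testing,DC=Fortinet-FSSO,DC=COM",
    "[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM",
]

if __name__ == "__main__":
    for name, sample in (("test3", SAMPLE_OK), ("test4", SAMPLE_NO_GROUP)):
        print(name, audit(sample))
```

Paste the real fnbamd lines into SAMPLE_OK in place of the constructed ones to check a live session; a user whose certificate chains to CA_Cert_1 but who is not in CN=group3 should come back with an empty recomputed list, which is exactly the case where FortiClient reports a failed login even though the certificate itself is valid.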