
FortiOS 7.4.1 Administration Guide

Ricardo Peart

Academic year: 2023


Full text

VPN provider: Windows (built-in). Connection name: vpn.lab.local. Server name or address: vpn.lab.local. Optionally enable connection to these servers and enter the FQDN of your NPS server, in this case DC.lab.local.

IPsec IKE load balancing based on FortiSASE account information

FortiSASE provides secure Internet access for users on the local FortiGate network and allows other remote FortiSASE users secure private access to private FortiGate resources.

IPsec SA key retrieval from a KMS server using KMIP

KMS: rekey using old child_sa keys

The backup overlay can monitor all primary overlays and is not activated until the number of unhealthy primary overlays equals or exceeds the default threshold. When all four primary overlays go down, the backup overlay is activated and used to forward traffic.

VPN IPsec troubleshooting

Understanding VPN related logs

IPsec related diagnose commands

SSL VPN

SSL VPN best practices

By default, the SSL VPN web mode settings are disabled and hidden from the GUI and CLI. While this setting is disabled, SSL VPN tunnel mode can still be configured correctly, but when you try to access SSL VPN web mode through the SSL VPN portal by navigating to the listening IP address, domain, and port in a web browser, an error message will appear.

Tunnel mode

Web mode

Security best practices

Using SSL VPN realms simplifies defining a control structure for mapping users and groups to the appropriate resources. Once SSL VPN settings are configured, you can disable SSL VPN when not in use.

SSL VPN quick start

SSL VPN split tunnel for remote user

Setting the destination address will cause the portal to function as a full tunnel, potentially leading to misconfigurations and complicating troubleshooting efforts. Configure an SSL VPN firewall policy to allow the remote user to access the internal network.

Connecting from FortiClient VPN client

On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users. On the FortiGate, go to Log & Report > Forward Traffic to view the details of the SSL VPN log entry.

Set up FortiToken multi-factor authentication

When a FortiToken is added to user sslvpnuser1, an email is sent to the user's email address. Follow the instructions to install the FortiToken Mobile application on your device and activate your token.

SSL VPN tunnel mode

Optionally, you can right-click the FortiTray icon in the system tray and select a VPN configuration to connect to.

SSL VPN full tunnel for remote user

Configure the internal interface and protected subnet, then connect the port1 interface to the internal network. On the FortiGate, go to Log & Report > Forward Traffic and view the details of the SSL VPN entry.

SSL VPN tunnel mode host check

Use the CLI to configure the SSL VPN web portal so that host check verifies whether compatible antivirus software is present on the user's computer. Configure a single SSL VPN firewall policy to allow remote users to access the internal network.

SSL VPN split DNS

SSL VPN portals configured with their own DNS servers and suffixes under config vpn ssl web portal override the settings configured under config vpn ssl settings. The split DNS option can be used to configure domains that apply to a specific SSL VPN portal by specifying the primary and secondary DNS servers used to resolve specific suffixes.

Split tunneling settings

SSL VPN web mode

This includes the elapsed time since login and the volume of incoming and outgoing HTTP and HTTPS traffic. Clicking the button opens the FortiClient Remote Access tab, but FortiClient does not automatically create a VPN connection based on the web mode connection information.

Web portal configurations

When Split Tunneling is set to Enabled for Trusted Destinations, the selected IPv4 firewall address becomes a trusted destination that is not tunneled through SSL VPN; likewise, the selected IPv6 firewall address becomes a trusted destination that is not tunneled through SSL VPN. See Showing the SSL VPN portal login page in the browser's language for more details.

Quick Connection tool

SSL VPN bookmarks

SSL VPN web mode for remote user

Make sure SSL VPN web mode and SSL VPN feature visibility are enabled before starting the configuration. This IP pool is configured as the source IP address in either a firewall policy for SSL VPN web mode or a proxy policy for the explicit web proxy. Note that FortiOS SSL VPN web mode does not support virtual-to-real IP mapping.

Customizing the RDP display size

Do not set the virtual IP addresses as destination addresses in a firewall policy when using SSL VPN web mode, as this will result in no destination address being accessible. Create a new personal RDP bookmark (+ New Bookmark) or hover over an existing bookmark and click the edit icon (pencil). When the user connects to the RDP servers using the bookmarks, the custom screen resolutions are applied regardless of the client PC's screen resolution.

Showing the SSL VPN portal login page in the browser's language

SSL VPN custom landing page

Go to User & Authentication > User Groups to create the ssl-webgroup user group with the custom_landing_user member. Once the SSL VPN web portal is configured, the connected user can access FGT_B through the FGT_A SSL VPN web portal.

SSL VPN authentication

SSL VPN with LDAP user authentication

Set the outgoing interface to the local network interface so that the remote user can access the internal network, in this example, port1. Go to Log & Report > System Events and select the VPN Events tab to view SSL VPN connection event log details. Go to Log & Report > Forward Traffic to view SSL VPN traffic details.

SSL VPN with LDAP user password renew

SSL VPN with certificate authentication

Using this method, the user is authenticated based on their regular username and password, but SSL VPN will still require an additional certificate check. This method can be configured by enabling Require Client Certificate (reqclientcert) in the SSL-VPN settings. The server certificate enables the clients to authenticate the server and to encrypt the SSL VPN traffic.

SSL VPN with LDAP-integrated certificate authentication

To view the details of the SSL VPN connection event log, go to Log & Report > VPN Events. In this example, you will see queries that look up the user's group memberships (three groups in total) and check whether the correct group results in a match. You can also run diagnose firewall auth list to validate that a firewall user entry exists for the SSL VPN user and is part of the correct groups.

SSL VPN for remote users with MFA and user case sensitivity

The username is retrieved from the LDAP server with the same case as it is on the server. In both cases, the remote user is matched against the external LDAP user object and prompted for multifactor authentication. In this case, the user is allowed to log in without a FortiToken because the username entered did not match the name defined on the external LDAP user object.

SSL VPN with FortiToken mobile push authentication

Log in to the tunnel with the username, using the same case as it has on the FortiGate. Log in to the tunnel with the username, using different capitalization than on the FortiGate. On the FortiGate, go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.

SSL VPN with RADIUS on FortiAuthenticator

Log in using the sslvpnuser1 credentials and make sure you are logged in to the SSL VPN tunnel. This is an example configuration of SSL VPN using FortiAuthenticator as a RADIUS authentication server with FortiToken Mobile push two-factor authentication. On the FortiAuthenticator, go to System > Administration > System Access and set a Public IP/FQDN for FortiToken Mobile.

SSL VPN with RADIUS password renew on FortiAuthenticator

Configure the internal interface and the protected subnet, then connect the port1 interface to the internal network.

SSL VPN with RADIUS on Windows NPS

Set the outgoing interface to the local network interface so that the remote user can access the internal network. Configure an SSL VPN firewall policy to allow the remote user to access the internal network.

SSL VPN with multiple RADIUS servers

Connect to the SSL VPN tunnel using FortiClient with user radkeith.

SSL VPN with local user password policy

If the password expires, the user cannot renew the password and must contact the administrator for assistance. In FortiOS 6.0/5.6, users are warned about the expiring password after one day and must renew it. In FortiOS 6.2, when the password expires, the user cannot renew the password and must contact the administrator.

Dynamic address support for SSL VPN policies

Go to Log & Report > System Events and select the VPN Events card to see the SSL VPN warning labeled ssl-login-failure. This attribute is used by the FortiGate to send interim update accounting messages to the RADIUS server. The collector agent can now accept accounting requests from the FortiGate and retrieve SSL VPN client IP addresses and usernames from the FortiGate through accounting request notifications.

SSL VPN multi-realm

To use an FQDN, leave the routing address blank and use the FQDN as the destination address in the firewall policy. Configure two SSL VPN firewall policies to allow external QA users to access the internal QA network and HR users to access the HR network. Alternatively, if a virtual host is specified, use the FQDN defined for the realm (hr.mydomain.com).

NAS-IP support per SSL-VPN realm

If the user's computer has antivirus software, the connection is established; otherwise, FortiClient displays a compliance warning. On the FortiGate, go to Log & Report > Forward Traffic and view the traffic details. Since the RADIUS server and NAS-IP are listed in realm1, its NAS-IP is used for authentication.

SSL VPN with Okta as SAML IdP

First, test SSL VPN web authentication using Firefox with the SAML tracer plugin enabled. If authentication fails, examine the SAML tracer to verify the SAML assertion attributes that were passed between the IdP and the FortiGate. You can also run the diagnose debug application samld -1 command to verify that the SAML IdP has sent the correct information.

SSL VPN with Azure AD SSO integration

SSL VPN to IPsec VPN

Sample topology

Sample configuration

Under Tunnel Mode Client Settings, select Define Custom IP Ranges and include the SSL VPN subnet range created by the IPsec wizard. Click Create New to create a policy that allows SSL VPN users to access the IPsec VPN tunnel. Go to Dashboard > Network and expand the Routing widget to verify that the IPsec and SSL VPN routes have been added.

Troubleshooting

SSL VPN protocols

For example, when a client tries to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client can access the website.

SMBv2 support

Connect to the SSL VPN web portal and create an SMB bookmark to the SMBv2 server.

DTLS support

This improves the success rate of establishing a DTLS tunnel in congested or jittery networks. Set the number of missing heartbeats before the connection is considered lost, in seconds (3-10, default = 3). To configure DTLS heartbeat parameters:

    config vpn ssl settings
        set dtls-heartbeat-idle-timeout 3
        set dtls-heartbeat-interval 3
        set dtls-heartbeat-fail-count 3
    end

Configuring OS and host check

Verifying remote user OS

Host check

Replacing the host check error message

MAC address check

Creating a custom host check list

In this example, the home FortiGate (FGT-A) is configured as an SSL VPN client and the business FortiGate (FGT-B) is configured as an SSL VPN server. On the SSL VPN server, use the CA that signed the certificate fgt_gui_automation and the CN of that certificate. Create the SSL VPN client to use the PKI user and the client certificate fgtb_gui_automation.

Verification

In the FortiGate SSL VPN Client (FGT-A), go to VPN > SSL-VPN Clients to view the list of tunnels.

Dual stack IPv4 and IPv6 support for SSL VPN

The client accesses the target website over IPv4 or IPv6 based on its preferred DNS setting.
