100001001010111011010110100010010001000010010101110110101101000100100010000100101011101101011010001001

001001010111011010110100010010001000010010101110110101101000100100010000100101011101101011010001001000
001010111011010110100010010001000010010101110110101101000100100010000100101011101101011010001001000100
010111011010110100010010001000010010101110110101101000100100010000100101011101101011010001001000100001
FortiGate SSL VPN How To
William Lee CISA
111011010110100010010001000010010101110110101101000100100010000100101011101101011010001001000100001001
011010110100010010001000010010101110110101101000100100010000100101011101101011010001001000100001001010
William Lee CISA
May 9, 2010
010110100010010001000010010101110110101101000100100010000100101011101101011010001001000100001001010111
110100000100010000100101011101101011010001100100010000100101011101101011010001001000100001001010111011
100010010001000010010101110110101101000100100010000100101011101101011010001001000100001001010111011010
010010001000010010101110110101101000100100010000100101011101101011010001001000100001001010111011010110
The article aims to show an easier way to setup SSL VPN with a FortiGate UTM appliance. The equipment
0100010000100101011101101011010001
used was a FortiGate 100A with FortiOS 4.0 MR2.

FortiGate SSL VPN How To

Prerequisites for the setup:

1.
2.
3.
4.

A working FortiGate box with FortiOS 4.0 MR2

Administrative credential to the box
A working internet connection with no restriction to inbound traffic on TCP port 443
Ability to generate a private key, certificate signing request (CSR) and obtaining a certificate from
a trusted CA

The author started with the box that had completed factory reset.
factoryreset from CLI.

This can be done by execute

SSLVPNDEMO # execute factoryreset

This operation will reset the system to factory default!
Do you want to continue? (y/n)

Please be reminded that if you do this, all the configurations on the box will be erased. Afterwards, have
the IP address of your administrative PC set to 192.168.1.100/24 and point to https://192.168.1.99 from
your favorite browser.

Figure 1 Pointing the browser to a FortiGate box

Because of the certificate is not trusted and the common name of the certificate does not match the URL,
so your favorite browser presents a warning. Use Add Exception in Firefox or Continue to this website
(not recommended) in Internet Explorer.

FortiGate SSL VPN How To

William Lee CISA

Next, you will see a login prompt. The look and feel of FortiOS 4.0 MR2 is completely different from the
previous versions.

Figure 2 Login Prompt for FortiGate Web-base Manager

Figure 3 Dashboard
Once you can get here, configure all basic settings like timezone, clock, interfaces IP, dynamic DNS, etc.

FortiGate SSL VPN How To

William Lee CISA

Configuration Steps
The configuration involves the following high level tasks, namely
1.
2.
3.
4.
5.
6.
7.
8.
9.

Setup user account(s)

Setup user group(s) that allow SSL VPN access and include intended users
Setup tunnel mode IP address range
Add the tunnel mode IP address range to static route
Load the private key and certificate to the box
Enable SSL VPN
Create Firewall Policy to allow SSL VPN and/or tunnel mode access
Specify web-base manager TCP port not to use 443
Specify SSL VPN portal TCP port to use 443

Lets start in a step-by-step manner.

FortiGate SSL VPN How To

William Lee CISA

1. Setup user account(s)

Web-base manager User > User > New User

Figure 4 Create User

Enter user name and password for the user. Create as many as users that you need.
CLI user name sslvpn01 and password Password (without quotes) for example:
config user local
edit "sslvpn01"
set type password
set passwd Password
next
end

FortiGate SSL VPN How To

William Lee CISA

2. Setup user group(s) that allow SSL VPN access and include intended users
Web-base manager User > User Group > User Group

Figure 5 Create User Group

Enter name of the group, select Firewall, check on Allow SSL-VPN Access and select full-access, select
the available users created in the previous step, check on the arrow sign and click OK.
CLI user group UserGroup_VPN_SSL (without quotes) for example:
config user group
edit "UserGroup_VPN_SSL"
set sslvpn-portal "full-access"
set member "sslvpn01"
next
end

FortiGate SSL VPN How To

William Lee CISA

3. Setup tunnel mode IP address range

You may leave this unchanged for a default of 10.0.0.1 10.0.0.10.

Figure 6 SSLVPN_TUNNEL_ADDR1 address range definition

FortiGate SSL VPN How To

William Lee CISA

4. Add the tunnel mode IP address range to static route

In order to make the tunnel mode IP address range routable to the FortiGate UTM appliance, you need to
add the IP range specified in the previous step to the static route table.
Web-base Manager Router > Static > Static Route > Create New

Figure 7 Define Static Route for Tunnel IP Range

Enter the IP Range defined in previous step as Destination IP/Mask and select ssl.root as Device and click
OK.
CLI 10.0.0.1/24 for example:
config router static
edit 2
set device "ssl.root"
set dst 10.0.0.0 255.255.255.0
next
end

FortiGate SSL VPN How To

William Lee CISA

5. Load the private key and certificate to the box

This step involves creating the private key, generating CSR and obtaining a certificate from a trusted CA.
The author suggested not to use FortiGate on box feature to generate the private key and CSR because
the certificate cannot be renewed (reimport the renewed certificate using the same key).
The author generated the private key and CSR on a linux box using OpenSSL, and obtained the certificate
from CACert.org. You can choose to trust any CA of your choice.
Web-base Manager System > Certificates > Local Certificates > Import

Figure 8 Import certificate and private key

Select the certificate file and key file and click OK.
CLI You need to setup tftp server to store the certificate for import. Not demonstrated here.

FortiGate SSL VPN How To

William Lee CISA

6. Enable SSL VPN

This step aims to enable the SSL VPN service on the box.
Web-base Manager VPN > SSL > Config

Figure 9 Enable SSL-VPN

Check on Enable SSL-VPN, select the tunnel IP address range by clicking Edit from IP Pools, select the
certificate loaded from previous step, expand Advanced and type in the IP address of the internal interface
as DNS Server #1 and click Apply.
CLI Internal interface IP address as 192.168.127.254 as an example
config vpn ssl settings
set sslvpn-enable enable
set dns-server1 192.168.127.254
set servercert "home"
set algorithm high
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

FortiGate SSL VPN How To

William Lee CISA

7. Create Firewall Policy to allow SSL VPN and/or tunnel mode access
A number of firewall policies are required to be implemented.

internal
ssl.root
ssl.root
ssl.root
wan1
wan1
wan1

>
>
>
>
>
>
>

wan1
internal
internal
wan1
internal
ssl.root
wan1

(accept)
(SSL-VPN)
(accept)
(accept)
(SSL-VPN)
(SSL-VPN)
(SSL-VPN)

aims
aims
aims
aims
aims
aims
aims

at
at
at
at
at
at
at

internal to wan1 access

SSL VPN access to internal resource
tunnel mode access to internal resource
tunnel mode access to wan1
SSL VPN access to internal resource
wan1 to access SSL VPN portal
SSL VPN access to internet (e.g. outside website)

Web-base Manager Firewall > Policy > Policy > Create New

Figure 10 Final firewall policy layout

CLI Configuring all the firewall policies stated above
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 2
set srcintf "wan1"

10

FortiGate SSL VPN How To

William Lee CISA

set dstintf "ssl.root"

set srcaddr "all"
set dstaddr "all"
set action ssl-vpn
set sslvpn-cipher high
config identity-based-policy
edit 1
set schedule "always"
set groups "UserGroup_VPN_SSL"
set service "ANY"
next
end
next
edit 3
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action ssl-vpn
set sslvpn-cipher high
config identity-based-policy
edit 1
set schedule "always"
set groups "UserGroup_VPN_SSL"
set service "ANY"
next
end
next
edit 4
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
edit 5
set srcintf "wan1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action ssl-vpn
set sslvpn-cipher high
config identity-based-policy
edit 1
set schedule "always"
set groups "UserGroup_VPN_SSL"
set service "ANY"
next
end
next
edit 6
set srcintf "wan1"
set dstintf "internal"

11

FortiGate SSL VPN How To

William Lee CISA

set srcaddr "all"

set dstaddr "all"
set action ssl-vpn
set sslvpn-cipher high
config identity-based-policy
edit 1
set schedule "always"
set groups "UserGroup_VPN_SSL"
set service "ANY"
next
end
next
edit 7
set srcintf "ssl.root"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end

12

FortiGate SSL VPN How To

William Lee CISA

8. Specify web-base manager TCP port not to use 443

The author aims to use TCP 8443 for web-base manager, this makes TCP 443 available for SSL VPN
portal.
Web-base Manager System > Admin > Settings > Web Administration Ports

Figure 11 Web-base manager administrators settings (modify HTTPS)

CLI Configure web-base manager to use TCP 8443
config system global
set admin-sport 8443
end

13

FortiGate SSL VPN How To

William Lee CISA

9. Specify SSL VPN portal TCP port to use 443

TCP 443 had been released from the previous steps. You can now use TCP 443 for SSL VPN portal.
Web-base Manager System > Admin > Settings > Web Administration Ports

Figure 12 Web-base manager administrators settings (modify SSLVPN Login Port)

CLI Configure SSL VPN portal to use TCP 443
config system global
set sslvpn-sport 443
end

14

FortiGate SSL VPN How To

William Lee CISA

About the author

William Lee, CISA, has been in the information security industry for more than 12 years. The author can
be reached at i.am@williamlee.org.

Document Revision and Change History

Version
GR1.0 This Version
[No Other Version]

Comments
First General Release (GR) of this document

William Lee

Created/Changed By
William Lee CISA

Digitally signed by William Lee

DN: o=VeriSign, Inc., ou=VeriSign Trust Network,
ou=www.verisign.com/repository/RPA Incorp. by
Ref.,LIAB.LTD(c)98, ou=Persona Not Validated, ou=Digital ID
Class 1 - Microsoft Full Service, cn=William Lee,
email=i.am@williamlee.org
Date: 2010.05.09 02:35:45 +08'00'

15