Configure Remote SSL VPN in FortiGate With CLI

The document provides steps to configure a remote SSL VPN in FortiGate using the CLI: 1. Create an "ssl.root" interface for the SSL VPN tunnel and an IP pool ("SSLVPN_IP_POOL") to assign addresses to remote users. 2. Create a local user ("sslvpn") and group ("SSLVPN_GROUP") for remote access. 3. Configure the SSL VPN portal and settings to use the IP pool, DNS servers, and full portal access profile. 4. Create firewall policies to allow traffic between the SSL VPN tunnel and LAN interfaces for the SSLVPN_GROUP.

Uploaded by

Ayna
Configure Remote SSL VPN in FortiGate with CLI
November 2, 2018 by YongKW

Steps to configure Remote SSL VPN in FortiGate with CLI

Create an ssl.root interface for the SSL VPN tunnel

config system interface
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "Remote SSL VPN interface"
end

Create an IP pool called SSLVPN_IP_POOL (10.212.134.200 – 10.212.134.210) to assign IP addresses to remote SSL VPN users

config firewall address
    edit "SSLVPN_IP_POOL"
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
end

Create a local user called sslvpn with a password defined

config user local
    edit "sslvpn"
        set type password
        set passwd P@ssw0rd
end

Create a group called SSLVPN_GROUP and assign sslvpn as a member (the group name must match the one referenced in the firewall policies below)

config user group
    edit "SSLVPN_GROUP"
        set member "sslvpn"
end

Enable tunnel mode and assign SSLVPN_IP_POOL in the full-access portal

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_IP_POOL"
end

Configure the SSL VPN settings as follows:

- SSL certificate to be used – the default is the FortiGate self-signed certificate
- IP addresses to be assigned to remote SSL VPN clients
- SSL VPN port number – the default is 443; we changed it to 12443
- Source interface – the external (WAN) interface
- Change the default portal to full-access
- DNS servers – point to the internal AD/DNS servers for name resolution

config vpn ssl settings
    set servercert "AventisLab.com"
    set tunnel-ip-pools "SSLVPN_IP_POOL"
    set port 12443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set dns-server1 192.168.1.200
    set dns-server2 192.168.1.201
    set dtls-tunnel enable
end

SSL VPN Settings in Web UI


Create the following firewall policies to allow traffic from SSLVPN to LAN and vice versa:

- SSLVPN-LAN – allow traffic from the SSLVPN tunnel to LAN for SSLVPN_GROUP only
- LAN-SSLVPN – allow traffic from LAN to the SSLVPN tunnel for SSLVPN_GROUP only

config firewall policy
    edit 100
        set name "SSLVPN-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN_GROUP"
    next
    edit 101
        set name "LAN-SSLVPN"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSLVPN_GROUP"
end
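Because every object above is referenced by name, a mismatch such as creating the group as "SSLVPN" while the policies use "SSLVPN_GROUP" silently breaks the intended restriction. The following is an added example (not part of the original post) of an offline check over a FortiOS CLI script: it parses the flat config/edit/set/next/end blocks and flags references to undefined groups or addresses and tunnel policies that permit service ALL. The sample text is constructed from this page's CLI; the "192.168.1.0" address object is flagged because the page never defines it.

```python
import shlex
# Constructed from the page's CLI, keeping its mismatch: group "SSLVPN" vs policy "SSLVPN_GROUP".
SAMPLE = """
config user group
    edit "SSLVPN"
    next
end
config firewall policy
    edit 100
        set srcintf "ssl.root"
        set dstaddr "192.168.1.0"
        set service "ALL"
        set groups "SSLVPN_GROUP"
    next
end
"""

def parse_fortios(text):
    """Flat FortiOS blocks -> {section: {entry: {key: [values]}}}; entry '' = no edit."""
    tree, section, entry = {}, None, ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":                       # e.g. "firewall policy"
            section, entry = " ".join(tok[1:]), ""
            tree.setdefault(section, {})
        elif tok[0] == "edit":                       # table entry: object name or policy id
            tree[section].setdefault((entry := tok[1]), {})
        elif tok[0] == "set":                        # shlex strips the quotes from values
            tree[section].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = ""
        elif tok[0] == "end":
            section = None
    return tree

def audit(tree):
    """Flag policy references to undefined groups/addresses and service ALL on the tunnel."""
    findings = []
    groups = set(tree.get("user group", {})) - {""}
    addresses = set(tree.get("firewall address", {})) - {""}
    for pid, pol in tree.get("firewall policy", {}).items():
        for g in pol.get("groups", []):
            if g not in groups:
                findings.append(f"policy {pid}: group {g!r} is not defined")
        for a in pol.get("srcaddr", []) + pol.get("dstaddr", []):
            if a != "all" and a not in addresses:
                findings.append(f"policy {pid}: address {a!r} is not defined")
        if "ssl.root" in pol.get("srcintf", []) and "ALL" in pol.get("service", []):
            findings.append(f"policy {pid}: tunnel policy permits service ALL")
    return findings
```

Run `audit(parse_fortios(open("script.txt").read()))` against a CLI script before pushing it; an empty list means every referenced object exists and no tunnel policy is wide open.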

Configure FortiClient with the FQDN / IP address of the WAN interface, custom port 12443 and username sslvpn

Login to SSL VPN successfully


Some useful commands to troubleshoot Remote SSL VPN

Show active SSL VPN users with execute vpn sslvpn list:

FG60E # execute vpn sslvpn list
SSL VPN Login Users:
 Index   User     Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpn   1(1)        296       14.1.227.206   0/0           0/0

SSL VPN sessions:
 Index   User     Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpn   14.1.227.206    670        24470/35484   10.28.28.10

To disconnect an SSL VPN user, replace <index> with the index shown in the list above:

execute vpn sslvpn del-tunnel <index>

To disconnect all SSL VPN users:

execute vpn sslvpn del-all
