SSL VPN Tunnel Mode Web Mode

Uploaded by

messi.amr789

FortiGate SSL VPN: A Beginner's Guide

Introduction
Welcome to this comprehensive guide designed to introduce you to the fundamental
concepts of Virtual Private Networks (VPNs), with a specific focus on FortiGate SSL VPNs,
including their tunnel and web modes. This guide is tailored for individuals with no prior
knowledge of VPNs, aiming to provide a clear and concise understanding of these essential
networking technologies. In today's interconnected world, understanding how to secure
your online communications is paramount, whether for personal privacy or corporate
network access. VPNs offer a robust solution by creating secure, encrypted connections over
public networks like the internet.
This document will cover:
• What a VPN is and why it's important.
• The specifics of FortiGate SSL VPNs.
• A detailed explanation of SSL VPN Tunnel Mode.
• A detailed explanation of SSL VPN Web Mode.
Let's begin our journey into the world of secure networking.

What is a VPN?
A Virtual Private Network (VPN) is a technology that establishes a secure, encrypted
connection over a less secure network, such as the internet. The primary purpose of a VPN
is to provide a secure and private channel for data transmission between a user's device and
a remote server. This is achieved by creating a 'tunnel' through which all internet traffic is
routed, effectively masking the user's IP address and encrypting their data. This process
ensures that online activities remain private, protected, and secure from potential
eavesdropping or surveillance [1].
The term 'VPN' itself offers insight into its core functionalities:
• Virtual: The connection is not established through physical cables dedicated solely to
the VPN. Instead, it leverages existing public network infrastructure to create a logical,
secure link.
• Private: The data transmitted through the VPN tunnel is encrypted, making it
unreadable to anyone who intercepts it without the proper decryption key. This ensures
that browsing activity and sensitive information remain confidential.
• Network: A VPN involves multiple devices—typically your computer or mobile device
and a VPN server—working in conjunction to maintain this secure and established
connection.
In essence, a VPN acts as a shield, protecting your online identity and data from various
threats present on public networks. It's an indispensable tool for enhancing privacy,
bypassing geo-restrictions, and securing communications, especially when connected to
untrusted Wi-Fi networks.

FortiGate SSL VPN


FortiGate SSL VPN is a feature provided by Fortinet firewalls that allows remote users to
securely access an organization's internal network resources over the internet. Unlike
traditional IPsec VPNs that often require dedicated client software and complex
configurations, SSL VPNs leverage the widely available Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) protocols, which are inherent to web browsers. This makes
them highly accessible and user-friendly, as users can often connect using just a web
browser.
An SSL VPN creates an encrypted tunnel between the user's device and the FortiGate
firewall. All traffic passing through this tunnel is encrypted, ensuring data confidentiality
and integrity. The FortiGate device acts as the VPN gateway, authenticating users and
controlling their access to internal network resources based on predefined policies.
FortiGate SSL VPNs offer flexibility in how users can connect and what resources they can
access. This flexibility is primarily manifested through two distinct modes of operation: SSL
Portal VPN (also known as Web Mode) and SSL Tunnel VPN (also known as Tunnel Mode).
These modes cater to different user needs and access requirements, providing a versatile
solution for secure remote access.

SSL VPN Web Mode


SSL VPN Web Mode, often referred to as SSL Portal VPN, provides clientless network access
through a standard web browser. This mode is particularly useful when users need to access
specific web-based applications or internal network services without installing any
dedicated VPN client software on their device. The FortiGate firewall presents a
customizable web portal to the user, through which they can access permitted resources.
Key characteristics and use cases for SSL VPN Web Mode include:
• Clientless Access: Users only need a web browser to connect, making it highly
convenient for temporary access or for users on devices where software installation is
restricted.
• Granular Control: Administrators have tight control over the resources accessible
through the web portal. They can define specific bookmarks and links to internal web
servers, file shares (SMB/CIFS), remote desktop services (RDP), and other network
services.
• Limited Scope: While convenient, Web Mode typically limits access to applications and
services that can be presented within a web browser. It does not provide full network
layer connectivity to the remote user's device. This means that applications requiring
direct IP connectivity (e.g., ping, certain client-server applications) may not function in
this mode.
• Security: All communication between the user's browser and the FortiGate SSL VPN
portal is encrypted using SSL/TLS, ensuring the confidentiality and integrity of the data.
Upon successful authentication, the user is presented with a personalized web page
containing links to the resources they are authorized to access. This mode is ideal for
scenarios where remote users primarily need access to internal websites, intranets, or
specific applications that are accessible via a web interface.

SSL VPN Tunnel Mode
SSL VPN Tunnel Mode provides full network layer connectivity to the remote user's device,
making it behave as if it were directly connected to the corporate network. This mode
requires the installation of a dedicated VPN client application, such as FortiClient, on the
user's device. Once the client is installed and a connection is established, all network traffic
from the user's device is routed through the encrypted SSL tunnel to the FortiGate firewall.
Key characteristics and advantages of SSL VPN Tunnel Mode include:
• Full Network Access: Unlike Web Mode, Tunnel Mode allows access to virtually any
network service or application, regardless of whether it is web-based. This includes file
shares, internal applications, network printers, and other resources that require direct
IP connectivity.
• Client Software Required: A dedicated VPN client (e.g., FortiClient) must be installed
on the user's device. This client handles the encryption and decryption of traffic and the
establishment of the tunnel.
• Transparent Operation: Once connected, the user's experience is largely transparent;
they can access internal resources as if they were physically present on the corporate
network.
• Split Tunneling vs. Full Tunneling:
  • Full Tunneling: All internet traffic from the user's device, including traffic destined
  for the public internet, is routed through the VPN tunnel to the corporate network
  and then out to the internet. This provides maximum security and allows the
  corporate network's security policies to be applied to all user traffic.
  • Split Tunneling: Only traffic destined for the corporate network is routed through
  the VPN tunnel. Traffic destined for the public internet is sent directly from the user's
  device. This can improve performance for internet-bound traffic but may bypass
  corporate security controls for non-VPN traffic.
• Enhanced Security: When all traffic is routed through the FortiGate (full tunneling),
the corporate firewall and security policies can inspect and protect all communications,
providing a higher level of security compared to Web Mode for general network access.
SSL VPN Tunnel Mode is the preferred choice for users who require comprehensive access to
internal network resources and for organizations that need to enforce consistent security
policies across all remote user traffic.
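The mode and split-tunneling choices described above can be reviewed in an exported configuration. The following is an added example, not part of the original guide or Fortinet's own code: it assumes the portal table appears as `config vpn ssl web portal` with the `web-mode`, `tunnel-mode` and `split-tunneling` settings in FortiOS CLI form, and the portal names in the sample are constructed.

```python
# Constructed sample in FortiOS CLI style; the portal names are made up.
SAMPLE_CONFIG = """config vpn ssl web portal
    edit "web-only"
        set web-mode enable
    next
    edit "staff-split"
        set tunnel-mode enable
        set split-tunneling enable
    next
    edit "admin-full"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling disable
    next
end
"""
NOTES = {
    "disable": "full tunnel: all client traffic passes through the FortiGate",
    "enable": "split tunnel: internet-bound traffic bypasses the FortiGate",
    None: "split-tunneling not shown: confirm the effective value on the device",
}
def parse_portals(text):
    """Return {portal: {setting: value}} from the SSL VPN portal table only."""
    portals, current, in_block, depth = {}, None, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config vpn ssl web portal"
        elif line.startswith("config "):
            depth += 1  # nested table inside a portal (e.g. bookmarks): skipped
        elif line == "end":
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            current = portals.setdefault(line[5:].strip('"'), {})
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return portals

def audit(text):
    """Map each portal to (enabled modes, note on what the tunnel carries)."""
    report = {}
    for name, s in parse_portals(text).items():
        modes = [m for m in ("web", "tunnel") if s.get(f"{m}-mode") == "enable"]
        split = NOTES.get(s.get("split-tunneling"), NOTES[None])
        report[name] = (modes, split if "tunnel" in modes else "no network-layer tunnel")
    return report
```

Calling `audit(SAMPLE_CONFIG)` returns one entry per portal; a setting that is absent from the text is reported as unknown rather than assumed.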
