Difference between revisions of "Fortinet firewall SSL VPN configuration"
From Notes_Wiki
| Line 5: | Line 5: | ||
== Create SSL VPN Group == | == Create SSL VPN Group == | ||
<pre> | <pre> | ||
User & Authentication > User Groups > Click on Create new | 1.1.1 User & Authentication > User Groups > Click on Create new | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Give the Group name and select Type as Firewall then click on OK | 1.1.2 Give the Group name and select Type as Firewall then click on OK | ||
</pre> | </pre> | ||
== Enable Feature Visibility == | == Enable Feature Visibility == | ||
<pre> | <pre> | ||
Systems > Feature Visibility > enable SSL VPN > Click on Apply | 1.2.1 Systems > Feature Visibility > enable SSL VPN > Click on Apply | ||
</pre> | </pre> | ||
== Create SSL VPN Portal == | == Create SSL VPN Portal == | ||
<pre> | <pre> | ||
VPN > SSL-VPN Portals > Select full-access > Click on Edit | 1.3.1 VPN > SSL-VPN Portals > Select full-access > Click on Edit | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
You can retain the Source IP Pools as it is or else you can delete the existing object and create the new object with the IP range that you want. Once the new object is created, we need to select the new object for the new source IP Pools. | 1.3.2 You can retain the Source IP Pools as it is or else you can delete the existing object and create the new object with the IP range that you want. Once the new object is created, we need to select the new object for the new source IP Pools. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
based on your requirement, you can enable or disable the options for Tunnel Mode Client Options then click on OK | 1.3.3 based on your requirement, you can enable or disable the options for Tunnel Mode Client Options then click on OK | ||
</pre> | </pre> | ||
== SSL VPN Settings == | == SSL VPN Settings == | ||
<pre> | <pre> | ||
Go to VPN > SSL-VPN Settings > Enable | 1.4.1 Go to VPN > SSL-VPN Settings > Enable | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Select the appropriate WAN interface for the Listen on Interfaces. And mention the customized port number for the Listen on Port. And select the Fortinet_Factory from the drop_down_menu for the Server Certificate. | 1.4.2 Select the appropriate WAN interface for the Listen on Interfaces. And mention the customized port number for the Listen on Port. And select the Fortinet_Factory from the drop_down_menu for the Server Certificate. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Under Authentication/Portal Mapping, Select All Other Users/Groups then Click on the Edit Option. | 1.4.3 Under Authentication/Portal Mapping, Select All Other Users/Groups then Click on the Edit Option. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Select the SSL-VPN portal name that you would have created then click on OK. | 1.4.4 Select the SSL-VPN portal name that you would have created then click on OK. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Go to VPN → SSL VPN Settings → Under Authentication/Portal Mapping → Click on Create New | 1.4.5 Go to VPN → SSL VPN Settings → Under Authentication/Portal Mapping → Click on Create New | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on Create New, New Windows will open, Here we need to Select the SSL-VPN Group that we would have created earlier and Select the VPN Portal also that was created previously then Click on OK. then click on Apply | 1.4.6 Once you click on Create New, New Windows will open, Here we need to Select the SSL-VPN Group that we would have created earlier and Select the VPN Portal also that was created previously then Click on OK. then click on Apply | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
If you want, you can assign custom IP ranges for Tunnel Mode Client Settings or else you can ignore this step. | 1.4.7 If you want, you can assign custom IP ranges for Tunnel Mode Client Settings or else you can ignore this step. | ||
</pre> | </pre> | ||
== Create Firewall Rule == | == Create Firewall Rule == | ||
<pre> | <pre> | ||
Policy & Objects > Firewall Policy > click on Create New | 1.5.1 Policy & Objects > Firewall Policy > click on Create New | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Give appropriate Firewall Rule Name, select Schedule as always from the drop down menu. Select Accept for Action. And for incoming interface select SSL-VPN tunnel interface (ss.root) from the drop down menu. And select LAN (internal) for Outgoing interface | 1.5.2 Give appropriate Firewall Rule Name, select Schedule as always from the drop down menu. Select Accept for Action. And for incoming interface select SSL-VPN tunnel interface (ss.root) from the drop down menu. And select LAN (internal) for Outgoing interface | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Under Source and Destination, For the source subnet, select SSL-VPN group that you would have created earlier. Create Object for LAN network and select it for the Destination. And select ALL for the Service | 1.5.3 Under Source and Destination, For the source subnet, select SSL-VPN group that you would have created earlier. Create Object for LAN network and select it for the Destination. And select ALL for the Service | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Disable the NAT and click on OK. | 1.5.4 Disable the NAT and click on OK. | ||
</pre> | </pre> | ||
== Create SSL VPN User == | == Create SSL VPN User == | ||
<pre> | <pre> | ||
User & Authentication > User Definition > click on Create new | 1.6.1 User & Authentication > User Definition > click on Create new | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
select User Type as Local User, and then click on Next. | 1.6.2 select User Type as Local User, and then click on Next. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on Next in the previous step, Mention Username and assign appropriate password and then click on Next. | 1.6.3 Once you click on Next in the previous step, Mention Username and assign appropriate password and then click on Next. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Select Enable for User Account Status, enable the User Group and select the User Group that you would have created. And then click on submit. | 1.6.4 Select Enable for User Account Status, enable the User Group and select the User Group that you would have created. And then click on submit. | ||
</pre> | </pre> | ||
== Download FortiClient and Configuration == | == Download FortiClient and Configuration == | ||
<pre> | <pre> | ||
Download FortiClient VPN App from the below Link. | 1.7.1 Download FortiClient VPN App from the below Link. | ||
Link: https://www.fortinet.com/support/product-downloads#vpn | Link: https://www.fortinet.com/support/product-downloads#vpn | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
For windows OS, select DOWNLOAD VPN for Windows | 1.7.2 For windows OS, select DOWNLOAD VPN for Windows | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once the installer is downloaded, Installation is very straight forward, just follow onscreen instruction and Install the FortiClient application | 1.7.3 Once the installer is downloaded, Installation is very straight forward, just follow onscreen instruction and Install the FortiClient application | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once the installation is completed, double-click on the FortiClient icon. It will take you to the following window. Here put the check mark for acknowledgement then click on I accept | 1.7.4 Once the installation is completed, double-click on the FortiClient icon. It will take you to the following window. Here put the check mark for acknowledgement then click on I accept | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on I accept in the previous step, it will take you to the next windows as following. Here we have to click on Configure VPN. | 1.7.5 Once you click on I accept in the previous step, it will take you to the next windows as following. Here we have to click on Configure VPN. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on Configure VPN in the previous step, select SSL-VPN for VPN, we can mention company name for the connection name, For Remote Gateway we need to mention static public IP that we would have configured on the firewall on the WAN port, mention the customize port that you would have configured. For Authentication select Save login, mention the Username then click on save. | 1.7.6 Once you click on Configure VPN in the previous step, select SSL-VPN for VPN, we can mention company name for the connection name, For Remote Gateway we need to mention static public IP that we would have configured on the firewall on the WAN port, mention the customize port that you would have configured. For Authentication select Save login, mention the Username then click on save. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on Save in the previous step, it will take you to the next window. Here you need to enter the password and click on connect. | 1.7.7 Once you click on Save in the previous step, it will take you to the next window. Here you need to enter the password and click on connect. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on connect in the previous step, server certificate related warning message will pop up. Here click on Yes. | 1.7.8 Once you click on connect in the previous step, server certificate related warning message will pop up. Here click on Yes. | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
Once you click on Yes in the previous step, you will get acknowledgement telling VPN Connected. | 1.7.9 Once you click on Yes in the previous step, you will get acknowledgement telling VPN Connected. | ||
</pre> | </pre> | ||
Revision as of 15:57, 13 May 2025
Home > Enterprise security devices or applications > Fortigate firewall > Fortinet firewall SSL VPN configuration
Steps to be followed to configure the SSL VPN on FortiGate Fortinet Firewall
Create SSL VPN Group
1.1.1 User & Authentication > User Groups > Click on Create new
1.1.2 Give the Group name and select Type as Firewall then click on OK
Enable Feature Visibility
1.2.1 Systems > Feature Visibility > enable SSL VPN > Click on Apply
Create SSL VPN Portal
1.3.1 VPN > SSL-VPN Portals > Select full-access > Click on Edit
1.3.2 You can retain the Source IP Pools as it is or else you can delete the existing object and create the new object with the IP range that you want. Once the new object is created, we need to select the new object for the new source IP Pools.
1.3.3 based on your requirement, you can enable or disable the options for Tunnel Mode Client Options then click on OK
SSL VPN Settings
1.4.1 Go to VPN > SSL-VPN Settings > Enable
1.4.2 Select the appropriate WAN interface for the Listen on Interfaces. And mention the customized port number for the Listen on Port. And select the Fortinet_Factory from the drop_down_menu for the Server Certificate.
1.4.3 Under Authentication/Portal Mapping, Select All Other Users/Groups then Click on the Edit Option.
1.4.4 Select the SSL-VPN portal name that you would have created then click on OK.
1.4.5 Go to VPN → SSL VPN Settings → Under Authentication/Portal Mapping → Click on Create New
1.4.6 Once you click on Create New, New Windows will open, Here we need to Select the SSL-VPN Group that we would have created earlier and Select the VPN Portal also that was created previously then Click on OK. then click on Apply
1.4.7 If you want, you can assign custom IP ranges for Tunnel Mode Client Settings or else you can ignore this step.
Create Firewall Rule
1.5.1 Policy & Objects > Firewall Policy > click on Create New
1.5.2 Give appropriate Firewall Rule Name, select Schedule as always from the drop down menu. Select Accept for Action. And for incoming interface select SSL-VPN tunnel interface (ss.root) from the drop down menu. And select LAN (internal) for Outgoing interface
1.5.3 Under Source and Destination, For the source subnet, select SSL-VPN group that you would have created earlier. Create Object for LAN network and select it for the Destination. And select ALL for the Service
1.5.4 Disable the NAT and click on OK.
Create SSL VPN User
1.6.1 User & Authentication > User Definition > click on Create new
1.6.2 select User Type as Local User, and then click on Next.
1.6.3 Once you click on Next in the previous step, Mention Username and assign appropriate password and then click on Next.
1.6.4 Select Enable for User Account Status, enable the User Group and select the User Group that you would have created. And then click on submit.
Download FortiClient and Configuration
1.7.1 Download FortiClient VPN App from the below Link. Link: https://www.fortinet.com/support/product-downloads#vpn
1.7.2 For windows OS, select DOWNLOAD VPN for Windows
1.7.3 Once the installer is downloaded, Installation is very straight forward, just follow onscreen instruction and Install the FortiClient application
1.7.4 Once the installation is completed, double-click on the FortiClient icon. It will take you to the following window. Here put the check mark for acknowledgement then click on I accept
1.7.5 Once you click on I accept in the previous step, it will take you to the next windows as following. Here we have to click on Configure VPN.
1.7.6 Once you click on Configure VPN in the previous step, select SSL-VPN for VPN, we can mention company name for the connection name, For Remote Gateway we need to mention static public IP that we would have configured on the firewall on the WAN port, mention the customize port that you would have configured. For Authentication select Save login, mention the Username then click on save.
1.7.7 Once you click on Save in the previous step, it will take you to the next window. Here you need to enter the password and click on connect.
1.7.8 Once you click on connect in the previous step, server certificate related warning message will pop up. Here click on Yes.
1.7.9 Once you click on Yes in the previous step, you will get acknowledgement telling VPN Connected.
Home > Enterprise security devices or applications > Fortigate firewall > Fortinet firewall SSL VPN configuration
