Fortinet white logo
Fortinet white logo

Administration Guide

SSL VPN tunnel mode host check

SSL VPN tunnel mode host check

This is a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Note

The split tunneling routing address cannot explicitly use an FQDN or an address group that includes an FQDN. To use an FQDN, leave the routing address blank and apply the FQDN as the destination address of the firewall policy.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.
  2. Configure user and user group.
    1. Go to User & Authentication > User Definition to create a local user sslvpnuser1.
    2. Go to User & Authentication > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
    2. Enable Tunnel Mode and Enable Split Tunneling.
    3. Select Routing Address.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. For Listen on Interface(s), select wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate.
    5. Caution

      It is HIGHLY recommended that you acquire a signed certificate for you installation. Please review the SSL VPN best practices and learn how to Purchase and import a signed SSL certificate.

    6. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-access.
    7. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > Firewall Policy.
    2. Fill in the firewall policy name. In this example, sslvpn tunnel access with av check.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Choose an Outgoing Interface. In this example, port1.
    5. Set the Source to all and group to sslvpngroup.
    6. In this example, the Destination is all.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Click OK.
  6. Use CLI to configure SSL VPN web portal to enable the host to check for compliant antivirus software on the user’s computer.
    config vpn ssl web portal
        edit my-split-tunnel-access
            set host-check av
        next
    end
To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address.
    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network.
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Configure user and user group.
    config user local
        edit "sslvpnuser1" 
            set type password
            set passwd your-password
        next 
    end
    config user group
        edit "sslvpngroup" 
            set member "vpnuser1"
        next 
    end
  4. Configure SSL VPN web portal.
    config vpn ssl web portal
        edit "my-split-tunnel-portal"
            set tunnel-mode enable
            set split-tunneling  enable
            set split-tunneling-routing-address "192.168.1.0"
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end
  5. Configure SSL VPN settings.
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "sslvpngroup"
                set portal "my-split-tunnel-portal" 
            next        
        end
    end
  6. Configure one SSL VPN firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.
    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “sslvpngroup”
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
  7. Configure SSL VPN web portal to enable the host to check for compliant antivirus software on the user’s computer:
    config vpn ssl web portal
        edit my-split-tunnel-access
            set host-check av
        next
    end
To see the results:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection:
    • Set VPN Type to SSL VPN.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Use the credentials you've set up to connect to the SSL VPN tunnel.

    If the user's computer has antivirus software, a connection is established; otherwise FortiClient shows a compliance warning.

  7. After connection, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through local gateway.
  8. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  9. On the FortiGate, go to Log & Report > Forward Traffic and view the details for the SSL entry.

SSL VPN tunnel mode host check

SSL VPN tunnel mode host check

This is a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Note

The split tunneling routing address cannot explicitly use an FQDN or an address group that includes an FQDN. To use an FQDN, leave the routing address blank and apply the FQDN as the destination address of the firewall policy.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Address and create an address for internet subnet 192.168.1.0.
  2. Configure user and user group.
    1. Go to User & Authentication > User Definition to create a local user sslvpnuser1.
    2. Go to User & Authentication > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
    2. Enable Tunnel Mode and Enable Split Tunneling.
    3. Select Routing Address.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. For Listen on Interface(s), select wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate.
    5. Caution

      It is HIGHLY recommended that you acquire a signed certificate for you installation. Please review the SSL VPN best practices and learn how to Purchase and import a signed SSL certificate.

    6. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-access.
    7. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > Firewall Policy.
    2. Fill in the firewall policy name. In this example, sslvpn tunnel access with av check.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Choose an Outgoing Interface. In this example, port1.
    5. Set the Source to all and group to sslvpngroup.
    6. In this example, the Destination is all.
    7. Set Schedule to always, Service to ALL, and Action to Accept.
    8. Click OK.
  6. Use CLI to configure SSL VPN web portal to enable the host to check for compliant antivirus software on the user’s computer.
    config vpn ssl web portal
        edit my-split-tunnel-access
            set host-check av
        next
    end
To configure SSL VPN using the CLI:
  1. Configure the interface and firewall address.
    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network.
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
        next
    end
    config firewall address
        edit "192.168.1.0"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
  3. Configure user and user group.
    config user local
        edit "sslvpnuser1" 
            set type password
            set passwd your-password
        next 
    end
    config user group
        edit "sslvpngroup" 
            set member "vpnuser1"
        next 
    end
  4. Configure SSL VPN web portal.
    config vpn ssl web portal
        edit "my-split-tunnel-portal"
            set tunnel-mode enable
            set split-tunneling  enable
            set split-tunneling-routing-address "192.168.1.0"
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end
  5. Configure SSL VPN settings.
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "sslvpngroup"
                set portal "my-split-tunnel-portal" 
            next        
        end
    end
  6. Configure one SSL VPN firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.
    config firewall policy 
        edit 1
            set name "sslvpn web mode access"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "192.168.1.0"
            set groups “sslvpngroup”
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
  7. Configure SSL VPN web portal to enable the host to check for compliant antivirus software on the user’s computer:
    config vpn ssl web portal
        edit my-split-tunnel-access
            set host-check av
        next
    end
To see the results:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection:
    • Set VPN Type to SSL VPN.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Use the credentials you've set up to connect to the SSL VPN tunnel.

    If the user's computer has antivirus software, a connection is established; otherwise FortiClient shows a compliance warning.

  7. After connection, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through local gateway.
  8. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  9. On the FortiGate, go to Log & Report > Forward Traffic and view the details for the SSL entry.