9.4.0

SSL VPN

Important: When SSL VPN Settings are applied, all existing SSL VPN connections are disconnected, regardless of portal. Applying SSL VPN Settings should be done during a Maintenance Window.

Note

Configure both DNS addresses via CLI. DNS addresses do not appear in the UI until after they've been configured once in CLI.

Configure the VPN portals and settings:

  • Address Object(s) configured with the VPN scope(s) just created

  • Production DNS server IP address for DNS Server #1

  • FortiNAC's VPN interface address for DNS Server #2

  • Domain Name for agent communication (required if agents are delivered through Captive Portal):

    • Must match the domain to be configured in the VPN scope of FortiNAC. FortiNAC only answers SRV queries from connecting agents sourced from this domain. See DNS File Entry Descriptions in the Appendix for details.

    • If FortiNAC is managing multiple VPN scopes where agents are delivered through the portal, they must all use the same domain.

    • Avoid using .local suffix. macOS and some Linux systems may have communication issues.

VPN Portals

UI

  1. Navigate to VPN > SSL-VPN Portals

  2. Configure using VPN IP address objects just configured

  3. Click OK to save


CLI Example

config vpn ssl web portal
    edit "FNAC_SSL_Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "FNAC_SSL_VPN_ADDR"        >> Address Object
        set split-tunneling disable
        set dns-server1 10.200.20.50            >> Production DNS
        set dns-server2 10.200.5.22             >> FortiNAC ETH1_VPN Interface IP
        set dns-suffix "Internal-Lab.info"      >> Set Domain Name as DNS-Suffix
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

VPN Settings

Important:

  • Applying SSL VPN Settings disconnects all existing SSL VPN connections on the FortiGate. If there are VPN tunnels in production, this should be done during a Maintenance Window.

  • VPN settings should be configured via CLI in order to apply them to the specific portal (the UI applies them to all SSL portals).

  • Set the Domain Name for agent communication as the dns-suffix. It must match the domain configured in the FortiNAC VPN scope.

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "FNAC_SSL_VPN_ADDR"
    set dns-suffix "Internal-Lab.info"          >> Set Domain Name as DNS-Suffix
    set dns-server1 10.200.20.50                >> Production DNS
    set dns-server2 10.200.5.22                 >> FortiNAC ETH1_VPN Interface IP
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set groups "SSL-Users"
            set portal "full-access"
        next
        edit 3
            set portal "FNAC_SSL_Portal"        >> Apply to "FNAC_SSL_Portal" only
        next
    end
end
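The two CLI blocks above carry every FortiNAC-specific requirement on this page. The Python script below is an added example, not Fortinet documentation or FortiNAC code: it parses a FortiOS config dump of that shape (config / edit / set / next / end, with this page's ">>" annotations treated as comments) and checks it against the stated requirements: both DNS servers set, a dns-suffix present and not ending in .local, the same suffix in the settings and in the portal, dns-server2 pointing at the FortiNAC VPN interface, and an authentication-rule bound to the FortiNAC portal. It also flags an ssl-min-proto-ver below tls1-2, since TLS 1.0 and 1.1 are deprecated by RFC 8996. The ordering of the version keywords is an assumption, and the sample dump is constructed from the CLI shown above.

```python
"""Audit a FortiGate SSL VPN config dump against the FortiNAC requirements on this page."""
import shlex

# Constructed sample: the page's two CLI blocks joined into one dump.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "FNAC_SSL_Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "FNAC_SSL_VPN_ADDR"        >> Address Object
        set split-tunneling disable
        set dns-server1 10.200.20.50            >> Production DNS
        set dns-server2 10.200.5.22             >> FortiNAC ETH1_VPN Interface IP
        set dns-suffix "Internal-Lab.info"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "FNAC_SSL_VPN_ADDR"
    set dns-suffix "Internal-Lab.info"
    set dns-server1 10.200.20.50
    set dns-server2 10.200.5.22
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set groups "SSL-Users"
            set portal "full-access"
        next
        edit 3
            set portal "FNAC_SSL_Portal"        >> Apply to "FNAC_SSL_Portal" only
        next
    end
end
"""

# Assumed weakest-to-strongest order of the ssl-min-proto-ver keywords.
TLS_VERSIONS = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: 'config'/'edit' open a child dict,
    'set' stores a string value, 'next'/'end' close the current block."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split(">>", 1)[0].strip()   # drop this page's ">>" annotations
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)              # handles quoted names like "FNAC_SSL_Portal"
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = " ".join(parts[2:])
        elif kw == "unset":
            stack[-1].pop(parts[1], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {kw!r}: {line}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit(cfg, portal_name, fortinac_vpn_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portal = cfg.get("vpn ssl web portal", {}).get(portal_name)
    if portal is None:
        return [f"portal {portal_name!r} is not defined under 'config vpn ssl web portal'"]
    for label, scope in (("vpn ssl settings", settings), (f"portal {portal_name}", portal)):
        for key in ("dns-server1", "dns-server2"):
            if key not in scope:                # both must be set, and only the CLI exposes them
                findings.append(f"{label}: {key} is missing (set it via CLI)")
        suffix = scope.get("dns-suffix", "")
        if not suffix:
            findings.append(f"{label}: dns-suffix is missing; agents need it for SRV lookups")
        elif suffix.lower().endswith(".local"):
            findings.append(f"{label}: dns-suffix {suffix!r} uses .local (macOS/Linux issues)")
    if settings.get("dns-server2") != fortinac_vpn_ip:
        findings.append(f"vpn ssl settings: dns-server2 should be the FortiNAC VPN interface {fortinac_vpn_ip}")
    if settings.get("dns-suffix") != portal.get("dns-suffix"):
        findings.append("dns-suffix differs between vpn ssl settings and the portal")
    rules = settings.get("authentication-rule", {})
    if not any(isinstance(r, dict) and r.get("portal") == portal_name for r in rules.values()):
        findings.append(f"no authentication-rule binds portal {portal_name!r}")
    ver = settings.get("ssl-min-proto-ver", "")
    if ver in TLS_VERSIONS and TLS_VERSIONS.index(ver) < TLS_VERSIONS.index("tls1-2"):
        findings.append(f"vpn ssl settings: ssl-min-proto-ver {ver} permits deprecated TLS; tls1-2 or higher is recommended")
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG), "FNAC_SSL_Portal", "10.200.5.22"):
        print("FINDING:", f)
```

Run against the page's own configuration the only finding is the TLS 1.1 floor; dropping dns-server2 or switching the suffix to a .local name produces one finding per scope, which is the shape of mistake the Note at the top of this page warns about.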

Proceed to Configure FortiNAC.
