Tuesday, April 28, 2020

SSL VPN on FortiGate with client certificates

In this post I will demonstrate how to enable the SSL VPN with end-user (client) certificates. The remote firewall is running FortiOS 6.2.3 and we are using the 6.2 FortiClient.

I'm using Firefox to test the web portal, and an Android and a macOS device running the basic FortiClient.

In the FortiGate you define a "config user peer" entry that names the CA signing the end-user certificates. That CA certificate, along with the root CA certificate, needs to be uploaded into the FortiGate under

System > Certificates


In my setup I have a root and an intermediate CA. The "config user peer" entry references the intermediate CA (uploaded here as CA_Cert_3), since that is the CA that actually issues the user certificates; the root is uploaded as well so the FortiGate can build the full chain.

config user peer
    edit "socpuppets-intermediate"
        set ca "CA_Cert_3"
    next
end

Now build your SSL VPN settings to include an authentication rule that binds the certificate check to the user-peer:

config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_POOL_1"
    set port 8443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "vpnusers1"
            set portal "full-access"
            set client-cert enable
            set user-peer "socpuppets-intermediate"
        next
    end
end


Two settings in that block deserve a second look before you copy it. "set ssl-min-proto-ver tls1-1" still admits TLS 1.1, which is deprecated (RFC 8996); unless you have a client that cannot do better, set it to tls1-2. And "set servercert Fortinet_Factory" is the unit's built-in certificate, which clients will not trust, so users will have to click through (or be configured to ignore) a server-certificate warning; for production, use a server certificate issued by a CA your clients already trust.

And the portal configuration with its address pool:

config firewall address
    edit "SSLVPN_POOL_1"
        set subnet 10.199.199.0 255.255.255.0
    next
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL_1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

So now, when an end user authenticates and matches that authentication rule, they must present a valid certificate chaining to the CA named in the user-peer ("socpuppets-intermediate"), in addition to their username/password and membership in "vpnusers1". The global "set reqclientcert enable" is what makes the FortiGate ask for a client certificate in the TLS handshake at all; "set client-cert enable" and "set user-peer" on the rule are what tie that certificate to the rule.

Once connected, you can see the session via the CLI ("get vpn ssl monitor") or the web UI (Monitor > SSL-VPN Monitor).

If FortiClient cannot connect, use Firefox to reach the web portal (https://<wan1-address>:8443 with the settings above) after importing the same certificate FortiClient is using. If you can reach the web portal, the certificate and the authentication rule are good, and the problem is on the client side.

One last tidbit: when the user certificate has expired, the user is locked out of the VPN. Because the certificate is verified during the TLS handshake, before the username/password is even accepted, nothing shows up in the authentication logs, but

diag debug application sslvpn -1
diag debug enable

will clearly show this scenario (run "diag debug disable" when you are done).

For traffic allowed by the firewall policy, you can use "diag debug flow" or run the packet sniffer on the ssl.root interface to see the traffic flow, for example

diag sniffer packet ssl.root 'host 10.199.199.2' 4

where 10.199.199.2 stands for whatever address the client was handed out of SSLVPN_POOL_1.

This VPN method offers an easy way to give VPN users timed access: sign their certificate for only the "X" days they need it, and the access ends when the certificate does, with nothing to remember to disable afterwards. Great for vendors, auditors, or consultant access.
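To make the CA structure from the top of the post and the timed-access idea concrete, here is an added example (my own script, not something from the original post or from Fortinet): it builds a root and an intermediate CA like the ones the "config user peer" entry checks against, issues a client certificate whose lifetime is the access window, verifies the chain the way the firewall will, and checks how long the certificate has left. The names socpuppets-root, socpuppets-intermediate and vendor1, the 7-day window and the "changeme" PKCS#12 password are illustrative assumptions; only openssl (1.1.1 or 3.x) is required and nothing touches the network.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA structure the
# FortiGate "config user peer" checks against (root -> intermediate), issue a
# short-lived client certificate, verify the chain the way the firewall will,
# and test the remaining lifetime. socpuppets-root, socpuppets-intermediate,
# vendor1, the 7-day window and the "changeme" password are illustrative
# assumptions. Requires openssl (1.1.1 or 3.x); no network needed.

# Minimal openssl config: one extension section per certificate role.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_pki DIR USER DAYS: root CA, intermediate CA and one client cert for USER
# valid for DAYS days, plus a PKCS#12 bundle for FortiClient / Firefox import.
make_pki() {
    local dir=$1 user=$2 days=$3 cnf
    cnf=$dir/ca.cnf
    write_cnf "$dir"
    # Root CA: self-signed, long-lived, kept offline. Only root.crt is uploaded
    # to the FortiGate (System > Certificates); root.key never leaves the CA host.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=socpuppets-root" -config "$cnf" -extensions v3_root \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA: pathlen:0, so it can sign end-entity certs only. This is
    # the certificate that "set ca" in "config user peer" points at.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=socpuppets-intermediate" -config "$cnf" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$cnf" -extensions v3_intermediate \
        -out "$dir/int.crt" 2>/dev/null
    # Client certificate: clientAuth EKU only; its lifetime is the access window.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$user" -config "$cnf" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$cnf" -extensions v3_client \
        -out "$dir/$user.crt" 2>/dev/null
    # Bundle key + cert + intermediate for the end user. (Add -legacy on
    # OpenSSL 3 if an old importer rejects the default AES-based PKCS#12.)
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/int.crt" -passout pass:changeme -out "$dir/$user.p12"
}

# verify_chain DIR CERT: succeed only if CERT chains through the intermediate
# to the trusted root, which is what the user-peer check requires.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$2" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS days from
# now. An expired cert fails in the TLS handshake, before any username/password
# is looked at, so this is the check to run when a user reports being locked out.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

main() {
    local work
    work=$(mktemp -d)
    make_pki "$work" vendor1 7           # a vendor gets one week of access
    verify_chain "$work" "$work/vendor1.crt" && echo "vendor1 chains to socpuppets-root via socpuppets-intermediate"
    cert_valid_for_days "$work/vendor1.crt" 1 && echo "vendor1 will still be accepted tomorrow"
    cert_valid_for_days "$work/vendor1.crt" 8 || echo "vendor1 will be locked out within 8 days, as intended"
    echo "upload $work/root.crt and $work/int.crt to the FortiGate; hand $work/vendor1.p12 to the vendor"
}

# Run the demo when openssl is available; the functions stay usable when sourced.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

Upload root.crt and int.crt as CA certificates, point "set ca" in the user-peer at the intermediate, and give the user only the .p12. Re-issuing access for another week is just another make_pki run with a new DAYS value; nothing on the firewall changes.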

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

