Scribd
Upload
99 views

FortiClient 5.2 Cookbook

Forticlient cookbook

Uploaded by

Trong Oganort Gampoula
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
99 views

FortiClient 5.2 Cookbook

Forticlient cookbook

Uploaded by

Trong Oganort Gampoula
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

FortiClient - Cookbook

Version 5.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET COOKBOOK
https://cookbook.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 25, 2019


FortiClient 5.2 Cookbook
04-520-554121-20190425
TABLE OF CONTENTS

Remote Internet browsing using a VPN 4


IPsec VPN with FortiClient 7
SSL VPN using FortiClient (iOS) 10
IPsec VPN with two-factor authentication 12
Change log 15

FortiClient Cookbook Fortinet Technologies Inc.


Remote Internet browsing using a VPN

This recipe uses remote IPsec and SSL VPN tunnels to bypass Internet access restrictions. Restricted Internet access is
simulated with a Web Filter profile that blocks google.com. You will create FortiClient SSL and IPsec VPN tunnels to
bypass the web filter, connect to a remote FortiGate unit, and transparently browse the Internet to google.com.
The recipe assumes that you have already created a “vpn_users“ user group and a local LAN firewall address.
In this example, restricted Internet access is simulated using a Web Filter profile to block Google. With the user situated
behind this FortiGate, google.com cannot be accessed, and instead the FortiGuard “Web Page Blocked!” message
appears. For the user to bypass this Web Filter, the following VPN configurations must be made on a remote FortiGate
(which is not blocked by any filter), and the user must connect to it using FortiClient.
This recipe consists of the following steps:
1. Configure the IPsec VPN connection.
2. Configure the SSL VPN connection.
3. Create security policies for VPN access to the Internet.
4. Configure FortiClient for IPsec and SSL VPN.

To configure the IPsec VPN connection:

1. In FortiOS on the remote FortiGate, go to VPN > IPsec > Wizard.


2. Enter the VPN connection name, and under Template, select Dialup - FortiClient (Windows, Mac OS, Android).
Click Next.
3. From the Incoming Interface dropdown list, select the Internet-facing interface. In this example, it is wan1.

4. For Authentication Method, select Pre-shared Key.


5. In the Pre-shared Key field, enter the desired preshared key. From the User Group dropdown list, select the vpn_
users user group. Click Next.
6. From the Local Interface dropdown list, select the internal interface. From the Local Address dropdown list, select
Local LAN.
7. In the Client Address Range field, enter an IP range for VPN users. Click Next.
8. Configure client options as desired. Click Create. When using the IPsec VPN wizard, FortiOS automatically creates
an IPsec firewall address range using the configured tunnel name. Since the wizard creates an IPsec-to-internal
IPv4 policy, you only need to create the Internet access policy.

FortiClient Cookbook Fortinet Technologies Inc.


Remote Internet browsing using a VPN 5

To configure the SSL VPN connection:

1. In FortiOS on the remote FortiGate, go to VPN > SSL > Portals. Select the full-access portal, then click Edit.
2. Deselect Enable Split Tunneling. This allows all VPN traffic to go through the FortiGate firewall.
3. Go to VPN > SSL > Settings. Under Connection Settings, set Listen on Port to 10443.
4. Under Authentication/Portal Mapping, assign the vpn_users user group to the full-access portal. Assign All Other
Users/Groups to the desired portal. Since the FortiGate has an ssl.root firewall address by default, you only need to
create the Internet access policy.

To create security policies for VPN access to the Internet:

1. In FortiOS, go to Policy & Objects > Policy > IPv4.


2. Create two security policies (one for each VPN tunnel) that allow remote users to access the Internet securely
through the FortiGate unit. Configure the policies as follows:
a. From the Incoming Interface dropdown list, select the tunnel interface. From the Source Address dropdown
list, select all.
b. For the SSL VPN tunnel policy, from the Source User(s) dropdown list, select the vpn_users user group.
c. From the Outgoing Interface dropdown list, select wan1. From the Destination Address dropdown list, select
all.
d. From the Service dropdown list, select ALL. Ensure that NAT is enabled.

To configure FortiClient for IPsec and SSL VPN:

1. In FortiClient, on the Remote Access tab, add a new connection for each VPN tunnel.
2. Enter the desired connection name, and set Type to SSL-VPN or IPsec VPN depending on the tunnel
configuration.
3. In the Remote Gateway field, enter the FortiGate IP address.
4. For the IPsec VPN tunnel, select Pre-Shared Key from the Authentication Method dropdown list. In the Pre-
Shared Key field, enter the key.
5. For the SSL VPN tunnel, enable Customize port and set to 10443.

FortiClient Cookbook Fortinet Technologies Inc.


Remote Internet browsing using a VPN 6

6. (Optional) In the Username field, enter a username from the vpn_users user group.
7. Select the newly created tunnel, enter the username and password, and click Connect.
8. If the system displays a server authentication warning, click Yes. Once the FortiClient has established the
connection, the FortiGate assigns the user an IP address and FortiClient displays the connection status, including
the IP address, connection duration, and bytes sent and received.

With the tunnel up, you can now visit google.com without being blocked, since the remote FortiGate is handling
Internet traffic and the web filter on the local FortiGate has been bypassed.

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with FortiClient

This recipe uses the IPsec VPN wizard to provide a group of remote users with secure, encrypted access to the
corporate network. The tunnel provides group members with access to the internal network, but forces them through the
FortiGate unit when accessing the Internet. When the tunnel is configured, you will connect using the FortiClient
application.
This recipe consists of the following steps:
1. Create a user group for remote users.
2. Add a firewall address for the local network.
3. Configure the IPsec VPN connection.
4. Create security policies for VPN access to the Internet.
5. Configure FortiClient for IPsec VPN.

To create a user group for remote users:

1. In FortiOS, go to User & Device > User > User Definition.


2. Create a new local user using the user creation wizard. Enter the appropriate information in each step of the wizard.
3. Go to User & Device > User > User Groups.
4. Create a user group for the remote users and add the user that you just created.

To add a firewall address for the local network:

1. In FortiOS, go to Policy & Objects > Objects > Addresses.


2. Add a firewall address for the local LAN, including the subnet and local interface.

To configure the IPsec VPN connection:

1. In FortiOS, go to VPN > IPsec > Wizard.


2. Enter the VPN connection name, and under Template, select Dialup - FortiClient (Windows, Mac OS, Android).
Click Next.
3. From the Incoming Interface dropdown list, select the Internet-facing interface. In this example, it is wan1.

4. For Authentication Method, select Pre-shared Key.


5. In the Pre-shared Key field, enter the desired preshared key. From the User Group dropdown list, select the vpn_
users user group. Click Next.

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with FortiClient 8

6. From the Local Interface dropdown list, select the internal interface. From the Local Address dropdown list, select
Local LAN.
7. In the Client Address Range field, enter an IP range for VPN users. Click Next.
8. Configure client options as desired. Click Create. When using the IPsec VPN wizard, FortiOS automatically creates
an IPsec firewall address range using the configured tunnel name. Since the wizard creates an IPsec-to-internal
IPv4 policy, you only need to create the Internet access policy.

To create security policies for VPN access to the Internet:

1. In FortiOS, go to Policy & Objects > Policy > IPv4.


2. Create a security policy that allows remote users to access the Internet securely through the FortiGate unit.
Configure the policies as follows:
a. From the Incoming Interface dropdown list, select the tunnel interface. From the Source Address dropdown
list, select all.
b. From the Outgoing Interface dropdown list, select wan1. From the Destination Address dropdown list, select
all.
c. From the Service dropdown list, select ALL. Ensure that NAT is enabled.

To configure FortiClient for IPsec VPN:

1. In FortiClient, on the Remote Access tab, add a new connection.


2. Enter the desired connection name, and set Type to IPsec VPN.
3. In the Remote Gateway field, enter the FortiGate IP address.
4. Select Pre-Shared Key from the Authentication Method dropdown list. In the Pre-Shared Key field, enter the key.
5. Select the newly created tunnel, enter the username and password, and click Connect. Once the FortiClient has
established the connection, the FortiGate assigns the user an IP address and FortiClient displays the connection
status, including the IP address, connection duration, and bytes sent and received.

6. In FortiOS, go to VPN > Monitor > IPsec Monitor. Verify that the tunnel status is up.
7. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Verify that the Sent/Received column

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with FortiClient 9

displays traffic successfully flowing through the tunnel.

FortiClient Cookbook Fortinet Technologies Inc.


SSL VPN using FortiClient (iOS)

In this recipe, you will create an SSL VPN that remote users connect to using FortiClient running on iOS. When a user
using an iOS device connects to this SSL VPN, they can access servers and data on the internal network. They can also
securely browse the Internet using the FortiGate’s Internet connection. This example uses FortiClient (iOS) 5.2.0.028.
This recipe consists of the following steps:
1. Create users and a user group.
2. Configure the SSL VPN connection.
3. Create security policies for VPN access to the Internet and internal network.
4. Configure FortiClient (iOS) for SSL VPN.

To create users and a user group:

1. In FortiOS, go to User & Device > User > User Definition.


2. Create as many local users as required using the user creation wizard. Enter the appropriate information in each
step of the wizard.
3. Go to User & Device > User > User Groups.
4. Create a user group for the remote users and add the user(s) that you just created.

To configure the SSL VPN connection:

1. In FortiOS, go to VPN > SSL > Portals. Select the web-access portal, then click Edit. By default, this portal
supports web mode.
2. Deselect Enable Split Tunneling. This allows all SSL VPN traffic to go through the FortiGate firewall.
3. Go to VPN > SSL > Settings. From the Listen on Interface(s) dropdown list, select wan1.
4. Under Connection Settings, set Listen on Port to 10443.
5. For Address Range, select Specify custom IP ranges.
6. From the IP Ranges dropdown list, select the default IP range, SSLVPN_TUNNEL_ADDR1.
7. Under Authentication/Portal Mapping, add the FortiClient user group and map it to the web-access portal. If
necessary, map a portal for Assign All Other Users/Groups.

To create security policies for VPN access to the Internet and internal network:

1. In FortiOS, go to Policy & Objects > Policy > IPv4.


2. Create a security policy that allows VPN users to access the internal network:
a. From the Incoming Interface dropdown list, select ssl.root.
b. From the Source Address dropdown list, select all. From the Source User(s) dropdown list, select the new
user group. From the Outgoing Interface dropdown list, select the local network interface so that the remote
user can access the internal network.
c. From the Destination Address dropdown list, select all. Enable NAT and configure any remaining options as
desired.

FortiClient Cookbook Fortinet Technologies Inc.


SSL VPN using FortiClient (iOS) 11

3. Create a security policy that allows SSL VPN users to access the Internet securely through the FortiGate unit:
a. From the Incoming Interface dropdown list, select ssl.root.
b. From the Outgoing Interface dropdown list, select wan1.

To configure FortiClient (iOS) for SSL VPN:

1. Install FortiClient on the iOS device.


2. Add a new VPN gateway:
a. Set Host Name to the FortiGate's IP address. In this example, it is 172.20.120.236.
b. Set Host Port to 10443.
c. Set the User Name to match the user account created earlier.

3. Select the VPN. Enter the user password and select Login. FortiClient connects to VPN.
4. In FortiOS, go to VPN > Monitor > SSL-VPN Monitor to verify that the user is connected.

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with two-factor authentication

In this recipe, two-factor authentication is added to a user account to provide extra security when connecting to an IPsec
VPN using FortiClient (macOS).
Two-factor authentication requires a user to authenticate twice before being allowed to access the IPsec VPN. In this
recipe the FortiToken Mobile app for iOS provides a one-time password (OTP) (a six-digit number) that you must enter
at a second authentication prompt.
This recipe assumes that you have already activated FortiToken Mobile.
This recipe consists of the following steps:
1. Create a user and user group.
2. Add a firewall address for the LAN.
3. Configure the IPsec VPN connection.
4. Create a security policy for VPN access to the Internet.
5. Send the FortiToken activation code to the user.
6. Set up FortiToken Mobile on an iOS device.
7. Configure FortiClient (macOS).

To create a user and user group:

1. In FortiOS, go to User & Device > User > User Definition. Create a new local user using the user creation wizard.
2. On the Login Credentials tab, enter the user's login credentials. This example simply creates a local user.

3. On the Contact Info tab, select SMS. In the Phone Number field, enter a phone number without dashes or spaces.
This example uses SMS to send an activation code to the user. Even if your FortiGate cannot send SMS messages,
you must include a phone number. Do not add an email address.

4. On the Extra Info tab, select the FortiToken assigned to this user. Click Create. The user list shows the FortiToken
in the Two-factor Authentication column for the new user account.

5. Go to User & Device > User > User Groups.


6. Create a user group for the remote users and add the user that you just created.

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with two-factor authentication 13

To add a firewall address for the LAN:

1. In FortiOS, go to Policy & Objects > Objects > Addresses.


2. Create a firewall address for your LAN's subnet.

To configure the IPsec VPN connection:

1. In FortiOS, go to VPN > IPsec > Wizard.


2. Enter the VPN connection name.
3. From the Local Interface dropdown list, select the internal interface. In the example, this is port1. From the Local
Address dropdown list, select the LAN address.
4. In the Client Address Range field, enter an IP range for VPN users. Click Next.

5. Configure client options as desired. Click Create.

To create a security policy for VPN access to the Internet:

1. In FortiOS, go to Policy & Objects > Policy > IPv4.


2. Create a security policy that allows remote users to access the Internet securely through the FortiGate unit.
Configure the policies as follows:
a. From the Incoming Interface dropdown list, select the tunnel interface. From the Source Address dropdown
list, select all. From the Source User(s) dropdown list, select the new user group.
b. From the Outgoing Interface dropdown list, select your Internet-facing interface. From the Destination
Address dropdown list, select all.
c. Ensure that NAT is enabled.

To send the FortiToken activation code to the user:

Do one of the following:


1. If your FortiGate can send SMS messages, go to User & Device > User > User Definition. Edit the new user
account. Select Send Activation Code and send the code by SMS.
2. If your FortiGate cannot send SMS messages, go to System > Dashboard > Status. Enter the following commands
in the CLI console, using your FortiToken serial number:
config user fortitoken
edit <serial_number>
show
The output displays the activation code. You must give this code to a user.

FortiClient Cookbook Fortinet Technologies Inc.


IPsec VPN with two-factor authentication 14

To set up FortiToken Mobile on an iOS device:

1. On an iOS device, download and install FortiToken Mobile.


2. Open the app and add a new account. Select Enter Manually, then select Fortinet under FORTINET ACCT.
3. In the Key field, enter the activation code. FortiToken Mobile can now generate a token for use with the FortiGate.
4. (Optional) For additional security, set a PIN for FortiToken Mobile using the app's Settings options.

To configure FortiClient (macOS):

1. On a macOS device, download and install FortiClient (macOS).


2. In FortiClient, on the Remote Access tab, select Add a new connection.
3. Enter the desired connection name, and set Type to IPsec VPN.
4. In the Remote Gateway field, enter the FortiGate IP address.
5. Select Pre-Shared Key from the Authentication Method dropdown list. In the Pre-Shared Key field, enter the key.
6. Select the newly created tunnel, enter the username and password, and click Connect.
7. FortiClient prompts you to enter your code from FortiToken Mobile. In the Answer field, enter the code. Once your
code has been verified, the IPsec VPN connection is established.

FortiClient Cookbook Fortinet Technologies Inc.


Change log

Date Change Description

2019-04-25 Initial release

FortiClient Cookbook Fortinet Technologies Inc.


Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

You might also like