Configuration Tip: How to configure FortiOS SSL VPN with FortiToken

Scope:
FortiOS v4.3.0 and above.
SSL VPN Client v4.0.2143 and above.

Network Configuration

WAN IP : 192.168.140.216/23

Internal IP: 10.129.0.216/23

SSLVPN Tunnel range: 192.168.168.100-200

1. Go to User > FortiToken > FortiToken > Create New, enter the serial number of the FortiToken, click the '+' symbol, and click OK.
2. To activate the FortiToken, the FortiGate communicates with the FortiGuard servers and validates the license; once validated, the status is shown as Active.

3. Add a local user with two-factor authentication and FortiToken:

Enable two-factor authentication and select the FortiToken serial number that was created in step 1.
4. Add the local user to the SSL VPN user group.
5. Specify the SSL VPN address range under Firewall Objects > Address.
6. Verify the SSL VPN settings and ensure the IP pool is applied.
7. Configure the SSL VPN portal.
8. Add a static route for the destination network.
9. Configure firewall policies for SSL VPN authentication.
NB: ensure policies exist from ssl.root (the SSL VPN interface) to internal and vice versa; the reverse policy is what permits sessions initiated from the internal network toward tunnel clients.

For more information on SSL VPN configuration examples, consult the FortiOS v4.0 MR3 Handbook.
FortiGate CLI configuration

# Register the token (serial number) and its seed
config user fortitoken
    edit "FTKxxxxxxxxxxxx"
        set seed "rRw6EGBcSdUjc2W4kov0Rcqfdert02mQPpaRrLabtTVxQ0sWo/1zcZJ/tIY="
    next
end

# Apply the tunnel address pool globally to SSL VPN
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

# Portal presented to the user group; the tunnel widget must use the same pool
config vpn ssl web portal
    edit "full-access"
        set allow-access web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
        set heading "Welcome to SSL VPN Service"
        set page-layout double-column
        config widget
            edit 4
                set name "Session Information"
                set type info
            next
            edit 2
                set name "Bookmarks"
                set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
            next
            edit 3
                set name "Connection Tool"
                set type tool
                set column two
                set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
            next
            edit 1
                set name "Tunnel Mode"
                set type tunnel
                set column two
                set tunnel-status enable
                set ip-pools "SSLVPN_TUNNEL_ADDR1"
            next
        end
    next
end

# Local user bound to the token; two-factor is enforced per user
config user local
    edit "fortitoken"
        set fortitoken "FTKxxxxxxxxxxxx"
        set two-factor fortitoken
        set type password
        set passwd ENC +xc8aV7kckEqzxkrAO2V2ZTqSWobo8duiTtWSbLkReJFrU29xIRyTQXyOAxhXzoXXeSiv0rzg/AffImq5zvdKw7fwl4uBMED7+N1ivrUfpx3FMoS
    next
end

config user group
    edit "sslvpngrp"
        set sslvpn-portal "full-access"
        set member "fortitoken"
    next
end

# Route the tunnel range to the SSL VPN interface
config router static
    edit 2
        set device "ssl.root"
        set dst 192.168.168.0 255.255.255.0
    next
end

# Policy 4 authenticates SSL VPN users; policies 5 and 6 permit traffic in both directions
config firewall policy
    edit 4
        set srcintf "port9"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "internal"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic enable
                set groups "sslvpngrp"
                set service "ANY"
            next
        end
    next
    edit 5
        set srcintf "ssl.root"
        set dstintf "port10"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "internal"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
    edit 6
        set srcintf "port10"
        set dstintf "ssl.root"
        set srcaddr "internal"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
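The CLI above wires several objects together by name (the address pool, the portal, the user group, the two-factor setting, and the pair of policies the NB in step 9 calls for), and a typo in any one of them fails silently until a user cannot connect. The following Python linter is an added example, not part of the page or of any Fortinet tool: it parses a FortiOS-style CLI export with a small recursive reader and checks that the pool used by the portal's tunnel widget is the one applied in `config vpn ssl settings`, that every member of a group granted by an `action ssl-vpn` policy has `two-factor fortitoken`, and that accept policies exist from ssl.root to the internal interface and back. The embedded configuration is a condensed copy of the page's CLI, constructed here; the parser keeps only `config`, `edit` and `set` lines, which is enough for this check.

```python
"""Lint a FortiOS CLI export for the SSL VPN wiring the steps above describe."""
import shlex

# Constructed sample: a condensed copy of the page's CLI (serial is the page's placeholder).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
config vpn ssl web portal
    edit "full-access"
        config widget
            edit 1
                set type tunnel
                set ip-pools "SSLVPN_TUNNEL_ADDR1"
            next
        end
    next
end
config user local
    edit "fortitoken"
        set two-factor fortitoken
    next
end
config user group
    edit "sslvpngrp"
        set sslvpn-portal "full-access"
        set member "fortitoken"
    next
end
config firewall policy
    edit 4
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "sslvpngrp"
            next
        end
    next
    edit 5
        set srcintf "ssl.root"
        set dstintf "port10"
        set action accept
    next
    edit 6
        set srcintf "port10"
        set dstintf "ssl.root"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Build nested dicts: 'config' tables hold 'edit' entries, entries hold 'set' values."""
    root, stack = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        cur = stack[-1] if stack else root
        if toks[0] == "config":
            stack.append(cur.setdefault(" ".join(toks[1:]), {}))
        elif toks[0] == "edit":
            stack.append(cur.setdefault(toks[1], {}))
        elif toks[0] == "set":
            cur[toks[1]] = toks[2:]  # values stay a list: multi-valued keys are common
        elif toks[0] in ("next", "end"):
            stack.pop()
    return root


def lint_sslvpn(cfg, vpn_if="ssl.root"):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    pools = set(cfg.get("vpn ssl settings", {}).get("tunnel-ip-pools", []))
    groups, users = cfg.get("user group", {}), cfg.get("user local", {})
    portals, policies = cfg.get("vpn ssl web portal", {}), cfg.get("firewall policy", {})
    # Check 1: groups granted by an 'action ssl-vpn' policy must use a portal whose
    # tunnel widget pool is actually applied under 'config vpn ssl settings'.
    granted = set()
    for pol in policies.values():
        if pol.get("action") == ["ssl-vpn"]:
            for ibp in pol.get("identity-based-policy", {}).values():
                granted.update(ibp.get("groups", []))
    if not granted:
        findings.append("no 'action ssl-vpn' policy grants any user group")
    for g in granted:
        for pname in groups.get(g, {}).get("sslvpn-portal", []):
            for wid, w in portals.get(pname, {}).get("widget", {}).items():
                for pool in w.get("ip-pools", []) if w.get("type") == ["tunnel"] else []:
                    if pool not in pools:
                        findings.append(f"portal '{pname}' widget {wid}: pool '{pool}' not in tunnel-ip-pools")
        # Check 2: every member of a granted group must have FortiToken two-factor enabled.
        for member in groups.get(g, {}).get("member", []):
            if users.get(member, {}).get("two-factor") != ["fortitoken"]:
                findings.append(f"user '{member}' in group '{g}' lacks 'two-factor fortitoken'")
    # Check 3 (the page's NB): accept policies must exist ssl.root -> internal and back.
    accepts = {(p.get("srcintf", [""])[0], p.get("dstintf", [""])[0])
               for p in policies.values() if p.get("action") == ["accept"]}
    inside = {d for s, d in accepts if s == vpn_if} | {s for s, d in accepts if d == vpn_if}
    for iface in sorted(inside):
        for pair in ((vpn_if, iface), (iface, vpn_if)):
            if pair not in accepts:
                findings.append(f"missing accept policy {pair[0]} -> {pair[1]}")
    return findings
```

Run `lint_sslvpn(parse_fortios(open("backup.conf").read()))` against a real export; on the sample it returns an empty list, and deleting policy 6 or changing the user's `two-factor` value produces a finding naming the broken object.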
FortiToken Authentication

There are three ways to authenticate using FortiToken and SSL VPN:

- Use the SSL VPN standalone client with username, password and FortiToken code.

- Use web access with username and password; FortiOS then prompts for the FortiToken code.

- Use web access with username and password+FortiToken code entered together in the password field.

1. SSL VPN client configuration: enter the username, the password and the FortiToken code in the standalone client.

2. Web-access authentication:

1. Enter the user name and password and click Login; the FortiGate prompts for the FortiToken code.

2. Enter the username, and in the password field enter the password immediately followed by the FortiToken code.
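The third method above puts the password and the FortiToken code into a single field, which only works because the code has a fixed length and always sits at the end. As an added example (not from the page, not Fortinet's code), here is how a verifier can split and check such an entry. FortiToken's actual OTP algorithm, seed format and time step are not described on the page, so RFC 6238 TOTP with a six-digit code and an assumed 60-second step stands in; the seed, salt and password hash are constructed demo values, and `verify_login`, `split_concat` and the other names are this example's own.

```python
"""Server-side handling of 'password + FortiToken code' entered in one field (constructed example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

OTP_DIGITS = 6     # FortiToken codes are six digits
STEP_SECONDS = 60  # assumption: the page does not state the token's time step


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(seed: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, int(at // step))


def split_concat(entered: str):
    """Split 'password+code': the code is always the trailing six digits, so the
    password may be any length and may itself end in digits. None if malformed."""
    if len(entered) <= OTP_DIGITS or not entered[-OTP_DIGITS:].isdigit():
        return None
    return entered[:-OTP_DIGITS], entered[-OTP_DIGITS:]


def verify_login(entered: str, stored_pw_hash: bytes, salt: bytes, seed: bytes,
                 now: Optional[float] = None, window: int = 1) -> bool:
    """Check both factors. Both are always evaluated, so a wrong password does not
    skip the OTP work and timing does not reveal which factor failed."""
    parts = split_concat(entered)
    if parts is None:
        return False
    password, code = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, stored_pw_hash)
    now = time.time() if now is None else now
    code_ok = False
    for k in range(-window, window + 1):  # tolerate +/- one step of clock drift
        code_ok |= hmac.compare_digest(code, totp(seed, now + k * STEP_SECONDS))
    return pw_ok and code_ok


# Constructed demo credentials; a real seed comes from the token activation, never from a literal.
DEMO_SEED = b"12345678901234567890"
DEMO_SALT = b"demo-salt"
DEMO_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"hunter2", DEMO_SALT, 100_000)
```

`verify_login("hunter2" + totp(DEMO_SEED, time.time()), DEMO_PW_HASH, DEMO_SALT, DEMO_SEED)` returns True; the same call with a wrong password, a stale code, or a value too short to contain a six-digit suffix returns False. The `hotp` function reproduces the RFC 4226 test vectors (counter 0 gives 755224), which is a quick way to confirm the truncation step before trusting the verifier with real seeds.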
