Checklist for FortiGate admin access over SSL-VPN

This is a checklist for getting admin (GUI and SSH) access to a FortiGate over SSL-VPN.

1. Trusted hosts

Ensure that the SSL-VPN source address or SSL-VPN address pool is on the trusted host list of the admin account you will use to manage the FortiGate.

config system admin
    edit "admin" 
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end

2. Allowaccess on Interface

Ensure the management services (here ping, https and ssh) are allowed on the interface you will connect to by adding “set allowaccess ping https ssh” under the interface configuration.

config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end
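Items 1 and 2 can be checked offline against a CLI dump. The following Python script is an added example, not part of the original guide: it parses the FortiOS config syntax used above (config / edit / set / next / end, including nested config blocks) and checks that the whole VPN pool falls inside one of the admin's trusthost entries and that https or ssh is allowed on the interface. The SSLVPN_TUNNEL_ADDR1 address object is not shown on the page, so the sample defines it as an assumed iprange object.

```python
import ipaddress
import shlex

# Constructed sample: page lines plus an ASSUMED iprange address object for the pool.
SAMPLE = """\
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
config system admin
    edit "admin"
        set trusthost5 10.212.134.0 255.255.255.0
    next
end
config system interface
    edit "vlan100"
        set allowaccess ping https ssh
    next
end
"""

def parse_fortios(text):
    """Turn FortiOS CLI into nested dicts: section -> entry -> key -> [values]."""
    tree, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":  # new section; may nest inside an edit block
            parent = stack[-1] if stack else tree
            stack.append(parent.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":  # new entry inside the current section
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return tree

def check_admin_access(tree, admin="admin", pool="SSLVPN_TUNNEL_ADDR1", iface="vlan100"):
    # Item 1: every address of the pool must sit inside a single trusthost entry.
    addr = tree["firewall address"][pool]
    lo, hi = (ipaddress.ip_address(addr[k][0]) for k in ("start-ip", "end-ip"))
    trusted = [ipaddress.ip_network(f"{v[0]}/{v[1]}", strict=False)
               for k, v in tree["system admin"][admin].items() if k.startswith("trusthost")]
    pool_trusted = any(lo in net and hi in net for net in trusted)
    # Item 2: at least one management service must be allowed on the interface.
    allowed = set(tree["system interface"][iface].get("allowaccess", []))
    return pool_trusted, bool(allowed & {"https", "ssh"})
```

Run it against a real `show full-configuration` dump by passing that text to parse_fortios instead of SAMPLE.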

3. Firewall policy

Ensure you have a firewall policy from the SSL-VPN interface (ssl.root) to the LAN interface you intend to connect to.

config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end

4. Routing table

Ensure the client has a route to the firewall interface. If you use split-tunneling, only the addresses listed under split-tunneling-routing-address are routed through the SSL-VPN; any destination not listed is routed locally via the user's own internet breakout. Here 10.100.0.0/24 is the LAN network directly connected to the firewall; you could instead list only the individual firewall interface address.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

If using Windows, you can check the client's routing table by running the command route print.

C:\WINDOWS\system32>route print

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.
