After configuring HA between the two available firewalls, we decided for our employees to offer them remote access (work from home). This will be possible using SSL-VPN feature and an authentication profile using 1FA (we can also configure 2FA).

As we will require a remote user, create a new Linux node (you can use the already existing image called: linux-ubuntu-18.04-server_machine), use for 'First Eth MAC Address' the following format 50:00:00:byte_2_eveng_ip:byte3_eveng_ip+3:byte4_eveng_ip and connect it to Network Cloud (connected to Management Cloud0).

Topology:

Note: keep the configuration already made on the latest lab (HA on both firewalls).

The first task is a quick start to ssl vpn on fortigate: configure 'tunnel split' for letting traffic for a specific subnets only - for example: let remote user only access the first branch (subnet: 192.168.0.0/24).

e1.1: Go to Policy and Objects > Address and create 2 new address objects:

First one (for branch1):

- name: internal_subnet1

- type: subnet

- IP/Netmask: 192.168.0.0/24

- interface: port2

Second one (for vpn client pool):

- name: source_ip_pools

- type: subnet

- IP/Netmask: 192.168.100.0/24

- interface: leave any

- subnet: e1.2: For the beginning, we will use only local authentication. Go to User & Authentication > User definition and create the local user test1 with password fortigate.

e1.3: Create a group for the user test1. Go to User & Authentication > User Groups, create new:

- name: testgroup

- type: firewall

- members: test1

e1.4: Create the ssl-vpn portal - go to VPN > SSL-VPN Portals, create new:

- name: ssl_vpn_tunnel_split

- enable tunnel mode and split tunneling

- Routing Address: internal_subnet1 (only the traffic to this network will be accepted)

- Source IP Pools: source_ip_pools (ip pool that will be used for allocating ip addresses to clients)

Keep the rest of config as it is.

e1.5: Configure ssl-vpn settings - go to VPN > SSL-VPN Settings:

- Listen on Interface(s): port1 (mgmt interface that has access to Cloud area and also remote clients)

- Listen on Port: 10443 (use a custom one)

- keep for portal certificate the self-signed one

- Tunnel Mode Client Settings > Specify custom IP Ranges > select address source_ip_pools (this way the source ip from range 192.168.0.0/24 will be let to access internal networks. If we keep the default ip pools here, clients will receive an ip from pool configured on Portal above)

- Authentication/Portal Mapping > All Other Users/Groups > select tunnel access. Add another entry for user group configured above testgroup and portal ssl_vpn_tunnel_split

- click apply

e1.6: At last, configure the firewall policy:

- from SSL.VPN to port2

- source: select address all (already defined) and user tesgroup

- destination: internal_subnet1

- service ALL and keep the rest as they are

e1.7: After firewall configuration, we need to check SSL-VPN configuration: on Remote device, go to Firefox and type address: http://FW_Address:10443. Authenticate and see the welcome page.

e1.8: As FortiClient download link is not included in portal webpage, we need to install it directly from cli:

# install gpg key
wget -O - https://repo.fortinet.com/repo/6.4/ubuntu/DEB-GPG-KEY | sudo apt-key add -
# add to /etc/apt/sources.list
deb [arch=amd64] https://repo.fortinet.com/repo/6.4/ubuntu/ /bionic multiverse
sudo apt-get update
sudo apt-get install forticlient

e1.9: Go to FortiClient GUI > Remote Access > add a new connection:

- connection name: SslVpnToHQ

- remote gateway: firewall address for port1

- customize port: 10443

- no client certificate and prompt on login

Save and login user credentials from e1.2 (accept portal certificate).

e1.10: Check the newly configured interface for vpn:

eve@ubuntu:~$ ifconfig vpn
vpn: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
        inet 192.168.100.1  netmask 255.255.255.255  destination 192.168.100.1
[...]

See also the routing table:

eve@ubuntu:~$ ip r s
[...]
192.168.0.0/24 via 192.168.100.1 dev vpn scope link 
192.168.100.1 dev vpn proto kernel scope link src 192.168.100.1 metric 450 
# see that branch1 route is injected

For test, ping client1 from branch1:

eve@ubuntu:~$ ping -c 5 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=63 time=1.69 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=63 time=2.57 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=63 time=2.79 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=63 time=5.44 ms
64 bytes from 192.168.0.2: icmp_seq=5 ttl=63 time=4.00 ms

--- 192.168.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4011ms
rtt min/avg/max/mdev = 1.690/3.300/5.441/1.301 ms