FortiGate v7.2.0 SSLVPN Configuration (Local & LDAP Auth)

  • Published on 9 Jun 2024
  • 👊Thanks for taking time to watch my video. If you could, pressing LIKE and SUBSCRIBING helps with TH-cam's algorithm so that more people can discover my videos. Feel free to leave a comment for any other topics you would like to see me cover or what your general opinion is of the video.
    This video aims to cover all that you need to know to configure basic SSLVPN connectivity from a client to your FortiGate firewall. We will be looking at how SSLVPN works, how the portals work, how the SSLVPN settings work and finally how to configure access to remote networks using policies. What makes this video different is that I will show you the configuration in real time and explain the changes as best I can while doing this for accounts/groups that are configured locally on a Firewall, but also for groups that you may be polling from something like a remote AD via LDAP. I hope this video teaches you something new and that you enjoy watching it.
    Timestamps:
    📕00:00 - Introduction
    📕01:18 - Lab Overview
    📕03:32 - SSLVPN Portals
    📕07:20 - SSLVPN Settings
    📕15:14 - Firewall Policies for SSLVPN
    📕17:14 - FortiClient Connection
    📕19:10 - Testing SSLVPN Access
    📕20:41 - Configuring Local Groups
    📕24:06 - LDAP Integration
    Support the Channel:
    ⭐Become a Patreon: / thenetworkberg
    ⭐Become a TH-cam Member: / @thenetworkberg
    Social Media:
    🌏 / thenetworkberg
    🌏 / bergnetwork
    🌏 / the-network-berg-39451...
    MTCRE Playlist:
    • Free MTCRE RoSv6
    MTCNA Playlist:
    • Free MTCNA RoSv6
    Airport Lounge - Disco Ultralounge by Kevin MacLeod is licensed under a Creative Commons Attribution 4.0 license. creativecommons.org/licenses/...
    Source: incompetech.com/music/royalty-...
    Artist: incompetech.com/
    Thanks again for watching

Comments • 44

  • @raylovescoconuts, 1 year ago, +2

    I appreciate the simplicity of your presentation! Please keep up the great work!

  • @qcnsllcqcnsupport7616, 1 year ago, +2

    Thanks for the awesome videos on FortiGate... I think FortiGate is possibly the best firewall for the money. 🙏🏼

  • @kenspackman7402, 1 year ago

    Really appreciate this. Thank you!

  • @mariocruz4591, 1 year ago

    Awesome lesson... greatly appreciated.

  • @kaushikprasad3419, 1 year ago, +2

    Keep it coming bro 💯 💪

  • @dhirajaheer258, 11 months ago

    Thanks... very simple and easy to understand.

  • @Fatourechie, 2 months ago, +2

    Awesome explanation!! Can you do a video showing us how you created that picture-perfect network diagram in draw.io?

    • @TheNetworkBerg, 2 months ago, +1

      Maybe I can do a video going over how I create topologies on draw.io, that flow plugin is quite nice :D!

  • @powerofzero5370, 9 months ago

    Just a tip that might save some headaches for other peeps... I'd set everything up correctly but my DMZ servers I set as destinations in my VPN policy weren't reachable so I watched your video to confirm I'd done everything correctly and I still had the issue. My deployment is on AWS and I have a management VRF0 and everything else in VRF1 so I can run two default routes to the Internet. VRF1 for data and VRF0 for access via Internet to MGMT interface. In the end I checked my SSL tunnel interface (only way I could find to do it was via the VPN policy I setup) and I found the interface belonged to VRF0. I changed it to VRF1 and everything working perfectly now.

  • @hack964, 9 months ago

    Really appreciate the content. Just a question: when we use both the User Group and the RA-VPN_Pool, does it mean it is required to match both, or is only one match required for the source?

  • @kevins6886, 1 year ago, +2

    Great video.
    Please do a video for AD auth access via FortiGate and security profiles.

    • @TheNetworkBerg, 1 year ago, +2

      Definitely part of my planned content :D!

    • @kevins6886, 1 year ago

      @@TheNetworkBerg thanks

  • @user-gf6jn5ny1t, 10 months ago

    Thanks a lot. When we create a group, should we configure anything on SSL-VPN Portals, like you did when creating the SSL-VPN LDAP group at 28 min?

  • @julianhaines9287, 3 months ago

    Thanks for a great video. Could you do one on VPN with LDAP & DUO 2-factor, as I'm having issues doing this at the moment?

  • @Angelhk, 1 year ago

    I like the stencils you use; where can I get them for draw.io?

  • @AmbientMelancholy, 4 months ago

    What if your FortiGate sits behind a public-facing firewall, where the ISP connects in? Do I need to set up some sort of NAT or port forwarding for the FortiGate's WAN interface? ISP - Firewall - FortiGate - LAN

  • @livestronger1981, 9 days ago

    Per your comment, when are you going to do one for SSO Azure VPN?

  • @vasegan, 11 months ago

    Thank you. Why SSL over IPsec?

  • @jytan740, 1 year ago

    Can FortiGate verify the FortiClient security posture before allowing SSLVPN? To verify that the client is a Windows client with the latest security patch.

  • @hanzgame9355, 1 year ago

    Can you please help me? I am doing a training at some company and they only gave me a FortiGate firewall, one switch, a server and a 4G modem that does not have port forwarding, and I wanted to access my firewall from home. Is there a way to do it?

  • @mikerp4735, 1 year ago

    Awesome video bro! Regarding the LDAP auth method, let's say I have different groups in AD, and each AD user group, when connected via SSL-VPN, needs access to its respective VLAN only. Does that mean I need to create a FortiGate user group and policy for each? Thanks.

    • @TheNetworkBerg, 1 year ago, +2

      Basically yes, you can create separate groups for specific access. So let's say you want the sales people to only get to the sales network you could create a sales-sslvpn group and assign members to that group which the firewall can poll through LDAP.
      Just need to remember to create the relevant SSLVPN Config and Firewall policies for the group.
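      As an added example (not the channel's configuration and not taken from the video), the per-group approach described in this reply, written out as FortiOS 7.2 CLI; it also covers the later question about letting only a small group reach the DMZ. Every name in it is an assumed placeholder: the LDAP server "AD-LDAP" and its address, the service-account DN, the AD group DNs, the groups "sales-sslvpn" and "dmz-admins-sslvpn", the interfaces "port1", "port2" and "dmz", and the address objects "Sales-Net" and "DMZ-Servers" (assumed to already exist). Replace them with your own values.

```fortios
# Added example, not from the video. All names, IPs and DNs are placeholders.

# 1. LDAP server the FortiGate queries for group membership (LDAPS, not clear-text LDAP)
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=example,dc=local"
        set password "REPLACE-ME"
        set secure ldaps
        set port 636
    next
end

# 2. One FortiGate group per access level; each is matched against a specific AD group DN
config user group
    edit "sales-sslvpn"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=Sales-VPN,OU=Groups,DC=example,DC=local"
            next
        end
    next
    edit "dmz-admins-sslvpn"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=DMZ-Admins,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# 3. A portal that grants nothing, used as the fallback for anyone not in a mapped group
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end

# 4. SSL VPN settings: each group is mapped to a tunnel portal, everyone else gets no-access
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "sales-sslvpn"
            set portal "tunnel-access"
        next
        edit 2
            set groups "dmz-admins-sslvpn"
            set portal "tunnel-access"
        next
    end
end

# 5. Firewall policies: the group on the policy is what actually scopes what a user can reach
config firewall policy
    edit 10
        set name "SSLVPN-Sales-to-SalesNet"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Sales-Net"
        set groups "sales-sslvpn"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "SSLVPN-DMZAdmins-to-DMZ"
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DMZ-Servers"
        set groups "dmz-admins-sslvpn"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

      The group name appears twice on purpose: once in the SSL VPN authentication rule, which decides whether a user gets a tunnel at all, and once in the firewall policy, which decides which networks that tunnel may reach. A user in the AD Sales-VPN group but not in DMZ-Admins is matched by policy 10 only, so the DMZ stays unreachable for them; a user in neither AD group lands on the no-access portal. Logging both policies gives the firewall logs the per-group view that the troubleshooting replies further down rely on.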

  • @sreekanthpv-wg9gi, 1 year ago

    Do you have a video for SSL VPN with a RADIUS server + Microsoft MFA?

  • @humamadel4946, 1 year ago, +1

    Well done... nice explanation... but I want MikroTik VPN... Do you know the Android 12 update does not allow creating a PPTP or L2TP VPN... it broke our work 🤕🥀

  • @JuliusMichweya, 4 months ago

    I have a question. How can I restrict access to the DMZ? Let's say you have configured an LDAP group which contains about 10 users, and only 2 users are supposed to access the DMZ while the rest are not. Or, the local group has, let's say, 10 users; only 2 are supposed to access resource X and the rest are required to access resource Y. How can you configure the restricting scenario in the above example?

    • @TheNetworkBerg, 4 months ago

      You would create another group with just the two users and reference that group to allow or restrict access based off of your requirements.

  • @jamesugbojoide1229, 1 year ago

    Hi Network Berg, I did not get the software that was used for the network design. Kindly clarify for me.
    Thanks

    • @TheNetworkBerg, 1 year ago, +1

      draw.io is what I used to create the network topology. It's a free, open-source alternative to stuff like Visio.

  • @kart0n3, 1 year ago

    Is it possible to restrict the source IP address of the remote user that establishes the VPN connection? Ideally I want to restrict a specific user coming from a specific address. Thanks!

    • @alphatechsal, 1 year ago

      You can limit access to specific hosts, geography, subnets and IP ranges.

  • @reanitkhmer3325, 1 year ago, +1

    Thanks. I have an issue: SSL VPN in EVE cannot connect.

    • @TheNetworkBerg, 1 year ago, +1

      The default trial VM template does not support SSL, you need to get a hold of the FortiOS VM, but this also stops working after an hour or so instead of dying after 24 hours like the trial VM.

    • @reanitkhmer3325, 1 year ago

      @@TheNetworkBerg Noted with thanks, brother.

  • @khairiazrul2862, 7 months ago

    What if the FortiGate is actually inside the private network?
    end user - - - internet - - - CPE - - - core router - - - Aggregate router - - - Fortigate - - - LAN

    • @TheNetworkBerg, 7 months ago

      Then just add the interface inside the network on the SSLVPN settings that you want users to connect to.

  • @Gustavoutnfra, 1 year ago

    Hi, very nice video, congratulations!!! Please could you help me or give me any idea?
    I must authenticate a user with 2FA in FortiGate with email, which has already worked, but now I must authenticate the same way with all users from an Active Directory and I can't add a group for VPN, so all users from AD must authenticate with 2FA through email. Any idea how to do this? Thanks a lot.

  • @charlykjoseph, 1 year ago

    SSL VPN with Azure AD integration video link?

  • @arcis5538, 1 year ago

    My SSLVPN stopped connecting; on the FortiVPN client it just goes to 10%.

    • @TheNetworkBerg, 1 year ago, +1

      If you don't even hit 40% when the client asks to use the security cert then it is generally a client/internet issue, can you actually reach the FortiGate you are trying to SSLVPN to? Can you ping it? Is the SSLVPN port correct on your client? You may want to use debugging commands or review the firewall logs to see if traffic is hitting the firewall and what the potential errors could be.

    • @arcis5538, 1 year ago

      @@TheNetworkBerg It does ping. No matter what I do, it just doesn't reach the server. I read in some forum that using mobile data did establish the connection; I tried, it doesn't work, but it goes up to 40% and then errors again.

  • @andrey0001, 1 year ago

    It's not clear why you switched to Forti. Without a license, there is no point in using it. And even for educational purposes. Without a license, it is heavily curtailed.

    • @TheNetworkBerg, 1 year ago, +1

      I just happen to use Forti and I figured sharing some of my experience in tutorial formats could help a few other people in the ISP space. I definitely agree that the temp VM license is very... limited in what you can achieve :(, although what I have seen the FortiOS image does give you full license functionality so you can really do everything including UTM filters. But Forti has definitely hard coded this with something to break the VM after like 30 minutes or so. So for demonstration purposes I have been recreating a VM and reimporting backups to showcase stuff, like SSLVPN in this video.

    • @andrey0001, 1 year ago, +1

      @@TheNetworkBerg I use Forti in production. On Forti a lot of features can be used in the CLI, not in the GUI. It was so interesting to watch your video about solutions that can be implemented immediately without licenses. Of course you can see it, but, in my opinion, you turned somewhere in the wrong direction :-)