Anthony_E
Community Manager
Article Id 196799

Description
This article describes the mandatory configuration requirement to turn on SSL VPN for FortiGate-6000/7000 series for FortiOS 5.x.x, 6.2.x, 6.4.2, and 6.4.6.

Note: SSL VPN load balancing is now supported by FortiGate-6000/7000 for FortiOS 6.4.8, see FortiGate-6000F SSL VPN load balancing, FortiGate-7000E SSL VPN load balancing, or FortiGate-7000F SSL VPN load balancing.

Solution
The recommended configuration is to forward SSL VPN sessions terminated on a FortiGate-6000/7000 series interface to the primary FPC/FPM.
This requires manually adding one or more flow rules.
It applies to both web-mode and tunnel-mode traffic.

This configuration also applies to FortiOS 6.4.8 if you disable SSL VPN load balancing.

Additional information

  • As a best practice, use a custom port for the SSL VPN listening port (for example, 10443). By default the listening port is 443. If the default port 443 is used, a flow rule with 443 as the destination port sends all other 443/HTTPS traffic to a single FPC/FPM, not just SSL VPN traffic.
  • If it is not possible to use a custom SSL VPN listening port, add the IP address of the interface that listens for SSL VPN sessions, together with the port number, to the flow rule to make it more specific.
  • Make sure the FortiClient settings are configured with the correct SSL VPN port.

Network Topology
SSL VPN user -----WAN-------(listening on port 8443) 6K/7K (Primary FPC/FPM)------------------LAN

Example flow rule if the SSL VPN server listening port is set to 8443:

# config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 8443-8443
        set forward-slot master
        set comment " ssl vpn server to primary worker"
    next
end

If DTLS is used for tunnel-mode SSL VPN, another flow rule has to be configured with the protocol set to UDP (17).

# config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 8443-8443
        set forward-slot master
        set comment " ssl vpn server to primary worker "
    next
end

If SSL VPN port customization is not possible, add the SSL VPN server IP address together with listening port 443 to the flow rule, for example:

# config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 <ip-address with subnet mask>
        set dst-l4port 443-443
        set forward-slot master
        set comment " ssl vpn server to primary worker"
    next
end
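The three flow rules above decide which FPC/FPM a session lands on by matching ether-type, protocol, destination address and destination port. The following Python script is an added example, not Fortinet's code and not part of this article: it parses flow-rule CLI blocks in the syntax shown above into a simplified model and reports where sample sessions would be forwarded. The 10.0.0.1/32 listener address, rule IDs 1 to 3, the 203.0.113.10 "unrelated HTTPS server" and the first-match ordering are assumptions of the model, not documented FortiOS behaviour. It illustrates the caveat from the bullet list: a 443 rule without dst-addr-ipv4 pins every HTTPS session to the primary worker, while adding the listener address limits the rule to SSL VPN traffic.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three flow rules from the article in one
# "config load-balance flow-rule" transcript (CLI prompt removed).
# 10.0.0.1/32 is a made-up address for the interface that terminates SSL VPN.
SAMPLE_CLI = """
config load-balance flow-rule
    edit 1
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 8443-8443
        set forward-slot master
        set comment "ssl vpn tcp on custom port"
    next
    edit 2
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 8443-8443
        set forward-slot master
        set comment "ssl vpn dtls on custom port"
    next
    edit 3
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 10.0.0.1/32
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn on default port, pinned by address"
    next
end
"""


@dataclass
class FlowRule:
    rule_id: int
    status: str = "enable"
    ether_type: str = "any"
    protocol: str = "any"
    dst_addr: Optional[ipaddress.IPv4Network] = None
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive port range
    forward_slot: str = "load-balance"             # model default: not pinned


def parse_flow_rules(cli_text: str) -> List[FlowRule]:
    """Parse 'edit ... next' entries into FlowRule objects.
    Only the fields this model uses are interpreted; others (comment) are ignored."""
    rules: List[FlowRule] = []
    current: Optional[FlowRule] = None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = FlowRule(rule_id=int(m.group(1)))
            continue
        if line == "next" and current is not None:
            rules.append(current)
            current = None
            continue
        if current is None or not line.startswith("set "):
            continue
        _, key, value = line.split(" ", 2)
        if key == "status":
            current.status = value
        elif key == "ether-type":
            current.ether_type = value
        elif key == "protocol":
            current.protocol = value
        elif key == "dst-addr-ipv4":
            current.dst_addr = ipaddress.IPv4Network(value, strict=False)
        elif key == "dst-l4port":
            low, _, high = value.partition("-")
            current.dst_ports = (int(low), int(high or low))
        elif key == "forward-slot":
            current.forward_slot = value
    return rules


def matches(rule: FlowRule, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Simplified match on ether-type, protocol, optional dst address, dst port."""
    ip = ipaddress.ip_address(dst_ip)
    if rule.ether_type == "ipv4" and ip.version != 4:
        return False
    if rule.protocol not in ("any", proto):
        return False
    if rule.dst_addr is not None and ip not in rule.dst_addr:
        return False
    if rule.dst_ports is not None and not (rule.dst_ports[0] <= dst_port <= rule.dst_ports[1]):
        return False
    return True


def forward_slot(rules: List[FlowRule], proto: str, dst_ip: str, dst_port: int) -> str:
    """Model assumption: the first enabled matching rule decides the slot;
    a session matching no rule stays under normal load balancing."""
    for rule in rules:
        if rule.status == "enable" and matches(rule, proto, dst_ip, dst_port):
            return rule.forward_slot
    return "load-balance"


# Constructed contrast case: a 443 rule with no dst-addr-ipv4, the pattern the
# article warns against, which pins every HTTPS session to the primary FPC/FPM.
BROAD_443_RULES = [FlowRule(rule_id=1, ether_type="ipv4", protocol="tcp",
                            dst_ports=(443, 443), forward_slot="master")]

if __name__ == "__main__":
    rules = parse_flow_rules(SAMPLE_CLI)
    for proto, ip, port in [("tcp", "10.0.0.1", 8443), ("udp", "10.0.0.1", 8443),
                            ("tcp", "10.0.0.1", 443), ("tcp", "203.0.113.10", 443)]:
        print(f"{proto} {ip}:{port} -> specific rules: {forward_slot(rules, proto, ip, port)}, "
              f"broad 443 rule: {forward_slot(BROAD_443_RULES, proto, ip, port)}")
```

Running the script shows that with the address-qualified rule set only sessions to the SSL VPN listener reach the primary worker, whereas with the broad 443 rule an unrelated HTTPS server at 203.0.113.10 is pinned as well.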

Related link:

https://docs.fortinet.com/document/fortigate-6000/6.4.6/fortigate-6000-release-notes/398770/special-...

Related Articles

Technical Tip : How to load balance SSLVPN web-mode traffic on FortiGate-6000 series
