Configuring a FortiGate SSL VPN

Configuring SSL VPN settings

To reserve a range of IP addresses for tunnel-mode clients

1Go to VPN > SSL > Config.

2In the Tunnel IP Range fields, type the starting and ending IP addresses (for example, 10.254.254.80 to 10.254.254.100).

3Select Apply.

Enabling strong authentication through security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). Strong authentication can be configured for SSL VPN user groups by selecting the Server Certificate and Require Client Certificate options on the VPN > SSL > Config page. However, you must first ensure that the required certificates have been installed.

To generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and/or restore installed certificates and private keys, refer to the FortiGate Certificate Management User Guide.

Specifying the cipher suite for SSL negotiations

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link.

1Go to VPN > SSL > Config.

2In Encryption Key Algorithm, select one of the following options:

If the web browser on the remote client is capable of matching a 128-bit or greater cipher suite, select Default - RC4(128 bits) and higher.

If the web browser on the remote client is capable of matching a high level of SSL encryption, select High - AES(128/256 bits) and 3DES. This option enables cipher suites that use more than 128 bits to encrypt data.

If you are not sure which level of SSL encryption the remote client web browser supports, select Low - RC4(64 bits), DES and higher. The web browser must at least support a 64-bit cipher length.

3Select Apply.

Setting the idle timeout setting

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. To improve security, keep the default value of 300 seconds.

1Go to VPN > SSL > Config.

2In the Idle Timeout field, type an integer value. The valid range is from 10 to 28800 seconds.

3Select Apply.

FortiOS v3.0 MR7 SSL VPN User Guide

 

01-30007-0348-20080718

37

Page 37
Image 37
Fortinet FORTIOS V3.0 MR7 manual Specifying the cipher suite for SSL negotiations, Setting the idle timeout setting

FORTIOS V3.0 MR7 specifications

Fortinet's FortiOS v3.0 MR7 marks a significant advancement in network security and management, providing organizations with enhanced features, technologies, and characteristics to better protect their IT environments. This version of FortiOS is designed to facilitate comprehensive security and optimized performance, ensuring that organizations can safeguard their networks against evolving threats.

One of the main features in FortiOS v3.0 MR7 is its robust firewall capabilities. The stateful firewall technology enables dynamic packet filtering based on predefined security policies. This strengthens the organization's perimeter defense by allowing or denying traffic based on user-defined rules. Additionally, the integrated Application Control feature extends the firewall's capabilities by identifying and controlling applications regardless of port usage, enabling organizations to enforce security policies on a finer-grained level.

FortiOS v3.0 MR7 also introduces advanced intrusion prevention system (IPS) functionalities. The next-generation IPS utilizes deep packet inspection and real-time threat intelligence to detect and block attacks before they can compromise the network. Coupled with Fortinet’s threat research team, which ensures timely updates of security signatures, this system helps organizations mitigate risks posed by sophisticated cyber threats.

Another key characteristic of FortiOS v3.0 MR7 is its enhanced VPN capabilities. The support for both SSL and IPsec VPN allows secure remote access for employees and offers flexible options for secure communication over the internet. This feature is essential for organizations that embrace remote work, ensuring that sensitive data remains protected regardless of the user's location.

In addition to its powerful security features, FortiOS v3.0 MR7 includes advanced reporting and logging capabilities. Users can generate detailed reports that highlight security events, traffic patterns, and performance metrics. This data not only improves visibility into network security but also assists in compliance with regulatory requirements.

Moreover, the platform's user-friendly interface enhances the overall management experience. Administrators can quickly configure settings, monitor activity, and respond to incidents effectively. With centralized management capabilities, FortiOS v3.0 MR7 allows organizations to manage multiple devices from a single console, simplifying operations and reducing administrative overhead.

In summary, Fortinet's FortiOS v3.0 MR7 integrates a wealth of security features, including a stateful firewall, advanced IPS, VPN support, and comprehensive reporting functions. Together, these technologies ensure that organizations can maintain a strong security posture in an increasingly complex threat landscape.