SSL-VPN using the browser [FortiGate Firewall]

 Network Diagram:




Configuration:

Interface:

config system interface
       edit "port2"
        set vdom "root"
        set ip 10.10.10.108 255.255.255.0
        set allowaccess ping ssh http
        set type physical
        set alias "LAN"
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 14.140.40.108 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "WAN"
        set lldp-reception enable
        set role wan
        set snmp-index 3
    next

 

Address book:

config firewall address

edit "SSLVPN_TUNNEL_ADDR1"
        set uuid ad606276-d523-51ec-bf32-87226020dd8c
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
edit "14.140.40.0/24"
        set uuid 1985c2e4-0caa-51ed-73e9-f60c5378342e
        set associated-interface "port3"
        set subnet 14.140.40.0 255.255.255.0
    next

Policy:

config firewall policy
    edit 3
        set name "allow"
        set uuid 707d673a-0ca7-51ed-0f95-6ebc0f5815d5
        set srcintf "ssl.root"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "14.140.40.0/24"
        set schedule "always"
        set service "ALL"
        set users "test"
    next
end

User:

config user local

edit "test"
        set type password
        set passwd-time 2022-07-25 23:10:37
        set passwd ENC sMIT5FQP9O11aMYZsvbUxwibxt08nQwW0ko5FSYtljFrcpbUK7kndnQRqKZXFrbrnf+dbfJ9AkAf2KCDECb8d4KGrjoyXoJ2LJFVHvanMSC0535fO+C854QG2YasD4lL9YDwVjpY39JjebY7aGrjR+xRPR98PpRc23/19W2s68Lg7/3UU6eZgfGfegOYnB2kLJszXQ==
    next
end

SSL VPN:

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end
config vpn ssl settings
    set servercert "SSL"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 4430
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set users "test"
            set portal "full-access"
        next
    end
end


















Comments

Post a Comment

Popular posts from this blog

Configure IPsec site-to-site VPN in Linux Machine

Image
 Configure IPsec site-to-site VPN in Linux Machine: Update the system and install the package  apt update && sudo apt upgrade -y  apt install strongswan -y Check if the following kernel parameter is set or not sysctl net.ipv4.ip_forward=1 To list all configured parameters: sysctl -a root@ubuntu-server-main:~# sysctl net.ipv4.ip_forward=1 net.ipv4.ip_forward = 1 root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_redirects = 0 root@ubuntu-server-main:~# sysctl net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.send_redirects = 0 root@ubuntu-server-main:~# Network Diagram: IPsec Config: Configure the PSK and update the VPN endpoints ++++++++++++++ cat /etc/ipsec.secrets # source      destination 192.168.0.2   192.168.0.108 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ" ++++++++++++++ cat /etc/ipsec.conf: config setup         charondebug="all"         uniqueids=yes  
Read more

TACACS+ Installation on Linux [CentOS]

 TACACS+  Installation on CentOS: In the example below I will show you how to install tac_plus on a CentOS server. There’s a RPM available so this will save you the hassle of compiling the source code yourself. Let’s add the repository first: [root@server ~]# cd /etc/yum.repos.d/ [root@server yum.repos.d]# vim nux-misc.repo We will create a new repository file where we can grab tac_plus. This is what you should enter: [nux-misc] name=Nux Misc baseurl=http://li.nux.ro/download/nux/misc/el6/x86_64/ enabled=0 gpgcheck=1 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro Save the file and install tac_plus with the following command: [root@server ~]# yum --enablerepo=nux-misc install tac_plus That’s all you need to do. All configuration is done from a single config file. Let’s take a look at its contents: [root@server /]# vim /etc/tac_plus.conf You will see a lot of things in this default configuration file. Let me walk you through some of the fields. The first thing you see is a key,
Read more

Free Radius setup/configuration in Linux [Ubuntu/CentOS]

Free Radius setup/configuration in Linux [Ubuntu/CentOS]   1) Free RADIUS Client: CentOS:  yum install freeradius-utils Ubuntu: apt-get install freeradius-utils   2) Free RADIUS Server: Add the client device to free RADIUS server: i) vi /etc/freeradius/3.0/clients.conf  ii) Append below lines to the file above ############# client FortiGate-VM64-Xen {        ipaddr           = 192.168.0.108        secret           = testing123 } client sumit-linux-amp {        ipaddr           = 192.168.0.190        secret           = testing123 } #############   iii) Add users to the RADIUS server: Append below lines to the file "users" > vi /etc/freeradius/3.0/users #############  sumit1 Cleartext-Password := "password" sumit2 Cleartext-Password := "password"   #############   iv) restart the free RADIUS services: Ubuntu: > systemctl restart freeradius   CentOS: >  systemctl restart freeradius                   > sudo firewall-cmd --add-service={http,https,ra
Read more