SSL VPN
New SSL VPN features include:
SSL VPN Configuration
Several changes have been made to how SSL VPNs are created and configured.
VPN Settings
The SSL VPN settings page, found at VPN > SSL > Settings, has been reorganized to be more intuitive. The settings are now found in the following sections:
- Connection Settings define how users connect and interact with an SSL VPN portal. This section includes Listen on Interface(s), Idle Logout, and Server Certificate.
- Tunnel Mode Client Settings define the settings that clients will receive upon connecting to the VPN. This section includes Address Range and Allow Endpoint Registration.
- Authentication/Portal Mapping allows you to assign different portals to different users and groups.
VPN Portal
New options for split tunneling have been added to SSL VPN portals, which are configured by going to VPN > SSL > Portals, including a routing address and a tunnel mode for IPv6. These options can also be configured in the CLI, using the command config vpn ssl web portal.
Creating the Firewall Policy
When creating a firewall policy for your SSL VPN, you will select ssl.root as the Incoming Interface. Also, source devices are not applicable to SSL VPN firewall policies.
For more information about using a virtual WAN link, please see the FortiGate Cookbook recipe SSL VPN for Remote Users.
ECDSA Local Certificates
ECDSA local certificates are now supported for SSL VPN Suite B. This allows the following:
- Importing ECDSA certificates.
- Generating ECDSA certificate requests.
- Using ECDSA certificates in SSL VPN.
- Using ECDSA certificates in the web-based manager.
ECDSA certificates can be generated using the following command in the CLI: exec vpn certificate local generate ec
RSA certificates are now generated using the following command: exec vpn certificate local generate rsa
Host Security Check Error Replacement Message
The replacement message that appears when an SSL VPN host security check fails can now be customized using the CLI.
Syntax
config system replacemsg sslvpn hostcheck-error
    set buffer <string>
    set header {none | http | 8bit}
    set format {none | text | html}
end
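As an added example (not from the FortiOS documentation), the following CLI session wires together the features described above: an ECDSA server certificate, a split-tunnel portal with IPv6, a least-privilege policy on ssl.root, and a custom host check message. The certificate, portal, group, address and interface names are assumed placeholders, and the exact command syntax is from the 5.x CLI as I recall it, not from this page.

```text
# Added example; quoted names are assumed placeholders.
# 1. Generate an ECDSA (Suite B) certificate and make it the server certificate.
execute vpn certificate local generate ec sslvpn-ec secp384r1 "CN=vpn.example.com"
config vpn ssl settings
    # Connection Settings: server certificate, listening interface, idle logout (seconds)
    set servercert "sslvpn-ec"
    set source-interface "wan1"
    set idle-timeout 300
    # Tunnel Mode Client Settings: address range handed to clients
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    # Authentication/Portal Mapping: only members of the group get this portal
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "tunnel-split"
        next
    end
end
# 2. Portal with split tunneling: only the routing address objects are sent
#    through the tunnel, for both IPv4 and IPv6.
config vpn ssl web portal
    edit "tunnel-split"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "internal-lan"
        set ipv6-tunnel-mode enable
        set ipv6-split-tunneling enable
        set ipv6-split-tunneling-routing-address "internal-lan6"
    next
end
# 3. Firewall policy: ssl.root is the incoming interface; scope it to the
#    tunnel address range, the VPN group and the internal destination only.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "internal-lan"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
    next
end
# 4. Replacement message shown when the host security check fails.
config system replacemsg sslvpn hostcheck-error
    set buffer "<html><body>Your device did not pass the security check. Contact the helpdesk.</body></html>"
    set header http
    set format html
end
```

Keeping the split-tunnel routing address and the policy destination limited to internal subnets means a compromised client only gains the tunnel's reachability, not a full default route through the FortiGate.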