SSL VPN

This chapter describes new SSL VPN features added to FortiOS 5.4.

Control the cipher suites that can be used by an SSL VPN (304741)

Administrators can now ban the use of specific cipher suites for SSL VPN in the CLI, so that PCI-DSS (Payment Card Industry Data Security Standard) requirements can be met.

CLI syntax

config vpn ssl settings
    set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384]

SSL VPN monitor enhancements (258700)

The SSL VPN monitor GUI page has been updated, with additional usability improvements.

Change to SSL VPN authentication (306982)

SSL VPN authentication has been refined to fix an issue regarding authentication policies being ignored.

Local and remote users that belong to multiple groups and match multiple policies authenticate against the first matched policy (a policy that matches the user directly has higher priority than one that matches by group), and their traffic is allowed through all matched policies.

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

  • SSL VPN web portal redesigned.
  • SSL VPN tunnel mode widget no longer works in the web portal. The tunnel mode widget used a deprecated NPAPI plugin mechanism to send the tunnel client to the browser for local system execution—this is a popular exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
  • SSL VPN Web mode RDP Native java applet removed.
  • Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
  • Cache cleaning function has been removed.
  • If updating to 5.4.1, see above (258700).

Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This attribute enables or disables verification of the Referer field in the HTTP request header, in order to prevent Cross-Site Request Forgery (CSRF) attacks against the SSL VPN web portal after a user has authenticated.

Syntax:

config vpn ssl settings
    set check-referer [enable|disable]
end
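The check that check-referer turns on can be illustrated with a small origin comparison. This is an added example, not Fortinet's implementation; the portal origin (vpn.example.com on port 10443) and the request headers are constructed values.

```python
"""
Referer/Origin verification for a web portal, as an illustration of the CSRF
protection that `set check-referer enable` adds to SSL VPN web mode.
Added example, not FortiOS code; portal origin and headers are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed portal origin: SSL VPN web portal listening on port 10443 (constructed).
PORTAL_ORIGIN = "https://vpn.example.com:10443"


def _origin(url: str) -> Optional[str]:
    """Return the normalized scheme://host:port of a URL, or None if it is not a
    parseable http(s) URL (covers the literal Origin value "null" and junk)."""
    try:
        p = urlsplit(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # e.g. a non-numeric port
        return None
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def referer_allowed(headers: dict, portal_origin: str = PORTAL_ORIGIN) -> bool:
    """Accept a state-changing portal request only if its Origin header (preferred)
    or, failing that, its Referer header names the portal's own origin.

    Comparing the whole origin (scheme, host and port) rather than doing a substring
    match rejects look-alike hosts such as vpn.example.com.evil.com and URLs that
    merely mention the portal in their query string.  A request without either
    header is rejected: it cannot be told apart from a forged cross-site request,
    so the safe default is to deny.
    """
    expected = _origin(portal_origin)
    hdr = {k.lower(): v for k, v in headers.items()}
    source = hdr.get("origin") or hdr.get("referer")
    if not source:
        return False
    return _origin(source) == expected
```

With the check enabled, a browser that suppresses the Referer header on cross-site navigation will also be refused, which is the usability trade-off this protection carries.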


Group-based SSL VPN bookmarks (292125)

This CLI-only feature allows administrators to add bookmarks for groups of users. SSL VPN sends only the bookmark entries of the matched group to the client.

Syntax:

config vpn ssl web portal
    edit "portal-name"
        set user-group-bookmark [enable | disable] (default: enable)
    next
end

config vpn ssl web user-group-bookmark
    edit "group-name"
        config bookmark
            edit "bookmark1"
                ....
            next
        end
    next
end

DTLS support (227138)

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS support can be enabled in the CLI as described below.

Syntax

config vpn ssl settings
    set dtls-tunnel [enable | disable] (default: enabled)
end

Added options to allow firewall addresses to be used in routing table for SSL VPN (265430)

If a destination Named Address is set in Network > Static Routes, and Address Range is set to Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN refreshes the routing table automatically.

HTTP to HTTPS redirect support (278728)

The admin HTTP port can now be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

  • SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.
  • SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below.

Syntax:

config vpn ssl settings
    set https-redirect [enable | disable] (default: disabled)
end

Removed guest group and SSO group (303041)

Guest group and SSO group have been removed from config user group and config vpn ssl web user-group-bookmark.

CLI changes (299319)

Removed the following obsolete/unnecessary portal options from the CLI:

config vpn ssl web portal
    edit <name>
        set auto-prompt-mobile-user-download    REMOVED
        set display-forticlient-download    REMOVED
        set display-history-limit    REMOVED
        set page-layout    REMOVED
        set cache-cleaner    REMOVED
end


Removed the following unnecessary RDP bookmark options from the CLI in preparation for HTML5 RDP:

config vpn ssl web <user-bookmark|user-group-bookmark>
    edit <group/user name>
        config bookmarks
            edit <bookmark>
                set full-screen-mode    REMOVED
                set screen-height    REMOVED
                set screen-width    REMOVED
                set keyboard-layout    REMOVED
        end
end