FortiGate SSL VPN Config
I've recently started using the FortiGate products and put together a guide for setting up an SSL VPN. If at any time you want to factory reset the box, get to the CLI and type: 'exe factoryreset'
Enjoy
Ryan Partington
Fortinet SSL VPN Configuration
v0.02
Please find the manufacturer's documentation here.

The following guide requires up-to-date firmware to have been applied. In this example, version 6, update 2 is running on a FortiGate 50B. Assuming the FortiGate box is running the factory config, connect the WAN1 port to the router and your PC/laptop to one of the internal ports. Once you have received an IP address from DHCP, start a persistent ping to 4.2.2.2; this will be used to assess the connection to the internet. At present, as the FortiGate box has not been configured, you should see the above.
Login to the FortiGate box by browsing to the default IP address in a browser of your choice.
http://192.168.1.99. When prompted for the username and password, type 'admin' for Name: and leave the Password: field blank.
On the above screen, type in the external IP address and subnet mask the FortiGate box will use. All other options can remain at their defaults. In this example we use 217.155.48.156.

Next we must configure the default gateway for the FortiGate box. This IP address is usually the external static IP address of the router. In this example we use 217.155.48.158.

The VPN tunnel will run on a separate subnet. Configure the subnet that clients will use when connected to the tunnel. Ensure the ssl.root device is selected and 2 is used for the distance.

Next, enable the SSL technology and specify the range of IP addresses the clients will use. Under advanced settings you may manually add a DNS server; if not, the FortiGate box will automatically be used for DNS. (In the above screenshot we have typed the FortiGate box IP address in for DNS; this is not required.)

Now we must create all the users who will have access to the VPN tunnel.

Create a new group containing all the users created earlier. Ensure 'Enable SSL-VPN Tunnel Service' has been selected. All other options are optional.

Create a new address using the subnet defined earlier for the VPN clients, selecting the ssl.root interface.

Copy the above configuration to ensure all traffic is routable. Note that the action of the final policy is "SSL-VPN". No additional options need configuring while creating the rules; just ensure the Interface and Devices match those shown above.
Once complete, your ping requests to 4.2.2.2 should be answered. You may also want to try browsing the internet.
The following instructions focus on testing the VPN tunnel.

Browse to https://externalIP:10443 and type in the username and password of the account you created earlier.

Once you've logged in, use the 'Test Reachability' tool and type in the local IP address of the router or a device behind the router. If the test fails, please refer to the 'Setup and Configuration' documentation. If the test is successful, click 'Activate SSL-VPN Tunnel Mode'.

You may need to install an ActiveX control, which will control the VPN tunnel; once installed, you should see the above. When the Link Status is 'Up', try to ping the router IP address or another local device from a terminal or cmd prompt. You should now have a secure connection to the office network.
Update: One of our clients was experiencing SSL time-out issues after a number of hours' connection. I logged a call with Fortinet Support, who have been very good and responded with this:
Dear Customer,
You can set the SSL VPN time-out through the following CLI commands:
config vpn ssl settings
    set idle-timeout <seconds>
    set auth-timeout <seconds>
end
Regards
Jiji Thomas
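As an added example (not part of the original post or of Fortinet's reply), here is the same CLI with illustrative values filled in, together with the commands used to check the stored settings and the clients currently connected. The timer values are assumptions to adapt to your own policy, and the syntax should be checked against the documentation for the firmware in use.

```fortios
# Added example: illustrative values, not the settings from the original post.
# Both timers are in seconds; a value of 0 disables that timer entirely.
config vpn ssl settings
    # the portal port used for testing earlier in this guide
    set port 10443
    # drop a client that has sent no traffic for 30 minutes (default is 300)
    set idle-timeout 1800
    # force re-authentication after 12 hours regardless of activity (default is 28800)
    set auth-timeout 43200
end

# confirm what was stored and list the SSL VPN sessions currently up
show vpn ssl settings
get vpn ssl monitor
```

Raising auth-timeout keeps long-running sessions alive but also lengthens how long a stolen session remains valid, so keep the idle timer reasonably short to compensate.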
I've also been passed the details on how to perform a password reset. Enjoy
To do a password recovery, you need to do the following:
• Lost Password / Password Reset
Connect the terminal to the FortiGate unit using the provided null modem console cable and start your terminal program.
Power down the FortiGate unit, power it up again, and follow these steps within one minute of the restart.
Log on at the console with the user name "maintainer" and the password "bcpb" followed immediately by the unit serial number, exactly as it appears during the boot process or on the label on the device. E.g.
login as: maintainer
maintainer@192.168.1.99's password: bcpbF60DSL2903XXXXX8
If this does not work, check that you are typing the serial number correctly (copy and paste the serial number shown at boot) and confirm that it is being entered within 30 seconds of bootup.
Once logged in, change the admin password with the following commands:
config system admin
    edit admin
        set password <new-password>
end