NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 31
May 5, 2023

78. Lecture 78: Remote Access SSL VPN Web Portal Theory & Lab

So last time we discussed remote access VPN. Remote access VPN means that if some user from home or other premises wants to access your enterprise network remotely, we call that remote access VPN. They can use their mobile phone, they can use their PC, they can use their laptop. And there are two ways to configure remote access VPN. One is client-based VPN and the other one is clientless VPN. Client-based VPN means you have to install one application, okay? So when you install that application, your entire system's traffic will be encrypted and sent to your enterprise network, unless you have configured split tunneling, while the other one is just web-based. So web-based means you only require a web browser to open your resources, and you are limited to that browser for encrypting your traffic. So these are the two possible ways to configure remote access VPN. Now, there are two protocols used for remote access VPN.

One is IPsec, which can be used for site-to-site VPN as well, and we use it for that too; it is an open standard. And I told you all the details about IPsec VPN. So you can use IPsec VPN for site-to-site VPN, and it can also be used for remote access VPN. But you need FortiClient. FortiClient is just an application, like Palo Alto has their own application, GlobalProtect, so Fortinet has their own FortiClient to install on your system, okay? So that you can encrypt your data, send it to your organization and access their resources. The other protocol is SSL.

We also discussed this one in detail: Secure Sockets Layer, or TLS. SSL and TLS we call them together. By the way, these are two different vendor protocols, but altogether we refer to them as one, SSL and TLS. So you can use SSL to access the resources through the web and also to install FortiClient. So you can use this one as well for that purpose. And these are the major differences which we discussed last time. Okay? So we will use this type of topology to configure client-based VPN and clientless VPN. First we will configure SSL VPN for the web portal only. Okay? So let's go there.

So this is the same topology which we used last time. I just connected everything; nothing is configured. So this firewall has port1, which is in the 192.168.0.0 range, and this side is the 192.168.1.0 range. So this is my LAN side, where two servers are configured, 192.168.1.1 and 192.168.1.2. Okay? While on this side we have internet access, and also somewhere on the internet there is one PC with a 192.168.0.0-range IP, and somewhere on the web there is a web server which has the IP 192.168.0.200. Okay? So first we will access this FortiGate. What is the IP? So we will access this one: admin, 123, and show system interface. The first interface is always enabled. So we'll type this IP in the browser to access it. Okay, Advanced and Proceed, admin and 123. I put the 123 password because once I registered this FortiGate I put the IP; otherwise it's the same, nothing is configured. So this is FortiOS 6.4.2, which is the latest one; last time we upgraded. Okay, and what else? So let's go to Network. Sorry, go to Network > Interfaces; you will see there are four interfaces. The first port is connected to the WAN. Okay, this one. So let's assign WAN here, and this one will be from the same range, because I'm using this WAN as management as well. So that's why I enable all these things as well. And then OK. Another port is this one, port2.

So let's go to port2 and give it some name like LAN, suppose, and we decide to assign an IP in the 192.168.1.0 range with /24 as the subnet mask, and just allow ping on this interface for test purposes. Okay. So two interfaces are configured. Now, the second thing we need to configure is under Network > DNS. So let me apply Google DNS and the other DNS, 1.1.1.1; that's it. So two things have been configured: interfaces and DNS. The third thing we need to configure is a static route. So static route: 192.168.0.1 is my next hop, which is the gateway for us. Okay, and on which interface? Definitely on the WAN interface, and OK. Now, what do I need for VPN? I need some users to test with, so that they can log in. For that purpose we already know, and we discussed in detail, users and groups. So go to User & Authentication. There is User Definition. User Definition means creating users here; we already discussed this in detail: local user, remote RADIUS and LDAP. And these two we already did. And we also create local users. So for a local user I will say Local and let me give it, suppose, vpn1 and password 123. I will put Next; two-factor authentication I don't need, okay. And group: because I did not create a group, leave it for now. So I created vpn1, and let's create a new user as well, just for test purposes: vpn2 and 123. Next. You can give any name, by the way.

So two users are created locally. Now let's go to User Group, Create New, and let me give it the name VPN group, suppose, and Firewall, which means local. We already did this one. Okay. And Members: click on Members and add those two users which we just created. So VPN group is created locally. Now everything is ready, but before moving to VPN, let's create one address as well. Address object; you know, we know the address object. So address object: go to Policy & Objects. There is Addresses; you remember we discussed all these in detail. So let's create a new address and give it, suppose, LAN subnet. So my LAN subnet; give it any color you want. This is my LAN subnet, the 192.168.1.0 range, this one; by the way, this is the correct one. Let me copy this one. This is my LAN subnet.

Okay? And put that LAN subnet here, and interface: it can be from any interface. I don't need a static route for this purpose. But the LAN subnet object has been created. So now everything of mine is ready. I created users, I created one group for test purposes, I configured DNS, I configured interfaces, which we normally do, and I configured a route. Now I can go to VPN. For VPN I need to go to... let me put it like this one, so that you can see it on the top. So these are VPN. Last time we discussed that for SSL VPN there are two things: SSL-VPN Portals and SSL-VPN Settings. Let's go to SSL-VPN Portals. By default, when your device is licensed, either you are using an old model... I would suggest, if you don't have a license, use the VM version.

So you will find all these three. Like last time, I got an issue because on the new firewall they don't have these three options without a license. But I made it licensed now. So that's why it's showing all these three. For this purpose it is better to use the old model, version 5. So you will see all these just for VPN testing. So by default there are three SSL-VPN portals already configured. One is full-access. It means tunnel mode and web mode. We just discussed there are two types of VPN, okay? For client-based and clientless VPN. So both are enabled, which they call full-access. Another... this is just a name, by the way. Another one is tunnel-access.

Tunnel-access also... no, they have only tunnel mode, but they don't have web mode. And the third one is web-access. So they don't have tunnel mode, but they have web mode. So full-access has both. If you want to use this one, it's already a predefined template which is created for you, and you can utilize these as well. And you can even modify it: if you go to full-access and click on it, there's the name; just change the name. There's the tunnel mode, which addresses they will use. These are all the details, and which group and bookmark and everything is mentioned here, which is already created. But before using one of them, either... or create our own. The second thing is SSL-VPN Settings. Click on SSL-VPN Settings, because we want to do SSL-based VPN first. So they say SSL-VPN settings are not fully configured. They say not configured. You have to configure them first. So you will find it like this in a new firewall. Okay, so live with this one. We will come here later on. First they say Listen on Interface(s): on which interface will VPN traffic come? Definitely it is always coming on WAN, most of the time. So I say WAN. That's why I gave it the name WAN port, so that I know which port is my WAN. Okay, now they say Listen on Port 443. As you know, this WAN port I'm using for management as well, already enabled here. So because management is also using HTTPS, meaning 443, and SSL VPN is also using SSL, which is nothing but HTTPS, both are using the same port. So they say listen on port; change the port, they say, otherwise it's a conflict.

So I say okay, just give it anything. Suppose I say 4433; now I changed it, so the conflict is gone now. Then they say Redirect HTTP to SSL-VPN: if somebody types HTTP by mistake, I will redirect them to HTTPS. If you want that, just enable that one. Otherwise you have to strictly type HTTPS for it to work. Then they say Restrict Access, meaning who is going to come on VPN: Allow access from any host. Anybody can come, or you can limit them if you know your users who are going to come. So you can put the details here, and you can create addresses as well. But anyway, I say it can be anyone from the internet. Then they say Idle Logout: how long if somebody is not using the web portal? So after 300 seconds, if it is inactive, I will log out that person. If you say no, don't log out, then uncheck it. But anyway, it's a good idea, if somebody is not using it, to log them out, and you can change the time as well, which is in seconds. Then for SSL VPN, we already know everything is using a certificate. You know, every website you visit has a certificate. So they say you have a certificate too; you can upload a certificate here, there is a certificate place. But anyway, we will use their self-signed certificate for test purposes. It's enough for us to use this one. Now they say Require Client Certificate: is a client certificate a must or not? So we say no, because we want to test, and it's for lab purposes. Then there is Tunnel Mode Client Settings. This is tunnel related. If somebody is using client-based... right now we are not using client-based. But anyway, if they are using it, they require an extra IP, an extra IP range to assign to them. Okay, so they say Automatically assign addresses, or Specify custom IP ranges. You can specify custom. So there is already one created for us, the 10.x range. This is already created by default as an address object. If you want to create your own, just create your own and apply.

But anyhow, they already created it for you to utilize; you can even modify it as well if you don't like this range. So use this object; we just created one object for our LAN. So this is the same kind of object, but this is a range. The one which we used, we used subnet. So change the range if you don't like the range, or if it is not the one which you like. But anyway, I say okay to this range. If somebody is using tunnel-based... right now we will not use tunnel, but we just configure it for the next lab. Then they say, suppose, which DNS will they get: Same as client system DNS, or Specify. Whatever DNS the client is using, they will get their DNS. If you want, no, assign this DNS to the users: put their DNS, DNS 1 and DNS 2. WINS server: normally on our Windows we are using a WINS server, like PC 1, PC 2, Windows Server 1. This is called WINS, but normally we are not using it. So if you want, you can assign that as well. Now they say Authentication/Portal Mapping: which user will get which portal. You can assign different portals to different groups and different users as well, by the way.

So they say Create New, or there is already All Other Users/Groups, which has no portal set. First let's set this one for all other users. Assign them web-access. You remember I just showed you three portals already, and web-access means only web, limited. So I assign them this, but I have created my own as well. So Create New, and let me put my group which I already created before, so VPN group, and portal: I want to assign them web-access. There are three: web-access means only web portal; tunnel-access, only tunnel, client-based; and full-access, client-based and clientless both. Anyway, right now we are testing the SSL web portal only. So I say okay. So all other users will also access web-access, and my group will also be allowed to access the web-access portal; both I allowed. You can delete, you can edit, and you can send the detailed configuration to your email. Okay, they said so; this was the settings. So when I apply, the settings saved successfully. But on the top they are showing me that you are not finished yet, because you require two policies to allow VPN traffic. And as far as I know there is no firewall policy right now, because it's a fresh firewall; look, nothing is there, and without a policy no traffic will be allowed. So let me go back to VPN settings. All the things I changed; everything is okay now. But the only thing is, why not go from here? They will help us; it allows you to put most of the information automatically rather than going to Policy & Objects and creating from scratch. So click on this one.

So they take you here, this VPN interface, SSL-VPN, which is already created as an interface. So I say SSL VPN to LAN; they will access my LAN, because I want to give a remote user access from home to their enterprise network resources. That's why I need this one. Like nowadays, everybody is accessing their office from home; they are using this type of method. So I just give it this name, and this is the VPN. Incoming interface is VPN and outgoing interface is LAN. They will come to LAN. Source: from where will they come? From here. This is called the VPN tunnel address. This one, or you can say all; it's up to you, it can be any. But they say you need to mention the group as well. Yes, we have a group. So click on the second one and click VPN group. That means any IP, all.

Any IP, but the user will be a VPN group user, no one else, and only vpn1 and vpn2 are in this group. And destination will be all. I just give it anything. You can restrict it as well; you can put your LAN, the LAN segment which I created, 192.168.1.0, to only allow these accesses as well. So you can restrict them. Services you can restrict too. You can create your own group: only HTTP, telnet, whatever you want. But for now I will say all. Action will be ACCEPT. Inspection mode we already discussed. NAT will be allowed; no need to check the rule. But anyway, in real life you have to enable these: log all sessions, to record so that we can see. Okay, and enable the policy, and OK. So now one policy is created, and now the error is gone. Everything is ready here. But for the safe side I need to create one more policy, because this is from VPN to LAN. But what about when they come from outside? So I need to create SSL VPN to WAN, because SSL will come from WAN as well. So let me choose SSL-VPN; they will hit our WAN. Source will be all, but user will be this user only, not anyone else. And destination will be all; suppose this WAN. So that's why, and services can be anything, and that's it: all sessions, and OK. That's it. This was the method to enable SSL web-based VPN only.

So now my VPN is ready and now it's time to test it. So let me go to this Windows PC, okay, which is outside: any PC from home, from office, from bathroom, from the floor, from anywhere a person has internet. What will they do? They will hit our public IP, but the port will be 4433. So our public IP is this one, which is our WAN IP. So my WAN IP is 192.168.0.234. So let me go to this Windows PC. Okay, I'm here in the Windows PC. And what will I do here? I will type https: you remember I said they have to type HTTPS, otherwise they will not be redirected. And type 192.168.0.234, but the port number is 4433, and Enter. If everything is okay, they will ask you to click Advanced and Proceed, because we don't have a certificate. So click on it and it will open your web VPN. So what was our VPN user? vpn1, and the password was 123. Only these two users are allowed. And now I access the VPN. Okay. This SSL-VPN Portal, you remember this name was there. If you want to change this name, SSL-VPN Portal, you can give it your own name as well. Go to VPN and there is SSL-VPN Settings. And here it was the name, was it? Okay, yes, here, in the VPN portal web-access, is the name. So SSL VPN; suppose I put Smart as well, so that you can see it there. So this name is there. You can change the color as well. So now it's blue. You can change it to this one.

So now let's see if I go back and refresh, or I need to log out to see. So now the color has changed. And now I see SSL VPN, because I told them to allow the FortiClient download; where did I mention that? No, it was because I'm using an already predefined template; it is here, and in this SSL-VPN portal it is mentioned: Enable FortiClient download. That's why I can see this one. Let me minimize this FortiClient. But there is no bookmark in history. History is also enabled. If you see, there is User Bookmarks, Show Login History; there are the three portals which are already created. You can create your own and use them; just click and create. I will show you how to create one. But I'm using this one. So the name is web-access, which I use here. Okay. And there is Tunnel Mode, or Host Check. We don't want host check; otherwise it will check your firewall and everything. You can restrict that: only this operating system can take SSL VPN. You can restrict them and put Windows, whichever Windows you want. Okay. And then enable Web Mode. So that's the web mode title which is showing there. And that's the theme; you can change it to another theme. Show Session Information means whenever they log out, they will see their history as well, and session information as well. So let me, sorry, VPN: vpn1 and 123 was the user to log in. So now you will see your history when you log in.

Look, now it is showing my history: that two minutes before, you logged in. Okay. And also Download is showing here, and also New Bookmark, and Quick Connection is also showing, because we said Show Connection Launcher. So there is Show Connection Launcher, Show Session Information, and also Login History showing, and User Bookmarks. But we don't have a bookmark there. You see New Bookmark. I can create my bookmark, but there is none already. So suppose you want to create a bookmark for these two web servers to access quickly; just click here, okay. And give it Inside SRV, for HTTP, because I already enabled HTTP, and type the IP 192.168.1.1, which is the IP address of this web server, and description: type inside web server. So I created one bookmark. Let's create a new bookmark for some other type: FTP, RDP, a lot of things, like telnet. So let me put Inside SRV as telnet, because telnet is also enabled there, and type the IP 192.168.1.1, if you need a bookmark to easily access it. So I created two. Okay. For this inside server. So anybody who logs in through VPN will access them quickly. So now if I refresh, or I need to log out and see. Now I can see. So bookmark Inside SRV and Inside SRV Telnet; just click and you will access that server through telnet. Reconnect; connection closed. So I think telnet is not enabled there. So let me go there and click on this one. Okay. enable, configure, line vty 0 4, transport input all, password 123, login, and enable password 123, and do write. And now I hope I will access it. So reconnect, yeah.

And 123 and enable. Now I'm logged in. Do you think, maybe you are thinking, that you are logged in but this traffic will not be encrypted? No, it will be encrypted. Look, I'm logging in to the server. After that, all this connection, even though this is telnet, will be encrypted. Let me show you. Let me capture the packets here. Definitely traffic is coming here. Let me capture here. Okay, I cannot there, because it's not Wireshark; sorry, it's not GNS. So I definitely need to click here. Which port is connected to this PC? 0/1, and let me go there. Even though this is telnet traffic, it will be SSL traffic, TLS or SSL traffic. Look, it's TLS traffic. There is no telnet going. Let me go to Windows and connect again as telnet: exit, reconnect, 123. Even though I'm using telnet, this is encrypted. Look, there is no telnet traffic going. No telnet. Yes, this will be telnet if you capture after the firewall. The traffic is encrypted through SSL from here up to this point. But after this point, this one, it is not encrypted, because this is inside our organization. So if I capture packets here, on port2, now it will show me telnet, because this is inside. So inside is not encrypted. It is only encrypted up to that point. Let me type telnet here and let's generate traffic from there again. So let me go to Windows, exit and reconnect. Now you will see telnet, look, but before the firewall there is no telnet traffic. You got my point? So that's why we are using VPN: to encrypt our traffic and send it to our organization. But SSL VPN is limited. You are only limited to this browser.

If you go out from this, like this one, it will not be encrypted outside this one, this portal. This one is called SSL VPN, and it's limited only up to this point. You have some bookmarks to access quickly, such as a web server as well. Now you will access the web server: admin and 123. Now I will see that router; detailed things: admin, 123. Okay, so it's not configured. Let me configure it there. And this server I'm using as a web server as well. So how to configure it? ip http server, ip http authentication local, username admin privilege 15 password 123. What else do I need? That's it, right? So I made it HTTP as well. And I already bookmarked it as well for this purpose. So if I go here, and admin and 123, now I will access this router. Yes, Inside SRV, which I gave this name, Inside SRV. But this is HTTP traffic, but it will go encrypted here. Let me type http. Is there HTTP? HTTP, no. But when it goes out of the firewall there will be HTTP. Now HTTP, yes, there is HTTP, and you will see the user, whatever user I typed, if I go to GET. So on the first one, maybe you will find the username which we typed there. So behind the firewall everything is not encrypted, but up to this point everything is encrypted. You got my point? This is through SSL from here up to this point.

But from this point on, because this is our inside organization... So this is called SSL-based VPN, where we are limited to the browser only. And whatever we are accessing, you know, I accessed this one, which is HTTP-based. But who encrypted this traffic? This one above there, this one. So inside this packet they send it encrypted, even though this is unencrypted traffic. So this is the web portal, and you can go to Quick Connection. Like if you want to access SSH; I did not configure SSH. Like you want to ping 192.168.1.1, which is our inside server: Launch. You can ping it, so it's reachable. You can do VNC, you can do RDP. For RDP, I don't know if there is a user or not on the... okay, I don't have a server like VNC. SSH is not configured there. FTP, SFTP. So this is the quick launcher, Quick Connection. You can get a new bookmark if you create your own, and download what is called FortiClient for Windows. If you want to download FortiClient, because we will use this in another lab. So this is user one. In the same way you can log in with the other, vpn2.

We created vpn2 as our other user, with 123. But they both will get the same everything. You can change that as well, so that this user gets something else. So you have to change their portal details. Let me log in and verify how we know that somebody logged in. So let's go to... where to go? There is Log & Report, and there will be VPN, where we can see the monitor. Where is the Monitor tab? It's not showing. I need to check that. Last time we checked from here; it's not showing SSL. No, there is SSL. By the way, the Monitor tab is not showing for some reason. Now let me show if I can verify from here, so I can just see the source, destination and the session.

Okay, it's very strange. In the new one they removed the monitor, or I cannot see it; after Log & Report there is Monitor. You know, monitor for routes, monitor for everything. So from there you can verify who is logged in. But anyway, for some reason it's not showing. So I cannot show you who is logged in. User Definition, if I can see here... no, this is the edit; WiFi one. But after Log & Report there is nothing shown. VPN Events, if I can see from here. So it's showing here. By the way, they changed it in the new version. I just updated to the latest one, the one which was released today. So that's why some of the things have changed, okay. I thought there was something so that I can show you. Okay, so this is SSL VPN, who is logged in. But by the way, they have to show us the user in detail. These are the events only. Anyway, for some reason there is no way to show you who is logged in. But anyway, this is the way to configure SSL VPN. Okay?
