Configure Remote SSL VPN in FortiGate with CLI

Steps to configure Remote SSL VPN in FortiGate with CLI

  1. Create an “ssl.root” tunnel interface for the SSL VPN
config system interface
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "Remote SSL VPN interface"
    next
end
  2. Create an IP pool (10.28.28.10 – 10.28.28.20) to be assigned to Remote SSL VPN users
config firewall address
    edit "SSLVPN_IP_POOL"
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.28.28.10
        set end-ip 10.28.28.20
    next
end
  3. Create a local user called sslvpn
config user local
    edit "sslvpn"
        set type password
        set passwd P@ssw0rd
    next
end
  4. Create a group called SSLVPN and add the sslvpn user as a member
config user group
    edit "SSLVPN"
        set member "sslvpn"
    next
end
  5. Enable tunnel mode on the full-access portal and assign it the IP pool created in step 2 (the portal’s ip-pools setting must reference that pool, otherwise clients get addresses from a different range)
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_IP_POOL"
    next
end
  6. Configure the SSL VPN settings with the Let’s Encrypt SSL certificate (assumed to be already imported as "AventisLab.com"), listening on wan1 port 443
config vpn ssl settings
    set servercert "AventisLab.com"
    set tunnel-ip-pools "SSLVPN_IP_POOL"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set dtls-tunnel enable
end
  7. Create a firewall policy allowing members of the SSLVPN group to reach the “internal” (LAN) interface from the “ssl.root” interface with full access (LOCAL_LAN is assumed to be an existing address object covering the LAN subnet)
config firewall policy
    edit 20
        set name "SSLVPN_Internal"
        set uuid b4e3d12a-c85e-51e8-e8c4-30306608ec39
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LOCAL_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN"
    next
end

Users should now be able to connect to the FortiGate SSL VPN.
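As an added check (example code written for this article, not FortiGate's own tooling), the script below parses the CLI blocks from the steps above into a dictionary and verifies the cross-references between them: every IP pool named by the portal or by the global settings must be defined as a firewall address, the default portal and the group members must exist, and any policy whose source is a tunnel interface must reference defined groups and destination objects. SAMPLE_CONFIG is constructed from the page's own steps, with the portal pointing at the firewall's default SSLVPN_TUNNEL_ADDR1 pool instead of SSLVPN_IP_POOL so the checker has something to find; LOCAL_LAN is reported only because this snippet does not define it.

```python
import shlex

# Constructed sample: the configuration blocks from the steps above, joined into one
# FortiOS CLI script. The portal deliberately references SSLVPN_TUNNEL_ADDR1 (the
# firewall's default pool) rather than SSLVPN_IP_POOL, so the checker has something to find.
SAMPLE_CONFIG = """
config system interface
edit "ssl.root"
set vdom "root"
set type tunnel
next
end
config firewall address
edit "SSLVPN_IP_POOL"
set type iprange
set associated-interface "ssl.root"
set start-ip 10.28.28.10
set end-ip 10.28.28.20
next
end
config user local
edit "sslvpn"
set type password
set passwd P@ssw0rd
next
end
config user group
edit "SSLVPN"
set member "sslvpn"
next
end
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
next
end
config vpn ssl settings
set tunnel-ip-pools "SSLVPN_IP_POOL"
set default-portal "full-access"
end
config firewall policy
edit 20
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "all"
set dstaddr "LOCAL_LAN"
set action accept
set service "ALL"
set groups "SSLVPN"
next
end
"""


def parse_fortios(text):
    """Parse flat FortiOS CLI blocks into {table: {entry: {key: [values]}}}.

    Tables without an 'edit' (for example 'vpn ssl settings') keep their settings
    under the entry key None. Nested 'config' sub-tables inside an 'edit' do not
    occur in the blocks on this page and are not handled.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours the "quoted names" FortiOS prints
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
            entry = None
        elif cmd == "edit":
            entry = tokens[1]
            tables[table][entry] = {}
        elif cmd == "set":
            tables[table].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def lint_sslvpn(tables):
    """Return findings: dangling references, plus warnings for over-broad tunnel policies."""
    addr = tables.get("firewall address", {})
    groups = tables.get("user group", {})
    users = tables.get("user local", {})
    portals = tables.get("vpn ssl web portal", {})
    settings = tables.get("vpn ssl settings", {}).get(None, {})
    tunnels = {n for n, i in tables.get("system interface", {}).items() if i.get("type") == ["tunnel"]}
    out = []
    for name, p in portals.items():
        out += [f"portal {name}: ip-pools {x} not defined here" for x in p.get("ip-pools", []) if x not in addr]
    out += [f"settings: tunnel-ip-pools {x} not defined here" for x in settings.get("tunnel-ip-pools", []) if x not in addr]
    out += [f"settings: default-portal {x} not defined" for x in settings.get("default-portal", []) if x not in portals]
    for g, grp in groups.items():
        out += [f"group {g}: member {m} is not a local user" for m in grp.get("member", []) if m not in users]
    for pid, pol in tables.get("firewall policy", {}).items():
        if not set(pol.get("srcintf", [])) & tunnels:
            continue  # only policies that admit SSL VPN clients are of interest here
        out += [f"policy {pid}: groups {g} not defined" for g in pol.get("groups", []) if g not in groups]
        out += [f"policy {pid}: dstaddr {a} not defined here" for a in pol.get("dstaddr", []) if a != "all" and a not in addr]
        if not pol.get("groups"):
            out.append(f"policy {pid}: no groups set, any SSL VPN user matches")
        if pol.get("service") == ["ALL"] and pol.get("dstaddr") == ["all"]:
            out.append(f"policy {pid}: service ALL to dstaddr all is unrestricted")
    return out


if __name__ == "__main__":
    for finding in lint_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against a `show full-configuration` dump of the relevant tables, the same checks apply; the one worth keeping even after the pool mismatch is fixed is the policy check, since a tunnel policy without `set groups` lets any account that can authenticate to the portal through.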

Some useful commands for troubleshooting Remote SSL VPN

  1. Show active SSL VPN users and tunnels with execute vpn sslvpn list
FG60E # execute vpn sslvpn list
SSL VPN Login Users:
 Index   User    Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       sslvpn          1(1)            296     14.1.227.206   0/0     0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       sslvpn          14.1.227.206    670     24470/35484    10.28.28.10
  2. To disconnect a single SSL VPN user, replace <index> with the Index value shown in the sessions list above
execute vpn sslvpn del-tunnel <index>
  3. To disconnect all SSL VPN users
execute vpn sslvpn del-all
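To turn the list output into something a monitoring job can act on, here is an added Python example (written for this article, not Fortinet's code) that parses both tables printed by `execute vpn sslvpn list` and flags tunnels whose source address falls outside a constructed allow-list of expected networks or that have been up longer than a threshold, producing the matching del-tunnel command for each flagged index. The sample output is the one shown above; the allow-list networks and the duration threshold are assumptions.

```python
import ipaddress

# Constructed sample: the `execute vpn sslvpn list` output shown above, verbatim.
SAMPLE_LIST_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       sslvpn          1(1)            296     14.1.227.206   0/0     0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       sslvpn          14.1.227.206    670     24470/35484    10.28.28.10
"""


def parse_sslvpn_list(output):
    """Split the output into its two tables; data rows are whitespace-separated."""
    users, sessions, section = [], [], None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("SSL VPN Login Users"):
            section = "users"
            continue
        if stripped.startswith("SSL VPN sessions"):
            section = "sessions"
            continue
        if stripped.startswith("Index"):
            continue  # column header row
        cols = stripped.split()
        if section == "users" and len(cols) == 7:
            users.append({"index": int(cols[0]), "user": cols[1], "auth_type": cols[2],
                          "timeout": int(cols[3]), "from": cols[4],
                          "http": cols[5], "https": cols[6]})
        elif section == "sessions" and len(cols) == 6:
            bytes_in, bytes_out = cols[4].split("/")
            sessions.append({"index": int(cols[0]), "user": cols[1], "source_ip": cols[2],
                             "duration": int(cols[3]), "bytes_in": int(bytes_in),
                             "bytes_out": int(bytes_out), "tunnel_ip": cols[5]})
    return users, sessions


def review_sessions(sessions, expected_networks, max_duration=8 * 3600):
    """Flag tunnels from unexpected source networks (constructed allow-list) or
    older than max_duration seconds; attach the CLI command that would drop each."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for s in sessions:
        reasons = []
        src = ipaddress.ip_address(s["source_ip"])
        if not any(src in n for n in nets):
            reasons.append(f"source {s['source_ip']} outside expected networks")
        if s["duration"] > max_duration:
            reasons.append(f"duration {s['duration']}s exceeds {max_duration}s")
        if reasons:
            flagged.append({"index": s["index"], "user": s["user"], "reasons": reasons,
                            "command": f"execute vpn sslvpn del-tunnel {s['index']}"})
    return flagged


if __name__ == "__main__":
    _, active = parse_sslvpn_list(SAMPLE_LIST_OUTPUT)
    # Assumed allow-list: the example treats 14.1.0.0/16 as the expected user network.
    for hit in review_sessions(active, ["14.1.0.0/16"], max_duration=600):
        print(hit["user"], hit["reasons"], "->", hit["command"])
```

The review function only returns the command text; deciding whether to run it is left to the operator, since a long-lived tunnel from an expected network is usually a user who forgot to disconnect, not an incident.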
