Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 57
78. Lecture-78: Remote Access SSL VPN Web Portal Theory & Lab.
So, last time we discussed remote access VPN. Remote access means some user from home or another premises wants to reach your enterprise network remotely; we call that a remote access VPN. They can use their mobile phone, their PC or their laptop. There are two ways to configure remote access VPN: one is client-based VPN and the other one is clientless VPN. Client-based VPN means you have to install one application. Once you install that application, all of your system's traffic is encrypted and sent to your enterprise network, unless you configure it to tunnel only part of the traffic. The other one is just web-based.
So, web-based only requires a web browser to open your resources, and only the traffic in that browser is encrypted.
So, these are the two possible ways to configure remote access VPN. Now there are two protocols used for remote access VPN. One is IPsec, which can be used for site-to-site VPN as well, and we use it that way; it is an open standard. I told you all the details about IPsec: you can use IPsec for site-to-site VPN, and it can also be used for remote access VPN, but then you need FortiClient. FortiClient is just an application, like Palo Alto has their own application, GlobalProtect.
So, Fortinet has their own FortiClient to install on your system, so that you can encrypt your data, send it to your organization and access the resources. The other protocol is SSL. We also discussed this one in detail: Secure Sockets Layer, or TLS, which is just its evolution; we call them all together SSL. By the way, these are two different protocol versions, but together we call them SSL. So you can use SSL to access the resources through the web portal and also by installing FortiClient.
So, you can use this one for that purpose as well. These are the major differences which we discussed last time. Okay, so we will use this type of topology to configure client-based VPN and clientless VPN. First we will configure SSL VPN for the web portal only. Okay, so let's go there.
So, this is the same topology which we used last time. I just connected everything; nothing is configured.
So, this firewall has port1 in the 192.168.200.x range, and the other side is the 192.168.1.x range.
So, on my inside there are two servers, configured as 192.168.1.1 and 192.168.1.2. On the other side we have Internet access, and somewhere on the Internet there is one PC with IP 192.168.100.200, and somewhere on the web there is a web server with IP 192.168.200.200. Okay, so first we will access this FortiGate. What is its IP? We log in on the console with admin / 123 and run show system interface. The first interface always has access enabled, so we'll type that IP in the browser to reach it: Advanced, Proceed, then admin and 123. I set the password to 123 once I registered this FortiGate; otherwise it's the same, nothing is configured. This is version 6.4.2, the latest one, which we upgraded to last time.
So, let's go to Network, Interfaces. You will see there are four interfaces. The first port is connected to the WAN, this one.
So, let's assign the alias WAN here. This one gets its address by DHCP, because I'm using it as the management interface as well.
So, enable all these administrative access options as well, and OK. Another port is this one, port2.
So, let's go to port2 and give it a name like LAN, and assign the IP 192.168.1.100 with a /24 subnet mask, and just allow ping on this interface for this purpose. Okay, so two interfaces are configured now. The second thing we need to configure is Network, DNS.
So, let me apply Google DNS and the other DNS, 1.1.1.1. That's it.
So, two things are done: interfaces and DNS. The third thing we need to configure is a static route: a default static route whose gateway is our next hop on the WAN side. On which interface? Definitely on port1, and OK. Now what do I need for the VPN? I need some users to test with, so that they can log in. We already know users and groups; we discussed them in detail.
So, go to User & Authentication. There is User Definition, which means creating users here. We already discussed this in detail: local user, remote RADIUS and LDAP. Those two we have already done, and we created local users too. For a local user I will say Local, and let me name it vpn1 with password 123, and Next. Two-factor authentication I don't need, and the group I'll leave for now because I did not create a group yet.
So, I created vpn1, and let's create a new user just for this purpose: vpn2 with password 123, Next, Next. You can give any name, by the way. So two users are created locally. Now let's go to User Groups, Create New, and let me name it VPN-group. Type Firewall means local; we already did this one. Okay, and Members: click on Members and add those two users which we just created.
So, the VPN group is created locally. Now everything is ready, but before moving to the VPN, let's create one address object for the LAN subnet. We already know about address objects.
So, go to Policy & Objects, Addresses. You remember we discussed all this in detail, so let's create a new address and name it LAN-subnet.
So, LAN-subnet. Give it any color you want. The LAN subnet is 192.168.1.0/24; this one, by the way, is the correct one, let me copy it. Put the LAN subnet here, and interface: it can be any interface, I don't need to tie it down for this purpose. The LAN subnet object has been created, so now everything is ready: I created the users, I created one group for this purpose, I configured DNS, I configured the interfaces, which we normally do, and I configured the static route. Now I can go to VPN. Let me zoom in a bit so that you can see it at the top.
So, these are the VPN menus. Last time we discussed that for SSL VPN there are two things: SSL-VPN Portals and SSL-VPN Settings. Let's go to SSL-VPN Portals. By default, when your device is licensed, either the physical or the VM model, you will find at least three portals. I would suggest that if you don't have a license, you use an older firmware build, because last time I had an issue: on the new firmware, without a license, these three options don't appear; I licensed mine, and then they were showing the three. For this purpose it's better to use the older version.
So, you will see these predefined portals.
So, by default there are three SSL-VPN portals already configured. One is full-access, which means tunnel mode and web mode. We just discussed that there are two types of VPN: client-based and clientless.
So, both are enabled in the one they call full-access, and that is just a name, by the way. Another one is tunnel-access: tunnel mode only, without web mode. And the third one is web-access: here they don't have tunnel mode anymore, but they have web mode.
So, full-access means both. If you want to use one of these, it's a predefined template created for you, and you can utilize these as well. You can modify any of them: if you go to full-access and click Edit, there is the name (just change the name), tunnel mode, the address pool they will use, all the details, which group, bookmarks, everything is mentioned here, already created. So either use one of them or create your own. The second thing is SSL-VPN Settings, which we need because we want to do SSL-based VPN first.
So, this is the SSL-VPN Settings page; it is not configured yet, and I'll show you how to configure it first.
So, you will find it like this on a new firewall. Okay, leave this warning; we will come back to it later on. First, Listen on Interface(s): on which interface will VPN traffic come? Definitely it is almost always coming on the WAN.
So, I say WAN. This is why I gave it the alias WAN, so that I know which port is my WAN. Okay, now there's Listen on Port: 443. You know, this one I'm using for management, so it is already in use here.
So, because management is also using HTTPS, meaning port 443, and SSL VPN is also using SSL, which is nothing but HTTPS,
both are using the same port.
So, they say: listen on port, change the port. If you don't, it's a conflict.
So, I say okay, just give it anything. Suppose I say 4433. Now I changed it.
So, the conflict is gone now. Then there is Redirect HTTP to SSL-VPN: if somebody types http by mistake, I will redirect them to https. If you want that, just enable it; otherwise they have to strictly type https for it to work. Then there is Restrict Access, meaning who is going to come in on the VPN. Allow access from any host: anybody can. Or you want to limit them: if you know where they are going to come from, you can put the details here, and you can create addresses as well. But anyway, I said it can be anyone from the Internet. Then there's Idle Logout: how long before logging somebody out who is not using the web portal.
So, after 300 seconds, if the session is inactive, I will log that person out. If you don't want this, uncheck it. But anyway, it's a good idea to log out somebody who is not using it, and you can change the time as well, which is in seconds. Then Server Certificate: we already know everything uses a certificate; every website you visit has a certificate.
So, if you have a certificate, you can upload it here; there is a certificate list. But anyway, we will use the self-signed certificate for this purpose; it is enough for us. Now there's Require Client Certificate: clients must present a certificate, or not.
So, we say no, because we want to test and that's the purpose. Then there are the Tunnel Mode Client Settings. This is tunnel-related: if somebody is using client-based VPN (right now we are not using that), they require an extra IP range to be assigned to them. Okay, so this can be automatically assigned, or you specify a custom range.
So, there is already one created for us: SSLVPN_TUNNEL_ADDR1. This is created by default as an address object. If you want to create your own, just create your own and apply it. But anyhow, they are already created for you to utilize. You can modify it as well if you don't like this range.
So, use this object. We just created one object for our LAN.
So, this is the same kind of object, but this one is a range, while the one we made uses a subnet.
So, change the range if you don't like it and it is not the one you want. But anyway, I say okay to this range. If somebody is using tunnel mode (right now we will not use it, but let's configure it for the next lecture), I suppose clients will get the same system DNS, meaning whatever DNS the client is already using. If you want, assign specific DNS servers to the users: put DNS server 1 and DNS server 2, normally a Windows server when we are in a Windows domain, like PC1, PC2 and Windows Server 1. This is for Windows domains; normally we are not using it.
So, if you want, you can assign those there. Now there is Authentication/Portal Mapping: which user will get which portal. You can assign different portals to different groups and to different users as well, by the way.
So, Create New; there is already an entry for All Other Users/Groups, which is not set yet. First, let's take this one for all other users and assign them web-access. You remember what I just showed you, the three portals? This one is limited to web mode only.
So, I assigned them that, but I have created my own group as well, so Create New, and let me put in my group which I already created before.
So, VPN-group, and for the portal I want to assign them web-access. There are three portals: web-access means only the web portal, tunnel-access is the client-based one, and full-access is client-based and clientless both. Anyway, right now we are testing the SSL web portal only.
So, I say okay. All other users will also get this, and my group will also be allowed to access this web-access portal. Both are there; you can edit them, and you can send the detailed configuration to your email. Okay.
So, this was the settings page.
So, when I click Apply, the settings are saved successfully, but at the top they show me that you are not finished yet, because you are required to create a policy to allow VPN traffic. And as far as I know, there is no firewall policy right now, because it's a fresh firewall: look, nothing is there. And without a policy, no traffic will be allowed.
So, let me go back to SSL-VPN Settings; all the things I changed are okay now. But the only thing is, why not go from here? It will help us by filling in most of the information automatically, rather than going to Policy & Objects and creating the policy from scratch. So click on this link.
So, they take you here. The incoming interface will be the SSL-VPN tunnel interface, ssl.root, which is already created under interfaces.
So, I name it SSL-VPN tunnel to LAN, because I want to give a remote user at home access to the enterprise network resources; that's why I need this one. And nowadays everybody is accessing their office from home, using this type of method.
So, I just give it this name. The incoming interface is SSL-VPN and the outgoing interface is LAN. Then source: where they will come from. You can say all, it's up to you, it can be any, but they say you need to mention the group as well. Yes, we have a group, so click on the second tab and pick VPN-group: any IP address, but the user must be a VPN-group user, nobody else, only vpn1 and vpn2, who are in this group. Destination will be all; I just give them everything. You can restrict them as well: you can put the LAN-subnet object which I created for 192.168.1.0/24, to allow only these accesses. Services: you can restrict them too, either all or a group of your own with only HTTP and Telnet, whatever you want. But for now I will say all. Action will be accept. Inspection mode we already discussed. NAT will be enabled; no need to check the other options. Enable logging of all sessions so that we can see them, okay, enable the policy and OK. So now one policy is created and the error is gone. Everything is here, but to be safe,
sorry, I need to create one more policy, because this one is from the VPN to the LAN. But what about traffic from the VPN going out to the WAN?
So, I need to create one from SSL-VPN to WAN, because traffic will come through the VPN for that as well.
So, let me choose SSL-VPN as the incoming interface; they will hit our WAN as the outgoing interface. Source will be all, but the user will be this group only, not anyone else, and destination will be all as well.
So, that's it. Services can be anything, and action is accept. Okay, that's it. This was the method to enable SSL web-based VPN only.
So, now my VPN is ready and it's time to test it.
So, let me go to this Windows PC, which is the outside PC. From home, from the office, from anywhere: a person who has Internet, what will they do? They will hit our public IP, but the port will be 4433.
So, our public IP is this one, which is our WAN IP.
So, my WAN IP is 192.168.200.234.
So, let me go to this Windows PC. Okay, I'm here on the Windows PC, and what I will do is type https, because as you remember I said you have to type https, otherwise they will not redirect, then 192.168.200.234, but the port number is 4433, and Enter. If everything is okay, they will ask you to click Advanced and Proceed, because we don't have a trusted certificate, so click on it and it will open your VPN portal.
So, what was our VPN user? vpn1, and the password was 123. Only these two users are allowed, and now I have accessed the VPN. Okay, this is the SSL-VPN portal. You remember this name was there. If you want to change this name, SSL-VPN Portal, you can give it your own name as well: go to VPN, there is SSL-VPN Portals, and here it was. Here we are: the web-access portal, and this is the name.
So, "SSL VPN": suppose I put it in capitals as well so that you can see it clearly.
So, this name is there, and you can change the color as well.
So, now it's blue; you can change it to this one.
So, now let's see if I go back and refresh. Or I need to log in again to see it.
So, now the colors have changed. And as I said, the VPN portal shows a download for FortiClient because I am using the already predefined template, and it's mentioned here: Enable FortiClient download. This is why I can see that. Let me minimize this FortiClient one. But there is no bookmark; history is also enabled. If you see, there is User Bookmarks, Show Login History. These are the three predefined portals; you can create your own, just click Create New, and I will show you how to create one, but I'm using this one.
So, the name is web-access, which I use here. Okay, and there is Host Check. We don't want host check, otherwise it will check your firewall and everything on the client. You can restrict it to only certain operating systems that can take SSL VPN: put Windows, whichever you want. Okay, and then enable Web Mode.
So, that's the web mode title which is showing there, and that's the theme, which you can change to another theme. Show Session Information means that when they log in they will see their history as well as session information.
So, let me log in again with vpn1 and 123.
So, now you will see your history when you log in. Look, now it's showing my history from two minutes before, when you logged in, okay, and also the download is here, and also New Bookmark, and the Quick Connection is also showing because we selected Show Connection Launcher.
So, Show Connection Launcher, sure. Show Session Information, and also Show Login History, sure, and User Bookmarks. But we don't have a bookmark there; you see New Bookmark. I can create my own bookmark, but currently there are none.
So, suppose you want to create bookmarks for these two servers to access them quickly: just click here, okay, give it the name Inside-server-HTTP (type HTTP, because I already enabled HTTP on the server), and type the IP 192.168.1.1, the IP address of this web server, and the description "inside server", and OK. So I created one bookmark. Let's create a new one; the bookmark type can be something else, like FTP, RDP and a lot of other things.
So, let me put Inside-server-Telnet, because Telnet is also enabled there, with the same IP 192.168.1.1, if you need a bookmark to get in easily.
So, I created two bookmarks for this inside server, and OK.
So, anybody who logs in through the VPN will access them quickly.
So, now if I refresh, okay, or I need to log out and log in again, now I can see them.
So, the bookmarks Inside-server-HTTP and Inside-server-Telnet are there. Just click and you will access that server through Telnet. Reconnect; connection closed.
So, I think Telnet is not configured there yet.
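The web-access portal as configured through the GUI above, with the two bookmarks, as FortiOS CLI. This is an added example, not something the lecture shows; it assumes the portal keeps the name web-access, that the bookmarks live in a bookmark group named gui-bookmarks (an assumed name), and that the server is 192.168.1.1 with HTTP and Telnet enabled, as in the lab.

```fortios
# Added example, not from the lecture: web-only portal with the two lab bookmarks.
# Assumptions: portal name web-access, bookmark group name gui-bookmarks, server 192.168.1.1.
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
        set tunnel-mode disable
        # Host check and OS check left off, as the lecturer chose for the lab.
        set host-check none
        set os-check disable
        set heading "SSL-VPN Portal"
        set theme blue
        # The portal widgets the lecturer turns on.
        set display-bookmark enable
        set user-bookmark enable
        set display-connection-tools enable
        set display-history enable
        set display-status enable
        set forticlient-download enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Inside-server-HTTP"
                        set apptype web
                        set url "http://192.168.1.1"
                        set description "inside server"
                    next
                    edit "Inside-server-Telnet"
                        set apptype telnet
                        set host "192.168.1.1"
                        set description "inside server"
                    next
                end
            next
        end
    next
end
```

Bookmarks defined in the portal are seen by every user mapped to that portal; `user-bookmark enable` additionally lets each user keep private ones. With `tunnel-mode disable` there is no virtual adapter on the client, so, as the lecture says, only what goes through this portal is carried inside the TLS session.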
So, let me go there and configure it on the router: line vty 0 2, transport input all, password 123, login, and enable password 123. Now it should accept the connection.
So, reconnect. Yeah: 123, and enable. Now I'm logged in. Maybe you are thinking that you are logged in with Telnet, so the traffic will be in clear text, but it will be encrypted. Look, I'm logging in to the server, and all of this connection, even though it is Telnet, will be encrypted. Let me show you by capturing the packets here. Traffic is definitely coming here. Let me capture here; I need to pick the right link, and which port is it? It is going to port 0/1, so capture on 0/1, and let me go there. You want to see Telnet traffic, but it will be SSL traffic; look at this traffic, there is no Telnet going. Let me go to the Windows PC and connect again: exit, reconnect, 123. You would think it's Telnet, and I'm using Telnet, but this is encrypted. Look, there is no Telnet traffic going at all. Yes, but if you capture after the firewall, the traffic is encrypted through SSL only from here up to this point; after this point it is not encrypted, because this is our organization's inside.
So, if I capture here, on port2, now it will show me Telnet, because this is the inside.
So, the inside is not encrypted; it is only encrypted up to that point. Let me type the telnet filter here and let's generate traffic from there again.
So, let me go to the Windows PC, exit and reconnect. Now you can see it here, but before the firewall there is no Telnet. You got my point.
So, that's why we are using VPN: to encrypt our traffic and send it to our organization. But this web-mode VPN is limited: you are limited to this browser only. If you step out of this portal, the traffic will not be encrypted. It is limited only to this portal, this SSL VPN page. You have some bookmarks, which are strictly for the web server. Now let's access it with admin and 123. No, this is not configured; let me configure HTTP on this server that I'm using, which is a router acting as a web server as well.
So, how to configure it: ip http server, ip http authentication local, username admin privilege 15 password 123. That's it, so I made it an HTTP server as well, and I already have a bookmark for it. So if I go here, admin and 123, now I will access this router. Yes: Inside-server-HTTP, which is the name I gave it. This is HTTP traffic, but it will be encrypted here; let me filter for http: there is no HTTP, but when it's out of the firewall on the inside there is HTTP. Yes, there is HTTP, and you will see the username, whatever user I typed; if you look at the first packets you will find the username which was typed there.
So, behind the firewall nothing is encrypted, but up to this point everything is encrypted. You got my point: this is encrypted from here up to this point, but from this point onward it is not, because this is our own organization.
So, this is called SSL-based VPN, where we are limited to the browser only. And whatever we are accessing is, you know, HTTP-based, but it is encrypted: the stuff we saw above is carried inside this one.
So, inside this SSL packet they encrypt it, even though the original traffic is unencrypted.
So, this is the web portal. You can go to Quick Connection if you want to get in quickly. Say you want to ping 192.168.1.1, which is our inside server: you can ping it, so it's reachable. You can do anything: RDP, if you have it; I don't have a server for VNC; SSH is not configured; FTP, SFTP.
So, this is the connection launcher, and New Bookmark if you want to create your own, and Download FortiClient for Windows if you want to download FortiClient, because that is what we will use in the next lecture.
So, this is user vpn1, and the same goes for the other one: you can log in with the other VPN user we created, vpn2 with 123, and they will both get the same portal. You can change that as well, so that this user gets something else.
So, you have to change their portal. Now let me log in and verify how we know there's somebody logged in.
So, let's go to the dashboard. There is Log & Report, and there should be a VPN monitor where we can see who is connected. Where is Monitor? It's not showing; I need to check. Last time we checked from here. It's still not there. By the way, this Monitor tab is not showing for some reason. Let me see if I can verify from here, where I can see the source and destination for this session. It's very strange: in the new version, they removed the Monitor. I cannot see it; under Log & Report there used to be Monitor, you know, with a monitor for everything.
So, from there you could verify who is logged in. But anyway, for some reason it's not showing.
So, I cannot show you who is logged in. User Definition: let me see here, no, this is just the added user. But under Log & Report there is nothing except VPN Events, where you can see it. Yes, it's showing here, by the way. They changed it in the new version, and I just updated to the latest one, which was released today.
So, that's why some of the things have changed. Okay, I thought there was something there that I could show you. Okay, so this is the SSL VPN web login. By the way, this only shows us the user and the event details. For some reason there is no monitor to show who is logged in. But anyway, that's the way to configure SSL VPN. Okay.
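Two checks from the FortiGate CLI for the points just made: the packet-capture demonstration (TLS on the outside, clear-text Telnet and HTTP on the inside) and the question of who is currently logged in when the GUI monitor is not where you expect it. This is an added example, not from the lecture or Fortinet documentation; it assumes port1 is the WAN, port2 the LAN, the listener on 4433 and the inside server at 192.168.1.1. The log-filter field names are an assumption.

```fortios
# Added example, not from the lecture. Assumptions: port1 = WAN, port2 = LAN,
# SSL-VPN listener 4433, inside server 192.168.1.1.
#
# 1) Where the web-mode proxy decrypts. Verbosity 4 prints interface names,
#    count 0 means run until Ctrl-C, "a" adds absolute timestamps.
# Outside the firewall: only TLS to the SSL-VPN listener should be visible.
diagnose sniffer packet port1 'tcp port 4433' 4 0 a
# Inside the firewall: the proxied Telnet and HTTP sessions are in clear text.
diagnose sniffer packet port2 'host 192.168.1.1 and (tcp port 23 or tcp port 80)' 4 0 a
# Verbosity 6 dumps the payload, so the Telnet keystrokes and the HTTP
# authorization header appear here and never on port1.
diagnose sniffer packet port2 'tcp port 23' 6 20
#
# 2) Who is logged in right now, without the GUI monitor.
get vpn ssl monitor
diagnose vpn ssl list
diagnose vpn ssl statistics
#
# 3) The same information from the event log the lecturer ends up using
#    (category 1 = event; the subtype filter field is an assumed name).
execute log filter category 1
execute log filter field subtype vpn
execute log display
```

The capture pair is the defender's version of the lecturer's Wireshark demonstration: the portal terminates TLS on the FortiGate and re-originates the inside connection, so anything behind the firewall (Telnet, HTTP Basic credentials) is exposed to whoever can see the LAN, and the VPN only protects the leg from the remote PC to port1.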