Mantra Networking Mantra Networking

FortiGate Firewall: Virtual Private Network (VPN)

FortiGate Firewall: Virtual Private Network (VPN)
Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Common VPN Terminology
  • Supported VPN Types on FortiGate
  • Example VPN Configuration Steps
  • Troubleshooting Checklist
  • Useful FortiGate CLI Commands
  • Conclusion

FortiGate Firewall: Virtual Private Network (VPN) Overview

What Is a FortiGate VPN?

A FortiGate VPN is a secure, encrypted communication tunnel created by FortiGate firewalls, enabling private data exchange over public or untrusted networks. FortiGate, developed by Fortinet, is a widely used network security appliance that offers robust firewall protection along with advanced VPN capabilities. The VPN feature allows organizations to connect remote offices, users, and devices securely, as if they were on the same local network.

Why You Need to Know About FortiGate VPN

  • Secure Remote Access: With more employees working remotely, secure access to internal resources is essential. FortiGate VPNs enable staff to connect safely from anywhere in the world.
  • Branch Office Connectivity: Businesses with multiple locations can use VPNs to securely link branch offices, ensuring seamless communication and data sharing.
  • Data Privacy and Compliance: VPNs encrypt sensitive data in transit, helping organizations meet regulatory requirements and protect against cyber threats.
  • Cost Savings: By leveraging public internet connections instead of dedicated leased lines, VPNs reduce networking costs while maintaining security.
  • Flexible Access: FortiGate supports both site-to-site and remote access VPNs, accommodating a variety of connectivity needs.

How FortiGate VPN Works

FortiGate firewalls establish VPN connections using industry-standard protocols such as IPsec and SSL. Here’s a simplified breakdown of how it works:

  1. Initiation: A VPN connection is initiated by a user (remote access) or another network device (site-to-site).
  2. Authentication: Both ends authenticate each other using pre-shared keys, certificates, or user credentials to ensure only authorized parties connect.
  3. Encryption: Data sent through the VPN tunnel is encrypted, making it unreadable to anyone intercepting the traffic.
  4. Secure Transmission: The encrypted data travels across the public internet or other untrusted networks.
  5. Decryption: At the receiving end, the FortiGate firewall decrypts the data, delivering it securely to its destination.
  6. Access Control: Policies on the FortiGate firewall determine what resources can be accessed through the VPN, further enhancing security.

FortiGate VPNs are highly configurable, supporting different deployment scenarios such as connecting entire networks (site-to-site) or individual users (remote access) using either IPsec or SSL protocols. This flexibility makes them suitable for organizations of all sizes and industries.

Common VPN Terminology

Understanding these key terms will help you navigate FortiGate VPN configurations and documentation:

  • VPN (Virtual Private Network): A secure connection established over a public network, allowing private data to be transmitted as if devices were directly connected.
  • IPsec (Internet Protocol Security): A suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a communication session.
  • SSL VPN (Secure Sockets Layer VPN): A VPN solution that uses SSL/TLS protocols to provide secure remote access, often via web browsers or dedicated client software.
  • Tunnel Mode: A VPN mode that encrypts the entire IP packet for secure transmission between networks or devices.
  • Split Tunneling: A configuration that allows VPN users to access both the secure VPN network and the public internet simultaneously.
  • Pre-shared Key: A shared secret used for authentication between VPN endpoints during the establishment of secure connections.
  • Authentication: The process of verifying the identity of a user or device before granting access to the VPN.

Supported VPN Types on FortiGate

FortiGate firewalls support multiple VPN types to accommodate different networking needs and security requirements. Here are the main VPN types supported:

  • IPsec VPN:
    • Site-to-site (gateway-to-gateway): Used to securely connect two or more networks over the internet, typically between branch offices and headquarters.
    • Remote access (client-to-gateway): Allows individual users to connect securely to the corporate network from remote locations using VPN client software.
  • SSL VPN:
    • Web mode: Provides secure access to internal web applications and resources via a standard web browser without the need for client software.
    • Tunnel mode: Uses a dedicated client to create a secure tunnel for full network access, supporting a broader range of applications beyond just web-based ones.

Example VPN Configuration Steps

Below are step-by-step examples for configuring both IPsec and SSL VPNs on a FortiGate firewall. These steps are designed to provide a practical guide for common deployment scenarios.

IPsec Site-to-Site VPN (Gateway-to-Gateway)

  1. Access the FortiGate GUI:
    Log in to your FortiGate firewall’s web interface.
  2. Launch the IPsec Wizard:
    Navigate to VPN > IPsec Wizard and choose Site to Site as the VPN type.
  3. Configure Phase 1 Settings:
    • Set the Remote Gateway (the public IP of the remote site).
    • Choose the appropriate Interface (typically your WAN).
    • Set the Authentication Method (Pre-shared Key or Certificate).
    • Configure IKE Version, Encryption, and Authentication parameters.
  4. Configure Phase 2 Selectors:
    • Define Local and Remote Subnets that will communicate over the tunnel.
    • Set Encryption and Authentication algorithms.
  5. Create Firewall Policies:
    Allow traffic between the local and remote networks by creating appropriate firewall policies.
  6. Test and Monitor:
    Check the VPN tunnel status under Monitor > IPsec Monitor and test connectivity between sites.

SSL VPN (Remote Access)

  1. Enable SSL VPN:
    Go to VPN > SSL-VPN Settings and enable SSL VPN on the external interface (e.g., wan1).
  2. Configure Listening Port and Certificates:
    • Set the Listen on Port (default is 443).
    • Select or upload a Server Certificate for SSL encryption.
  3. Define IP Ranges for SSL VPN Clients:
    Specify the IP address pool that will be assigned to connecting VPN clients.
  4. Set Authentication and Portals:
    • Map User Groups to specific Portal Profiles (e.g., full-access or web-only access).
  5. Create Firewall Policies:
    Allow SSL VPN traffic to the internal resources by creating a policy with the SSL VPN interface as the source.
  6. Test User Access:
    Use FortiClient or a web browser to connect to the SSL VPN portal and verify access to permitted resources.

Troubleshooting Checklist

Use this step-by-step checklist to systematically identify and resolve common FortiGate VPN issues:

  1. Verify VPN Configuration:
    • Double-check all VPN settings on both ends, including remote gateway IP, interface, and authentication method (pre-shared key or certificate).
    • Ensure encryption, authentication, and Diffie-Hellman group settings match exactly on both firewalls.
  2. Check Phase 1 (IKE) Status:
    • Use the GUI or CLI command diagnose vpn ike gateway list name <phase1-name> to confirm Phase 1 is established.
    • If Phase 1 is down, look for mismatched pre-shared keys, incorrect remote IP, or proposal mismatches.
  3. Check Phase 2 (IPsec) Status:
    • Confirm Phase 2 is up using diagnose vpn tunnel list name <phase1-name>.
    • Ensure local and remote subnets (selectors) are exact opposites on each firewall.
    • Check that Phase 2 proposals (encryption/authentication) match.
  4. Review Firewall Policies and NAT:
    • Verify firewall rules allow traffic between the correct source and destination networks for the VPN.
    • Check NAT settings; enable NAT traversal if either firewall is behind NAT.
  5. Confirm User Authentication:
    • For SSL VPN, ensure user credentials and group mappings are correct.
    • Test with a known-good user account.
  6. Check Routing and DNS:
    • Ensure routing tables on both the firewall and client devices include the correct VPN subnets.
    • Verify DNS settings to resolve internal resources over the VPN.
  7. Monitor Logs and Debug:
    • Review VPN logs for errors or negotiation failures.
    • Use CLI commands like diagnose debug application ike -1 and diagnose debug enable for deeper troubleshooting.
  8. Test Connectivity:
    • Ping or traceroute between local and remote hosts to confirm tunnel functionality.
    • Check for packet loss or fragmentation (adjust MTU if necessary).
  9. Consult Documentation and Support:
    • Refer to official FortiGate documentation and knowledge base for error codes and advanced troubleshooting.
    • Collect logs and configuration details if escalating to Fortinet support.

Useful FortiGate CLI Commands

These CLI commands help you monitor, troubleshoot, and manage VPNs on your FortiGate firewall. Use them step by step to verify tunnel status, debug issues, and gather essential information:

  1. List All VPN Tunnels and Status:
    diagnose vpn tunnel list
    Displays all configured VPN tunnels and their current status (up/down), including Phase 2 details.
  2. Check VPN Phase 1 (IKE) Status:
    diagnose vpn ike gateway list
    Shows the status of all Phase 1 IKE negotiations.
  3. Monitor SSL VPN User Sessions:
    get vpn ssl monitor
    Lists current SSL VPN user sessions, their IP addresses, and connection status.
  4. Display Phase 1 Configuration:
    show vpn ipsec phase1-interface
    Outputs the configuration for all Phase 1 VPN interfaces.
  5. Enable IKE Debugging (for VPN Troubleshooting):
    diagnose debug application ike -1
    diagnose debug enable
    Enables detailed IKE debugging logs. Use diagnose debug disable to stop debugging when finished.
  6. Filter Debug Output by Remote Gateway:
    diagnose vpn ike log-filter dst-addr4 <remote_IP>
    Filters debug logs to show only messages related to a specific remote gateway IP.

These commands are essential for day-to-day VPN administration and troubleshooting on FortiGate devices. Always remember to disable debugging after use to avoid performance impact.

Conclusion

Throughout this blog post, we explored the essentials of setting up and managing Virtual Private Networks (VPNs) on FortiGate firewalls. We started by clarifying common VPN terminology, ensuring you have a solid foundation for understanding FortiGate’s features. We then reviewed the supported VPN types, including both IPsec and SSL VPNs, and walked step-by-step through example configurations for each.

To help you maintain and troubleshoot your VPNs, we provided a practical checklist for resolving common issues and shared a set of essential FortiGate CLI commands for monitoring and debugging.

Key takeaways:

  • FortiGate firewalls support both IPsec and SSL VPNs for a wide range of secure connectivity needs.
  • Understanding basic VPN terms and concepts is crucial for effective configuration and troubleshooting.
  • Following a structured, step-by-step approach makes VPN setup and management much easier.
  • The right CLI commands can save you significant time when diagnosing VPN issues.

We hope this guide helps you confidently deploy and manage VPNs on your FortiGate firewall. If you have any questions or want to share your experiences, feel free to leave a comment below. Thanks for reading, and happy networking!

Share Share Share Share Share Email