Forked from githubfoam/fortigate - ssl-vpn cheat sheet
Created April 9, 2023 21:06
fortigate - ssl-vpn cheat sheet
#====================================================================================================================================
#Explain SSL-VPN tunnel interface (ssl.root) in fortigate, ChatGPT
Fortinet's FortiGate firewall devices support SSL-VPN (Secure Sockets Layer Virtual Private Network) to provide
secure remote access to network resources. The SSL-VPN tunnel interface (ssl.root) is a virtual interface that is
automatically created by the FortiGate device when SSL-VPN is enabled.
Virtual interface: The SSL-VPN tunnel interface is a virtual interface that can be used to route traffic between the
remote user's device and the corporate network. This allows administrators to apply security policies to SSL-VPN traffic
just like any other network traffic.
#====================================================================================================================================
#ChatGPT
The correct statements regarding tunnel-mode SSL VPN are:
a) Split tunneling is supported.
b) It requires the installation of a VPN client.
e) An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.
Explanation:
a) Split tunneling is supported: In tunnel-mode SSL VPN, it is possible to configure split tunneling, which allows only the necessary traffic to go through the VPN tunnel and the rest of the traffic to use the regular Internet connection.
b) It requires the installation of a VPN client: To establish a tunnel-mode SSL VPN connection, VPN client software must be installed on the user's device. The client software can be downloaded from the FortiGate unit or from the Fortinet support portal.
c) It requires the use of an Internet browser: This statement is not correct. Tunnel-mode SSL VPN does not require the use of an Internet browser, as it relies on VPN client software.
d) It does not support traffic from third-party network applications: This statement is not correct. Tunnel-mode SSL VPN supports traffic from any network application that runs on the user's device and has access to the Internet.
e) An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit: This statement is correct. In tunnel-mode SSL VPN, the FortiGate unit assigns a virtual IP address to the client, which is used to establish the VPN tunnel and access the internal network resources. The virtual IP address is dynamically assigned from a preconfigured IP address pool.
#=====================================================================
#troubleshoot ssl-vpn tunnel firewall policy
Network > Diagnostics > Debug Flow > Advanced
Source IP -> Public IP (what is my public ip? - web browser)
diagnose debug flow filter saddr IP
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 10
diagnose debug disable
diagnose debug reset
#=====================================================================
#Troubleshoot VPN connections, Forticlient
FW02 # diagnose debug flow filter addr 172.16.7.58
FW02 # diagnose debug flow filter port 443
FW02 # diagnose debug flow show function-name enable
FW02 # diagnose debug flow show iprope enable
FW02 # diagnose debug flow trace start 10
FW02 # diagnose debug enable
#Troubleshoot VPN connections, Forticlient
#CLI
FW02 # diagnose debug flow filter addr 177.166.76.5
FW02 # diagnose debug flow filter port 443
FW02 # diagnose debug flow show function-name enable
FW02 # diagnose debug flow show iprope enable
FW02 # diagnose debug flow trace start 10
FW02 # diagnose debug enable
#GUI
Network > Diagnostics > Advanced (Source IP, Destination IP)
#=====================================================================
#Troubleshoot VPN connections
#https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/993282/troubleshooting-common-issues
# Web
#SSL VPN debug command
diagnose debug application sslvpn -1 # -1 for detailed results.
diagnose debug enable
diagnose debug disable #disable the debug
diagnose debug reset #clear all debug settings and filters
diagnose test authserver ldap #LDAP authentication test
diagnose debug application fnbamd -1 #debug LDAP or RADIUS authentication (fnbamd)
diagnose debug reset
diag debug application ike -1
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr 1.2.3.4
diagnose debug app ike 255
diagnose debug enable
#IPSEC VPN debug
diagnose vpn ike log-filter name <phase1-name>
diagnose debug app ike -1
diagnose debug enable
FortiGate-KVM # config vpn ssl settings
FortiGate-KVM (settings) # show
# diag debug disable
# diag debug reset
# diag debug application sslvpn -1
# diag debug enable
#Execute the following commands in the FortiGate, connect to SSL VPN and observe the logs.
#Reproduce the issue by observing the logs for errors
# diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable
diag debug disable
# get vpn ssl monitor #check the tunnel login, check the web portal login
#check the SSL VPN connection using the GUI
Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
#===============================================Show info per connection======================
#FortiOS v7.2.x VPN logs
Log & Report > System Events > VPN Events
#====================================================================================================================================