Configuring SSL-VPN Access with 2FA via Email on Fortigate with FortiAuthenticator

Preface

In today’s remote-first world, securing access to your network infrastructure is more critical than ever. One popular solution is using SSL-VPN on FortiGate firewalls, which provides encrypted access to internal resources over the internet. However, ensuring that this access remains secure and properly authenticated is key to protecting your environment from unauthorized users.

We will walk through the steps to set up SSL-VPN access on FortiGate using FortiAuthenticator for authentication management. With FortiAuthenticator, you can easily integrate two-factor authentication (2FA) and centralized user management, adding an additional layer of security to your VPN access. Whether you’re new to Fortinet solutions or looking to strengthen your existing setup, this guide will help you implement a robust, secure SSL-VPN solution.

Prerequisite

  • Access to the Fortigate Device/VM;
  • Access to the FortiAuthenticator Device/VM;
  • The following information about the user we are about to create:
    • The username;
    • The email address (used for OTP delivery);
    • Which resources they need access to.

Procedure

Topology

Create the User in FortiAuthenticator

  1. Login to FortiAuthenticator;
  2. Open Authentication -> User Management -> Local Users menu;
  3. Select Create New button in upper-left corner;
  4. Fill the Username;
  5. For the password, in Password creation, select specify a password and enter your desired password;
  6. Enable Allow RADIUS authentication;
  7. Disable Force password change on next logon;
  8. For Role, select User;
  9. Check the configuration again, and then click Save.

After the entry is initialized, the page will be reloaded and more options to fill will appear. You can continue the process:

  1. Enable One-Time Password (OTP) authentication, and then:
    1. For Deliver token codes from, select FortiAuthenticator;
    2. For Deliver token code by, select Email.
  2. For User Information part, fill with as much information as you can;
  3. Make sure the Email part is valid, because this will be used for 2FA;
  4. For Password Recovery Options, enable Email recovery;
  5. For RADIUS Attributes, select + Add RADIUS Attributes, and then:
    1. For Vendor, select Fortinet;
    2. For Attribute ID, select Fortinet-Group-Name;
    3. For Value, fill with the group name you need. Note the group name, because this will be used again in the Fortigate.
  6. Check the whole configuration again, and then select Save.

The user is now created, but we still need to change the user password to the randomized one. To do that:

  1. Select the user you just created from the list of users, and then in Password Authentication select Change Password;
    1. In Password creation, select Set and email a random password.
    2. Click Save.

The user configuration is now done.

Create and Configure User Group in FortiGate

  1. Login to Fortigate;
  2. Open User & Authentication -> User Groups menu;
  3. Select Create New button in upper-left corner;
  4. For Name, fill with the same group name as in the RADIUS attribute in FortiAuthenticator;
  5. For Type, select Firewall;
  6. Keep the Members part empty, because we will take the users from FortiAuthenticator;
  7. In Remote Group part, select the + Add button;
  8. Select the RADIUS server that is pointed towards FortiAuthenticator;
  9. In Groups part, select Specify, and then enter the previous group name again in the form;
  10. Select OK button.

At this point, the group is already set up, but you still need to map the user group to a VPN portal.

  1. Open VPN -> SSL-VPN Settings menu;
  2. Scroll to the Authentication/Portal Mapping part at the bottom;
  3. Select the appropriate portal, and then in the opened sidebar, in Users/Groups form add the groups you just created;
  4. Select OK.
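The same user group and portal mapping can be built from the FortiGate CLI. The following is an added example, not configuration from the original guide; it assumes a RADIUS server object named FAC-RADIUS pointing at a FortiAuthenticator on 192.0.2.10, the group name GroupA (the Fortinet-Group-Name value set on the FortiAuthenticator user), and the default full-access portal. The shared secret is a placeholder.

```fortios
# Added example, not from the original guide. Assumed names: RADIUS server
# object "FAC-RADIUS" (FortiAuthenticator at 192.0.2.10), group "GroupA",
# default portal "full-access". Replace the secret placeholder with your own.

# RADIUS server object pointing at FortiAuthenticator (normally already present).
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret "<shared-secret-placeholder>"
        set auth-type pap
    next
end

# Email OTP delivery takes longer than the default 5-second remote
# authentication timeout; raise it so the user has time to read and type the token.
config system global
    set remoteauthtimeout 60
end

# Firewall group with no local members. Membership is decided by the
# Fortinet-Group-Name attribute returned by FortiAuthenticator, matched here.
config user group
    edit "GroupA"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "GroupA"
            next
        end
    next
end

# Authentication/Portal Mapping: members of GroupA land on the full-access portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "GroupA"
            set portal "full-access"
        next
    end
end

# Check: run a test authentication against FortiAuthenticator and confirm the
# reply carries the expected group attribute before testing from a VPN client.
diagnose test authserver radius FAC-RADIUS pap <username> <password>
```

If the test succeeds but the returned group list does not contain GroupA, the match table above will not place the user in the group and the portal mapping will not apply; recheck the Fortinet-Group-Name value on the FortiAuthenticator user.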

Create and Configure Policy in Fortigate

  1. Open Policy & Objects -> Firewall Policy menu;
  2. Select + Create New button in upper left corner;
  3. Configure the new policy:
    1. For Name, create a descriptive name, like VPN GroupA -> ServerA;
    2. For Incoming Interface, select SSL-VPN tunnel interface (ssl.root);
    3. For Outgoing Interface, select the outgoing interface according to the routing table of the destination IP Address;
    4. For Source, in the opened sidebar:
      1. In Address tab, select SSL-VPN user IP Pool;
      2. In User tab, select the User Group you just created.
    5. For Destination, in the opened sidebar, select/create the destination IP address;
    6. For Service, select/create the needed Services/Port. Be as specific as possible;
    7. For Inspection Mode, select Flow-based;
    8. Disable NAT unless you are configuring an outgoing connection to the Internet;
    9. For Security Profiles, select the following:
      1. Enable AntiVirus, select av-block;
      2. Enable Application Control, select block-high-risk;
      3. Enable IPS, select high-security;
      4. For SSL Inspection, select certificate-inspection.
    10. In Logging Options:
      1. Enable Log Allowed Traffic and select All Sessions;
      2. Disable Generate Logs when Session Starts;
      3. Disable Capture Packets;
    11. Add Comments if you want;
    12. Turn on Enable this policy;
    13. Click OK.
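The policy above expressed in the FortiGate CLI, as an added example that is not part of the original guide. It assumes the group GroupA, a destination address object ServerA (constructed here as the single host 10.0.0.10, reachable through port2), and HTTPS as the only allowed service; SSLVPN_TUNNEL_ADDR1 is the default SSL-VPN IP pool object, and the security profile names are the ones the guide selects.

```fortios
# Added example, not from the original guide. Assumed: group "GroupA",
# destination host 10.0.0.10 behind "port2", HTTPS only. Adjust to your routing.

# Destination object, constructed for this example.
config firewall address
    edit "ServerA"
        set subnet 10.0.0.10 255.255.255.255
    next
end

# "edit 0" allocates the next free policy ID.
config firewall policy
    edit 0
        set name "VPN GroupA -> ServerA"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "ServerA"
        set groups "GroupA"
        set schedule "always"
        set service "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set av-profile "av-block"
        set application-list "block-high-risk"
        set ips-sensor "high-security"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set logtraffic-start disable
        set capture-packet disable
        set nat disable
        set comments "SSL-VPN users in GroupA to ServerA over HTTPS only"
        set status enable
    next
end

# Checks: review the resulting policy and, after a client connects,
# confirm the user is logged in with the expected group.
show firewall policy
get vpn ssl monitor
```

Because the policy matches on both the tunnel address pool and the group, a user who authenticates but is not returned as a member of GroupA by FortiAuthenticator gets a tunnel address yet matches no policy, so the traffic is dropped and logged by the implicit deny rule; that log entry is the first place to look when a user reports connecting but reaching nothing.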

Conclusion

Setting up SSL-VPN on FortiGate with FortiAuthenticator adds a strong layer of security by using centralized user management and two-factor authentication. This helps ensure that only the right people have access to your network, reducing the risk of unauthorized access.

With FortiAuthenticator, managing and securing VPN access becomes easier and more effective. By following this guide, you can build a secure and reliable VPN setup that protects your network while keeping things simple for users.
