5.2 SSL VPN
Key Takeaways
- SSL VPN gives remote users secure access over HTTPS, so it works from almost any network: the only thing that has to be open is outbound TCP 443 (or whatever port the FortiGate listens on), which nearly every network already allows.
- Web mode delivers a clickable portal of bookmarks in a browser with no software install; tunnel mode uses FortiClient to give the device a full virtual IP and route-level access.
- The SSL VPN portal controls what each user group sees — bookmarks, tunnel mode access, and whether split tunneling is enabled.
- Split tunneling sends only corporate-subnet traffic through the VPN while normal internet traffic exits locally, reducing load on the FortiGate.
- SSL VPN requires a firewall policy from the ssl.root interface to the internal network, scoped to the authenticated user groups.
Why SSL VPN Matters for NSE 4
Where IPsec connects sites, SSL VPN connects people. It is FortiGate's main client-to-site remote-access technology, letting an employee at home or on the road reach internal applications securely. Because it runs over TLS on the HTTPS port (TCP 443 by default), it traverses hotel, airport, and guest networks that block IPsec; almost every network allows outbound HTTPS. On the NSE 4 exam, the reliable test points are web mode vs tunnel mode, the portal, split tunneling, and the firewall policy that makes SSL VPN actually reach internal resources.
Note: Fortinet is progressively removing SSL VPN tunnel mode from entry-level FortiGate models in favor of ZTNA and IPsec VPN, so check the release notes for your model and FortiOS version before designing around it. SSL VPN remains in the NSE 4 objectives, and this section describes the feature as it works where it is still supported.
Web Mode vs Tunnel Mode
SSL VPN operates in two modes, and a single portal can offer one or both.
Web Mode (Clientless)
In web mode, the user opens a browser, navigates to the FortiGate's SSL VPN URL, logs in, and lands on the SSL VPN portal — a web page of bookmarks. Each bookmark proxies a specific internal resource (an internal website, an RDP or SSH host, a file share) through the FortiGate. No software is installed, which makes web mode ideal for unmanaged or kiosk devices, but access is limited to the protocols the portal proxies.
Tunnel Mode (FortiClient)
In tunnel mode, the user runs the FortiClient agent. FortiClient builds a full SSL/TLS tunnel and the endpoint receives a virtual IP address from an address range configured on the FortiGate. The device then behaves as though it is physically on the corporate network — it can reach any internal subnet permitted by firewall policy, using any application or protocol, not just what a portal proxies.
Web Mode vs Tunnel Mode Comparison
| Attribute | Web Mode | Tunnel Mode |
|---|---|---|
| Client software | None — any modern browser | FortiClient agent required |
| Access scope | Only resources published as portal bookmarks | Any internal subnet allowed by policy |
| Endpoint addressing | No virtual IP assigned | Virtual IP from an SSL VPN address range |
| Supported protocols | HTTP/HTTPS, RDP, SSH, VNC, SMB (via portal) | All IP-based protocols |
| Best for | Unmanaged or temporary devices, quick access | Managed devices needing full network access |
| Split tunneling | Not applicable (proxied per bookmark) | Configurable in the portal |
The SSL VPN Portal
The SSL VPN portal is the per-user-group profile that defines the remote-access experience. A portal specifies:
- Whether web mode, tunnel mode, or both are enabled.
- The list of predefined bookmarks users see, and whether users may add personal bookmarks.
- Whether split tunneling is on, and which routes/subnets it covers.
- The IP address pool handed to tunnel-mode clients.
- Portal appearance (theme, custom landing page).
Different user groups can be mapped to different portals — for example, contractors get a web-only portal with two bookmarks, while IT staff get a full tunnel-mode portal.
Bookmarks
A bookmark is a saved shortcut on the web-mode portal that points to one internal resource. Clicking a bookmark opens that resource proxied through the FortiGate, so the user never needs to know internal IP addresses or have a route to them. Bookmarks come in two kinds:
- Predefined bookmarks — created by the administrator in the portal and shown to every user in the assigned group.
- Personal (user) bookmarks — created by individual users for their own session, only if the portal allows it.
Each bookmark has a type matching the protocol it proxies: HTTP/HTTPS, RDP, SSH, VNC, SFTP/FTP, SMB file share, Telnet, or a Citrix/port-forward type.
Split Tunneling
Split tunneling controls which of a tunnel-mode client's traffic is sent through the SSL VPN:
- Split tunneling enabled — only traffic destined for the defined corporate subnets is routed into the tunnel. Everything else (general web browsing, streaming) goes directly out the user's local internet connection. This reduces load on the FortiGate and its internet link and keeps personal browsing off the corporate path.
- Split tunneling disabled (full tunnel) — all of the client's traffic is forced through the FortiGate, including internet-bound traffic. This lets the corporate firewall inspect and filter everything the remote user does, at the cost of more bandwidth and latency.
The choice is a security-versus-performance trade-off, and it is set per portal.
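The portal, bookmark, and split-tunneling options above map directly onto FortiOS CLI objects. The following is an added example (not configuration from the original page) that customizes FortiGate's two built-in portals, "web-access" and "tunnel-access", and adds a third full-tunnel portal for comparison. The address names (LAN_subnet, SSLVPN_POOL), the 10.0.1.0/24 LAN, the 10.212.134.200-210 pool, and the intranet and RDP hosts are assumptions constructed for the example.

```text
# Assumed objects (not from the page): LAN_subnet = 10.0.1.0/24,
# SSLVPN_POOL = virtual IPs handed to tunnel-mode clients.
config firewall address
    edit "LAN_subnet"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

config vpn ssl web portal
    # Built-in "web-access" portal customized for contractors:
    # web mode only, two admin-defined bookmarks, no personal bookmarks.
    edit "web-access"
        set web-mode enable
        set tunnel-mode disable
        set user-bookmark disable
        config bookmark-group
            edit "contractor-bookmarks"
                config bookmarks
                    edit "Intranet"
                        set apptype web
                        set url "https://intranet.corp.example"
                    next
                    edit "Ticketing RDP"
                        set apptype rdp
                        set host "10.0.1.20"
                        set port 3389
                    next
                end
            next
        end
    next
    # Built-in "tunnel-access" portal customized for IT staff:
    # tunnel mode with a virtual IP from SSLVPN_POOL, split tunneling
    # restricted to LAN_subnet, so only 10.0.1.0/24 is routed into the VPN
    # and the client's internet traffic exits locally.
    edit "tunnel-access"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_POOL"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_subnet"
    next
    # Full-tunnel variant for comparison: split tunneling off, so the
    # client's default route points into the VPN and every packet,
    # internet-bound included, crosses the FortiGate for inspection.
    edit "tunnel-full"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_POOL"
        set split-tunneling disable
    next
end
```

Two practitioner checks: with split tunneling enabled, anything not covered by split-tunneling-routing-address is invisible to the FortiGate, so keep that address list to the subnets remote users genuinely need; with the full-tunnel portal, users lose internet access entirely unless a second firewall policy from ssl.root to the WAN interface (with NAT enabled) exists, because the policy to the LAN alone does not cover internet-bound traffic.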
Authentication and User Groups
SSL VPN access is always tied to authentication — an anonymous SSL VPN is not a valid design. FortiGate can authenticate SSL VPN users against:
- Local users defined on the FortiGate.
- Remote servers — LDAP/Active Directory, RADIUS, or TACACS+.
- Two-factor authentication — FortiToken, email, or SMS one-time passwords layered on top.
Users are placed into firewall user groups. The SSL VPN settings then map each user group to a portal and the firewall policy references those same groups. This group mapping is what allows different users to receive different portals and different levels of internal access from one FortiGate.
FortiClient
FortiClient is Fortinet's endpoint agent. For SSL VPN it provides the tunnel-mode client: it negotiates the TLS tunnel, receives the virtual IP, installs the split-tunnel routes, and presents a connection UI to the user. FortiClient also delivers endpoint protection (antivirus, web filtering) and is the agent used for ZTNA. Web mode needs only a browser; tunnel mode needs FortiClient, and the free VPN-only edition (FortiClient VPN) is sufficient for that role.
The Firewall Policy SSL VPN Requires
Enabling SSL VPN settings and a portal still does not grant access to anything. You must create a firewall policy that permits the SSL VPN traffic into the network:
- Incoming interface: the SSL VPN virtual interface, ssl.root (or ssl.<vdom> in a VDOM).
- Outgoing interface: the internal/LAN interface holding the resources.
- Source: an address object (often all; for tunnel mode the SSL VPN IP pool is a tighter choice) plus the SSL VPN user groups. Adding the groups to the source is what enforces authentication on that policy: a session that does not belong to an authenticated member of a listed group does not match.
- Destination, service, schedule: scoped to what remote users should reach.
In current FortiOS versions the SSL VPN setup includes creating the address objects and this policy as explicit steps, but the principle the exam tests is constant: without an ssl.root-to-internal policy referencing the authenticated user groups, an SSL VPN user can log in and see the portal but reach nothing behind it.
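The authentication source, group-to-portal mapping, and firewall policy described in this and the previous sections fit together as follows. This is an added example, not configuration from the original page; it assumes an Active Directory server at 10.0.1.10 with base DN dc=corp,dc=example, AD groups "IT Staff" and "Contractors", interfaces wan1 and internal, address objects LAN_subnet and SSLVPN_POOL (assumed to exist already), and the built-in portals "web-access" and "tunnel-access".

```text
# LDAP server over LDAPS. Import the AD CA and set ca-cert so the server
# certificate is actually verified; the bind password is a placeholder.
config user ldap
    edit "corp-ad"
        set server "10.0.1.10"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=corp,dc=example"
        set password <bind-password>
        set secure ldaps
        set port 636
    next
end

# Firewall user groups, each restricted to one AD group via a match rule.
config user group
    edit "IT_Staff"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=IT Staff,OU=Groups,DC=corp,DC=example"
            next
        end
    next
    edit "Contractors"
        set member "corp-ad"
        config match
            edit 1
                set server-name "corp-ad"
                set group-name "CN=Contractors,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end

# Empty portal used as the default: a user who authenticates but matches
# no authentication rule lands on a portal with nothing enabled.
config vpn ssl web portal
    edit "no-access"
        set web-mode disable
        set tunnel-mode disable
    next
end

# Global SSL VPN settings: listener, pool, and the group-to-portal mapping.
# Replace the factory certificate with a CA-signed one in production.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set port 443
    set tunnel-ip-pools "SSLVPN_POOL"
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "IT_Staff"
            set portal "tunnel-access"
        next
        edit 2
            set groups "Contractors"
            set portal "web-access"
        next
    end
end

# Firewall policies from ssl.root into the LAN, scoped per group.
# Tunnel-mode IT users arrive with a pool address; web-mode contractors
# have no virtual IP, so their policy uses "all" as the source address.
config firewall policy
    edit 0
        set name "SSLVPN-IT-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "LAN_subnet"
        set groups "IT_Staff"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "SSLVPN-Contractors-to-Intranet"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN_subnet"
        set groups "Contractors"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
        set nat disable
    next
end
```

The two places the group name appears are deliberate: the authentication rule decides which portal a member sees, and the policy's groups field decides what that member can reach. Drop the group from the policy and every authenticated SSL VPN user, contractor or not, matches it; drop the policy and the user authenticates, sees the portal, and reaches nothing, which is the symptom the exam most often asks about.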
A remote employee using an unmanaged personal laptop in a hotel must reach a single internal web application. The administrator wants no software installed on the laptop. Which SSL VPN approach fits best?
Why might an administrator enable split tunneling on an SSL VPN tunnel-mode portal?
An SSL VPN user authenticates successfully and sees the portal, but cannot reach any internal server. Which is the MOST likely cause?