FortiGate

Based on Fortinet's proprietary FortiASIC acceleration chips

FortiAP

Enterprise-grade, controller-managed wireless access point devices

FortiWeb

Web application firewall

FortiMail

Advanced anti-spam and anti-virus filtering

How to download FortiGate VM versions

FortiGate · kmliu published an article • 0 comments • 96 views • 2018-08-07 22:39 • from related topics

VMware Workstation FGT OS 5.4.9 download link
FGT_VM64-v5-4-build1202-FORTINET.out.vmware.zip
 
VMware ESXi FGT OS 5.4.9 download link
FOS_VM64-v5-build1202-FORTINET.out.ovf.zip
 
All VM OS images can be downloaded from support.fortinet.com, including the OS for the mainstream VM platforms. You only need to register an account and bind a FortiGate serial number with a valid service contract to get download rights; you can of course also ask the relevant SE or TAC for the VM version. Every VM comes with a free 15-day license after installation, which can be used for feature testing or study.

Fortinet SSL VPN user two-factor authentication login fails


Firewall · fanzhengang asked a question • 2 followers • 0 replies • 57 views • 2018-08-06 20:08 • from related topics

FortiGate CookBook

System administration · kmliu published an article • 0 comments • 58 views • 2018-08-01 18:19 • from related topics

Official English technical sites you can refer to; their content is fairly comprehensive:
FortiGate cookbook
Help.fortinet.com
KB.fortinet.com
Docs.fortinet.com
FortiGate cookbook download address

FortiClient issue on iPhone


FortiClient · 恒信致远张亮 asked a question • 2 followers • 0 replies • 79 views • 2018-07-31 09:43 • from related topics

Enabling the dns-database feature on FortiGate

System administration · kmliu published an article • 0 comments • 93 views • 2018-07-27 18:46 • from related topics

Enabling the dns-database feature on FortiGate (shared from Youdao Note)

Notes on connecting Windows XP SSL VPN clients to newer FortiGate versions

VPN · kmliu published an article • 0 comments • 354 views • 2018-07-09 15:59 • from related topics

XP clients connecting to the SSL VPN on FOS 5.4/5.6/6.0 will always fail; the corresponding parameters must be changed on both the XP side and the FGT side.
 
In principle the newer official versions no longer support XP clients on the SSL VPN: official builds from V5.6 onward have removed the SSL v3 protocol entirely, so with the default SSL VPN configuration on the FGT an XP system has no way to connect. If, for business reasons, XP must still be used to connect to the SSL VPN, settings have to be changed on two sides before XP can connect successfully:
 Changes on the XP side:
1. Install the IE8-WindowsXP-x86-CHS.exe browser
IE8 download address

 2. Enable the TLS 1.0 protocol under the browser's "Internet Options"

 FGT SSL VPN configuration changes:
1. Under ssl vpn settings, enable the TLS 1.0 protocol (in 5.4.X SSL v3 can also be enabled) and lower the encryption strength
2. In config authentication-rule under the SSL VPN settings, change the cipher strength to any; the default is >= 168 bits
config vpn ssl settings
    set sslv3 enable             // default disable; FOS 5.6 and later removed SSL v3 entirely
    set tlsv1-0 enable           // default disable
    set algorithm medium         // or: set algorithm low. Default is high; even XP's strongest cipher cannot meet it
    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any       // default high
        next
    end
end
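As an added example (not part of the original article and not FortiOS code), here is a small Python audit that reads the output of `show full-configuration` for `config vpn ssl settings` and lists every setting the steps above relax below its default: sslv3 or tlsv1-0 enabled, `algorithm` below high, and any `authentication-rule` whose `cipher` is not high. The sample configurations are constructed from the settings shown in this article (rule 2 and the group name Admin_Group are made up to show a rule that keeps the default), and the parser's handling of nested config/edit blocks is an assumption about the CLI output format based only on the blocks shown here.

```python
from typing import Dict, List, Tuple

# Constructed sample modeled on the 'summary of the modified configuration' shown in this
# article (not copied from a device); rule 2 is added to show a rule that keeps the default.
RELAXED_CONFIG = """\
config vpn ssl settings
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set port 4443
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
        edit 2
            set groups "Admin_Group"
            set portal "full-access"
            set cipher high
        next
    end
end
"""

# Constructed sample of the default state the article shows before the change:
# TLS 1.0 off, algorithm high, rule cipher high.
DEFAULT_CONFIG = """\
config vpn ssl settings
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher high
        next
    end
end
"""

LEGACY_PROTOCOLS = ("sslv3", "tlsv1-0")   # the two protocols this article shows being re-enabled for XP


def parse_fortios_block(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten FortiOS 'config ... end' text into {path: {setting: value}}.

    Paths are built from nested 'config' and 'edit' lines, e.g.
    'vpn ssl settings' and 'vpn ssl settings/authentication-rule/1'.
    (Assumed format, derived only from the blocks shown in the article.)
    """
    stack: List[str] = []
    tree: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # tolerate the '//' annotations used in the article
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            tree.setdefault("/".join(stack), {})[key] = value.strip().strip('"')
    return tree


def audit_sslvpn_settings(text: str) -> List[Tuple[str, str]]:
    """Return (setting, reason) pairs for every SSL VPN setting relaxed below the default."""
    tree = parse_fortios_block(text)
    findings: List[Tuple[str, str]] = []
    top = tree.get("vpn ssl settings", {})
    for proto in LEGACY_PROTOCOLS:
        if top.get(proto) == "enable":
            findings.append((proto, "legacy protocol enabled (default: disable)"))
    algorithm = top.get("algorithm", "high")          # 'show' omits defaults, so assume high
    if algorithm != "high":
        findings.append(("algorithm", f"cipher strength lowered to {algorithm} (default: high)"))
    prefix = "vpn ssl settings/authentication-rule/"
    for path, settings in tree.items():
        if not path.startswith(prefix):
            continue
        rule = path[len(prefix):]
        cipher = settings.get("cipher", "high")
        if cipher != "high":
            findings.append((f"authentication-rule {rule} cipher",
                             f"accepts {cipher} cipher strength for groups {settings.get('groups', '')}"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit_sslvpn_settings(RELAXED_CONFIG):
        print(f"{setting}: {reason}")
```

Run it against a configuration backup when the XP exception is granted and again when it is retired; an empty result means the settings are back at the defaults shown in the "Error 1" capture further down. A stricter baseline would also flag tlsv1-1, which RFC 8996 deprecates together with TLS 1.0.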
 
 
 ---------------------------------------------------------------
----------------------------------------------------------------
Complete configuration example:
 
1. Define the user and user-group; this defines the SSL VPN user resources

2. Create an address object for the internal network segment, to be used later for SSL VPN split tunneling and in the policy
 
3. The built-in full-access portal template is sufficient: enable split tunneling and select the internal network address object. This defines the internal resources
 
4. Configure the SSL VPN port and associate the SSL VPN user-group resource with the full-access internal resources
 
5. Configure the SSL VPN policy. Note that the source must reference the user-group and the destination must reference the split-tunnel network segment, so that the user group and the resource group are tied to each other
 
The FortiGate SSL VPN configuration is now complete, and this is what the default state should look like. At this point you will find that systems such as Win7 and Win10 connect to the SSL VPN without any problem, whereas an XP system cannot connect no matter what. There are two specific errors:
 
XP SSL VPN Client download:
https://fortinet.egnyte.com/dl/sUFezSusMD 
 
For more downloads of FortiClient and the small SSL VPN client, see:
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

 
Error 1: error at 40%

 
FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)  // SSL protocol mismatch
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol  // unsupported SSL protocol
 
Unsupported SSL protocol
 
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable  // TLS 1.0 is disabled by default; IE8 on XP only has TLS 1.0, so TLS 1.0 must be enabled
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP has no strong cipher (only DES-CBC3-SHA); this must be changed to medium or low
 
Modify the SSL VPN configuration:
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium
 
Error 2: error at 48%, "No permission -455"

 
FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). // authentication rule 1 fails
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. // the cipher does not match
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
 
Modify the SSL VPN configuration:
FG100E4Q16003872 # config vpn  ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   // default is high, which requires ciphers of 168 bits or more; XP's cipher does not meet this
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   // change to any, to accept low-bit-count ciphers such as DES
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end
 
Summary of the modified configuration:
 FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
 Then XP can dial in:

FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug  enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
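The three captures above show the same `diagnose debug application sslvpn -1` output in three states: a handshake rejected for its protocol version (error 1), a TLSv1 DES-CBC3-SHA session rejected at the rule 1 cipher check (error 2), and a login that matches rule 1. As an added example that is not part of the original article and not FortiOS code, the Python below groups such lines per connection and classifies how each one ended, so a long capture can be triaged without reading it by hand. The excerpt is constructed from the lines shown above; the [pid:vdom:connid] prefix format, the regular expressions, and the mapping to the two errors are assumptions drawn only from those lines.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modeled on the 'diagnose debug application sslvpn -1' output in this
# article (not a capture from the device): one handshake rejected for its protocol version,
# one TLSv1 / DES-CBC3-SHA session rejected by the authentication-rule cipher check, and one
# that matched rule 1.
SAMPLE_LOG = """\
FG100E4Q16003872 # [24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24422:root:1c]no valid user or group candidate found.
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]two factor check for user1: off
[24424:root:1d]SSL VPN login matched rule (1).
"""


@dataclass
class SslvpnConn:
    """What one [pid:vdom:connid] connection in the debug output tells us."""
    key: str
    client: Optional[str] = None
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    user: Optional[str] = None
    two_factor: Optional[str] = None
    requests: List[str] = field(default_factory=list)
    last_check: Optional[str] = None      # last 'checking rule N <what>.' seen
    outcome: str = "incomplete"


# Assumed line prefix of the sslvpn daemon: [<pid>:<vdom>:<connection id, hex>]<message>
LINE_RE = re.compile(r"\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
CLIENT_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s*$")
ESTABLISHED_RE = re.compile(r"SSL established: (\S+) (\S+)")
ACCEPT_FAIL_RE = re.compile(r"SSL_accept failed, \d+:(.+)$")
USER_RE = re.compile(r"user '([^']+)' has a matched")
CHECK_RE = re.compile(r"checking rule (\d+) (.+)\.$")
TWO_FACTOR_RE = re.compile(r"two factor check for \S+: (\w+)")
MATCHED_RE = re.compile(r"SSL VPN login matched rule \((\d+)\)")


def triage_sslvpn_debug(text: str) -> "OrderedDict[str, SslvpnConn]":
    """Group debug lines per connection and classify how each connection ended."""
    conns: "OrderedDict[str, SslvpnConn]" = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)          # search, not match: the first line may carry the CLI prompt
        if not m:
            continue
        pid, vdom, cid, msg = m.groups()
        key = f"{pid}:{vdom}:{cid}"
        if key not in conns:
            conns[key] = SslvpnConn(key=key)
        c = conns[key]
        msg = msg.strip()
        cm = CLIENT_RE.search(msg)
        if cm:
            c.client = cm.group(1)
        em = ESTABLISHED_RE.search(msg)
        if em:
            c.protocol, c.cipher = em.groups()
            continue
        am = ACCEPT_FAIL_RE.search(msg)
        if am:
            # Error 1 in the article (stops at 40%): no protocol version in common with the client
            c.outcome = f"handshake failed: {am.group(1)}"
            continue
        if msg.startswith("req: "):
            c.requests.append(msg[len("req: "):])
            continue
        um = USER_RE.search(msg)
        if um:
            c.user = um.group(1)
            continue
        km = CHECK_RE.search(msg)
        if km:
            c.last_check = f"authentication-rule {km.group(1)} {km.group(2)}"
            continue
        if msg == "no valid user or group candidate found.":
            # Error 2 in the article (-455 at 48%): the rule check that was running when matching stopped
            c.outcome = f"rejected by {c.last_check or 'rule matching'} check"
            continue
        tm = TWO_FACTOR_RE.search(msg)
        if tm:
            c.two_factor = tm.group(1)
            continue
        mm = MATCHED_RE.search(msg)
        if mm:
            c.outcome = f"login matched rule {mm.group(1)}"
    return conns


def report(conns: "OrderedDict[str, SslvpnConn]") -> List[str]:
    """One human-readable summary line per connection."""
    lines = []
    for c in conns.values():
        tls = f"{c.protocol} {c.cipher}" if c.protocol else "no TLS session"
        lines.append(f"{c.key} client={c.client} {tls} user={c.user} 2fa={c.two_factor} -> {c.outcome}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_sslvpn_debug(SAMPLE_LOG))))
```

The per-connection summary also records the negotiated protocol and cipher and the two-factor state, which is what you want in front of you when deciding whether the relaxed settings from this article are still needed for a given client population.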
<--- End --->
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). // the failure is in authentication rule 1
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. // the cipher check is the last one logged before the rejection: cipher mismatch
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
 
Change the SSL VPN configuration:
FG100E4Q16003872 # config vpn  ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   // default is high, which requires a cipher of at least 168 bits; XP's cipher does not meet this
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   // change to any, so that lower-strength ciphers such as DES are accepted
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end
 
Summary of the changed configuration:
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
XP can then dial in successfully:
SSL_VPN_13.png

SSL_VPN_14.png

FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug  enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]

[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32

[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200

[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
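The two debug captures in this article are read by eye; the script below is an added example (not code from the article or from Fortinet) that triages `diagnose debug application sslvpn -1` output automatically: per connection it reports the negotiated protocol and cipher, whether the handshake failed on an unsupported protocol, whether the authentication rule rejected the user and which rule check was logged last before the rejection, or whether login succeeded, and it flags legacy TLS 1.0 / 3DES sessions so an XP exception like the one configured above can be monitored and removed later. The key-strength table used to model the `set cipher` thresholds is an assumption, as is the sample log, which is constructed from abridged lines of the captures above.

```python
"""Triage 'diagnose debug application sslvpn -1' output from a FortiGate.

Added example, not code from the original article or from Fortinet.
"""
import re
from collections import OrderedDict

# Every debug line is prefixed with [pid:vdom:connection-index].
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
EST_RE = re.compile(r"SSL established: (\S+) (\S+)")
LEGACY_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_CIPHER_MARKERS = ("DES-CBC3", "DES-CBC-", "RC4", "NULL")

# Assumed effective key strengths used to model the FortiOS thresholds quoted in
# the article (high >= 168 bits, medium >= 128 bits). 3DES is counted as 112 bits,
# which matches the observed rejection of DES-CBC3-SHA by 'set cipher high'.
CIPHER_BITS = {"AES256": 256, "AES128": 128, "DES-CBC3": 112}

def cipher_bits(cipher):
    """Effective key strength of an OpenSSL-style suite name, or 0 if unknown."""
    for key, bits in CIPHER_BITS.items():
        if key in cipher:
            return bits
    return 0

def rule_accepts(cipher, setting):
    """Model the authentication-rule 'cipher' option: any / medium / high."""
    threshold = {"any": 0, "medium": 128, "high": 168}[setting]
    return cipher_bits(cipher) >= threshold

def triage(lines):
    """Return an ordered {conn_id: summary} map; conn_id is (pid, vdom, index)."""
    conns = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cid, msg = (m.group(1), m.group(2), m.group(3)), m.group(4)
        c = conns.setdefault(cid, {"proto": None, "cipher": None, "legacy": False,
                                   "result": "unknown", "last_check": None})
        est = EST_RE.search(msg)
        if est:
            c["proto"], c["cipher"] = est.group(1), est.group(2)
            c["legacy"] = (c["proto"] in LEGACY_PROTOS or
                           any(k in c["cipher"] for k in LEGACY_CIPHER_MARKERS))
        elif "unsupported protocol" in msg:
            c["result"] = "handshake_failed_protocol"
        elif "checking rule" in msg:
            # Remember the last rule check seen; if a rejection follows, this is
            # the check that failed (the article's "checking rule 1 cipher").
            c["last_check"] = msg.split("checking rule", 1)[1].strip().rstrip(".")
        elif "no valid user or group candidate found" in msg:
            c["result"] = "auth_rule_rejected (last check: %s)" % c["last_check"]
        elif "SSL VPN login matched rule" in msg:
            c["result"] = "login_ok"
    return conns

def legacy_sessions(conns):
    """Connection ids that negotiated a legacy protocol or cipher."""
    return [cid for cid, c in conns.items() if c["legacy"]]

# Constructed sample, abridged from the debug captures in the article.
SAMPLE_LOG = """\
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]SSL VPN login matched rule (1).
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
"""
```

Feed the real capture with `triage(open("sslvpn.log").read().splitlines())` and review `legacy_sessions()` periodically; once no TLS 1.0 / 3DES sessions remain, the relaxed `algorithm` and `cipher` settings can be reverted.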
<--- End --->

Introduction to FOS dynamic VLANs

FortiAP kmliu published an article • 0 comments • 93 views • 2018-07-04 12:44 • from related topics

In common wired and wireless network deployments we encounter the requirement for dynamic user VLANs, i.e. the user's VLAN attribute is assigned dynamically through RADIUS authentication. This article introduces the three dynamic VLAN assignment methods in FOS: dynamic VLAN assignment for wireless users, dynamic VLAN assignment for wired users on the switch, and dynamic VLAN assignment on FortiGate interfaces.

A1.png

A2.png

 

Where can the Fortinet client software for iPhone be downloaded?

System Administration 太太乐 asked a question • 1 follower • 0 replies • 85 views • 2018-06-26 16:52 • from related topics

FGSP configuration guide

FortiGate kmliu published an article • 0 comments • 116 views • 2018-06-19 09:58 • from related topics

Starting with FortiOS 5.0, the FortiGate Session Life Support Protocol (FGSP) is supported; it provides configuration and session synchronization between standalone units in asymmetric-traffic load-sharing scenarios.
 
In addition, FGSP+VRRP, FGSP+OSPF and FGSP+transparent mode can achieve an effect similar to active-passive HA. Whether traffic is symmetric is determined by VRRP, OSPF cost and the upstream/downstream devices; FGSP works in both symmetric and asymmetric traffic scenarios. Of course, for symmetric traffic we recommend ordinary HA; FGSP is normally used for asymmetric traffic.

Uninstalling the FortiClient 4.2 client on XP

Firewall xytf78682 asked a question • 1 follower • 0 replies • 204 views • 2018-05-04 17:45 • from related topics