
Configuring a FortiGate SSL VPN

Configuring SSL VPN settings

FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718

37

To reserve a range of IP addresses for tunnel-mode clients

1 Go to VPN > SSL > Config.

2 In the Tunnel IP Range fields, type the starting and ending IP addresses (for example, 10.254.254.80 to 10.254.254.100).

3 Select Apply.

Enabling strong authentication through security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509
security certificates (version 1 or 3). Strong authentication can be configured for
SSL VPN user groups by selecting the Server Certificate and Require Client
Certificate options on the VPN > SSL > Config page. However, you must first
ensure that the required certificates have been installed.

To generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and/or restore installed certificates and private keys, refer to the FortiGate Certificate Management User Guide.

Specifying the cipher suite for SSL negotiations

The FortiGate unit supports a range of cryptographic cipher suites to match the
capabilities of various web browsers. The web browser and the FortiGate unit
negotiate a cipher suite before any information (for example, a user name and
password) is transmitted over the SSL link.

1 Go to VPN > SSL > Config.

2 In Encryption Key Algorithm, select one of the following options:

   If the web browser on the remote client is capable of matching a 128-bit or greater cipher suite, select Default - RC4(128 bits) and higher.

   If the web browser on the remote client is capable of matching a high level of SSL encryption, select High - AES(128/256 bits) and 3DES. This option enables cipher suites that use more than 128 bits to encrypt data.

   If you are not sure which level of SSL encryption the remote client web browser supports, select Low - RC4(64 bits), DES and higher. The web browser must at least support a 64-bit cipher length.

3 Select Apply.
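The three Encryption Key Algorithm options above act as a minimum strength that the negotiated suite must meet. The following added example (not Fortinet code, and not part of the guide) maps a negotiated OpenSSL cipher-suite name to the weakest guide option that permits it and checks it against the configured option; the cipher table and the `openssl s_client` excerpt are constructed for illustration.

```python
import re

# The three "Encryption Key Algorithm" options from the guide, weakest first.
LEVELS = ["Low", "Default", "High"]

# Constructed lookup: OpenSSL cipher-suite name -> (bulk algorithm, key bits).
# Illustrative subset only; it is an assumption, not a FortiGate cipher list.
CIPHER_INFO = {
    "EXP-RC4-MD5": ("RC4", 40),     # export grade, below every option
    "RC4-64-MD5": ("RC4", 64),
    "DES-CBC-SHA": ("DES", 56),
    "RC4-MD5": ("RC4", 128),
    "RC4-SHA": ("RC4", 128),
    "DES-CBC3-SHA": ("3DES", 168),
    "AES128-SHA": ("AES", 128),
    "AES256-SHA": ("AES", 256),
}

def fortios_level(cipher):
    """Weakest guide option under which `cipher` is permitted, else None."""
    info = CIPHER_INFO.get(cipher)
    if info is None:
        return None
    alg, bits = info
    if alg in ("AES", "3DES"):
        return "High"          # High - AES(128/256 bits) and 3DES
    if alg == "RC4" and bits >= 128:
        return "Default"       # Default - RC4(128 bits) and higher
    if (alg == "RC4" and bits >= 64) or alg == "DES":
        return "Low"           # Low - RC4(64 bits), DES and higher
    return None                # export grade: no option enables it

def meets_policy(cipher, configured):
    """True if `cipher` is at least as strong as the configured option."""
    level = fortios_level(cipher)
    return level is not None and LEVELS.index(level) >= LEVELS.index(configured)

# Constructed excerpt of `openssl s_client -connect <fortigate>:443` output.
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

def check_negotiated(s_client_output, configured):
    """Return (cipher, level, accepted) for the suite s_client reports."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.MULTILINE)
    if not m:
        raise ValueError("no negotiated cipher found in s_client output")
    cipher = m.group(1)
    return cipher, fortios_level(cipher), meets_policy(cipher, configured)
```

Run `check_negotiated(SAMPLE_S_CLIENT, "Default")` against a real capture to confirm that a client which only matches RC4(128) suites is rejected once High is selected.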

Setting the idle timeout

The idle timeout setting controls how long the connection can remain idle before
the system forces the remote user to log in again. To improve security, keep the
default value of 300 seconds.

1 Go to VPN > SSL > Config.

2 In the Idle Timeout field, type an integer value. The valid range is from 10 to 28800 seconds.

3 Select Apply.