Disable SSLVPN webportal page

Ron_Uss
2015/02/17 01:38:05 (permalink)
0

Disable SSLVPN webportal page

Hello
After pentests we have an issue about showing the SSLVPN web page. I need to use SSLVPN only in tunnel mode (this is not a problem), but without showing any page in the browser. I looked in the CLI and GUI and still can't find any solution for how to disable the web page but still have tunnel mode active.
Do you have any idea?
Thank you
#1
vjoshi_FTNT
Re: Disable SSLVPN webportal page 2015/02/17 04:24:53 (permalink)
0
Hello,
 
I am positive that there is no option to disable access to the Web GUI (ssl-vpn) alone.
However, you can remove all the widgets from the portal; again, I don't think this will solve your problem.
 
You can try the below:
 
config vpn ssl settings
set url-obscuration enable
end
 
This field is available when sslvpn-enable (under the same vpn ssl settings) is set to enable. Enable it to encrypt the host name of the URL in the display (web address) of the browser, for web mode only. This is a requirement for ICSA SSL VPN certification. Also, if enabled, bookmark details are not visible (the field is blank).


Cheers!
#2
bertimestwo
Re: Disable SSLVPN webportal page 2018/09/17 03:38:16 (permalink)
0
You can disable "Web Mode" in SSL-VPN Portals.
#3
CrazyCatMan
Re: Disable SSLVPN webportal page 2019/05/09 01:08:23 (permalink)
0
I found that even disabling web-mode on all portals still presented a login page on the outside interface.
I left all portals with everything disabled that I could and then in order for this to go away - I had to delete the SSL security policy in policy & objects > IPv4 policy that permitted it and it no longer works.
This is as close as I could find to disabling SSL.
I'm running 6.0.4
#4
Pacolo
Re: Disable SSLVPN webportal page 2019/07/16 04:11:18 (permalink)
5 (2)
Hey guys,
 
I searched info about disabling SSL-VPN and found this.
 
What I have done is unset the options configured through the CLI, for example:
 
config vpn ssl settings
unset port
unset source-interface "wan1"
end


Regards!
#5
Matt2019
Re: Disable SSLVPN webportal page 2019/12/27 06:25:55 (permalink)
0
Hi Ron_Uss,
  Have you found a solution to this? I would also like to disable the login page and just use tunnel mode.
 
matt
#6
Che
Re: Disable SSLVPN webportal page 2020/01/02 09:44:55 (permalink)
0
On the SSL-VPN Settings page, you can remove the WAN interfaces from the "Listen On Interface(s)" config. The firewall requires at least one interface in this field but you can add DMZ or some other unused interface to prevent it from responding on the internet.
 
Update:  This disables the SSL VPN completely which is what I do when using the IPSec based Forticlient VPN config instead.
post edited by Che - 2020/01/02 11:37:03
#7
leo
Re: Disable SSLVPN webportal page 2021/02/25 19:38:04 (permalink)
0
There is no option to disable Web GUI access for SSL VPN,
but you can edit the replacement message for the SSL-VPN login page:
System > Replacement Message > SSL-VPN login page.
 
You can delete the body of the HTML. Then when you try to access your web portal (SSL-VPN) the login page will not show.
#8
nbutt
Re: Disable SSLVPN webportal page 2021/06/11 02:04:56 (permalink)
0
Leo,
 
If you delete the body of the HTML, that will break the ability to sign on to tunnel mode SSL VPN via FortiClient.
 
I am also trying to find a workaround for hiding the HTML page while keeping the SSL VPN tunnel mode working for my FortiClient users.
 
I will let you all know if I find something.
 
Nick
#9
nbutt
Re: Disable SSLVPN webportal page 2021/06/11 02:37:17 (permalink)
0
I have a fix guys!!!!
 
Do the following and your SSL-VPN login HTML page will be blank and the FortiClient will still be able to sign in to the SSL VPN! even with FortiToken.
 
 
====
At the top of the HTML add the lines:
<style>
  .prompt {
    display: none;
  }
</style>
 
 
=====
At the top of the HTML remove the single line:
 
<link href="/css/main-blue.css" rel="stylesheet" type="text/css">
 
 
 
=======
Example snippet from the top of the HTML including both fixes above.

<!DOCTYPE html>
<html lang="en" class="main-app">
  <head>
    <style>
      .prompt {
        display: none;
      }
    </style>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="apple-itunes-app" content="app-id=1475674905">
    <!-- main-blue.css stylesheet link removed here -->
    <title>
      Please Login
    </title>
#10
emnoc
Re: Disable SSLVPN webportal page 2021/06/11 06:33:28 (permalink)
0
That does not disable the page, FWIW; just making a page blank is just that, "blank", but the page is still present. But here's what you can do to improve the pentest: just deploy client-side certificates, with the added bonus of MFA, and explain that.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#11
nbutt
Re: Disable SSLVPN webportal page 2021/06/11 07:36:24 (permalink)
0
Hi emnoc,
 
Thanks for that info. Yes, I know the page is technically in place and accessible, but it's better than seeing a logon page :)
 
We have MFA via FortiToken already but I want to also have certificates.
 
How did you deploy your certs and what type of cert did you use? I'm more interested in the FortiGate side of the config, as I played with certs before and it was not simple.
 
Regards
Nick
 
#12
emnoc
Re: Disable SSLVPN webportal page 2021/06/11 12:42:41 (permalink)
0
Certs are easy as 1-2-3; if you have Microsoft you're almost at 3 ;)
 
Just issue certificates to each user, and the domain root cert should already be in the WinOS computers.
 
Import the caRoot into the FortiGate, and the certificate for the SSLVPN.
 
Enable require cert for the SSL VPN setting and an auth rule with a peer-group that expects that rootCA. You can refer to this recently added blog entry:
 
http://socpuppet.blogspot.com/2020/04/sslvpn-fortigate-with-certificates.html
 
 
Nothing you do will stop the webpage port. If you need to enforce something, just change the SSLVPN certificate and set the fail-login timeout to some ridiculous value.
 
e.g. in ssl-vpn settings
 
    set login-block-time 86400
  
 
 
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#13
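An added example, not part of any post in this thread: a Python check that reads a FortiOS configuration backup and reports the SSL-VPN exposure points raised in the replies above (WAN listen interface, web-mode on portals, client certificate requirement, login-block-time). The sample config, the `wan_ifaces` names and the `min_block` threshold are assumptions, and `web-mode` and `reqclientcert` are the option names assumed here for "Web Mode" and "require cert".

```python
# Constructed sample of a FortiOS config backup (not taken from the thread).
SAMPLE = '''config vpn ssl web portal
    edit "full-access"
        set web-mode enable
    next
    edit "tunnel-only"
        set tunnel-mode enable
    next
end
config vpn ssl settings
    set source-interface "wan1" "dmz"
    set login-block-time 60
end
'''

def parse_blocks(text):
    """Map each top-level config path to {edit name or '': {option: value}}."""
    blocks, path, entry, depth = {}, None, "", 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                path, entry = line[7:], ""
                blocks.setdefault(path, {})
        elif line == "end":
            depth = max(depth - 1, 0)
        elif depth != 1:
            continue  # skip nested sub-tables such as bookmark groups
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            blocks[path].setdefault(entry, {})[key] = val.replace('"', "")
    return blocks

def audit(text, wan_ifaces=("wan1", "wan2"), min_block=3600):
    """Return findings. wan_ifaces and min_block are assumptions to adjust;
    an absent login-block-time (firmware default) is treated as too low."""
    cfg = parse_blocks(text)
    s = cfg.get("vpn ssl settings", {}).get("", {})
    out = [f"listens on WAN interface {i}"
           for i in s.get("source-interface", "").split() if i in wan_ifaces]
    out += [f"portal {n} has web-mode enabled"
            for n, o in cfg.get("vpn ssl web portal", {}).items()
            if o.get("web-mode") == "enable"]
    if s.get("reqclientcert") != "enable":
        out.append("client certificate not required")
    if int(s.get("login-block-time", 0)) < min_block:
        out.append("login-block-time below threshold")
    return out
```

Calling `audit(SAMPLE)` returns four findings for the constructed sample; a listen-interface finding is worth reviewing even with web-mode disabled on every portal, since one reply above reports the login page still being served in that state.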