FortiGate VPN
FortiGate VPN enables secure communications across various endpoints on the internet. This document contains the best practices required in FortiGate VPN and Netskope Client to ensure smooth interoperability.
Environments
FortiGate Server version: FortiOS v7.2.0-b1157
FortiGate Client version: 7.0.5.0238
Netskope Client version: 94.1.1.960, 95.1.0.969
The configurations described here, applied in FortiGate VPN and in the Netskope tenant web UI, ensure that processes and traffic from either application are neither blocked nor steered to the Netskope Cloud.
Configurations In FortiGate VPN
Create SSL VPN Full tunnel Mode
Before you begin, go to Network > Interfaces to:
Verify that the WAN (external) port and the internal port each have an IP address assigned.
Otherwise, edit the WAN and internal interfaces and set the IP address and subnet mask based on the public and private subnets created in the AWS VPC.
To configure user and user group:
Go to User > Authentication > User Definition to create a local user.
Go to User > Authentication > User Groups to create a group along with the local user.
To configure SSL VPN web portal:
Go to VPN > SSL-VPN Portals > Edit SSL-VPN Portal and set Split tunneling to Disabled.
Enter the IP pool range from the AWS public subnet pool (for example, 10.20.2.181-10.20.2.191) in Source IP Pools.
To configure SSL VPN settings:
Go to VPN > SSL-VPN Settings and enter the following:
Listen on Interface(s): Select wan1 (or Port1, as per the AWS deployment).
Listen on Port: Enter 10443.
Server Certificate: Choose a certificate for Server Certificate. The default is Fortinet_Factory.
Authentication/Portal Mapping: Under All Other Users/Groups, set the Portal to full-access.
Then create a new Authentication/Portal Mapping that maps the group sslvpngroup to the portal full-access.
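The GUI steps above expressed as the equivalent FortiOS CLI configuration, added here as an example rather than taken from the original document or from Fortinet. The user name vpnuser, the address object name SSLVPN_TUNNEL_ADDR1 and the placeholder password are assumptions; sslvpngroup, full-access, wan1, port 10443, the Fortinet_Factory certificate and the IP pool range come from the steps above.

```fortios
# Local user and group used by the SSL VPN (password is a placeholder)
config user local
    edit "vpnuser"
        set type password
        set passwd "REPLACE_WITH_STRONG_PASSWORD"
    next
end
config user group
    edit "sslvpngroup"
        set member "vpnuser"
    next
end
# Address object for the tunnel IP pool taken from the AWS public subnet
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.20.2.181
        set end-ip 10.20.2.191
    next
end
# Full-tunnel portal: split tunneling disabled so all client traffic enters the VPN
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# SSL VPN settings: listen on wan1:10443, factory certificate, map sslvpngroup to full-access
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
```

A firewall policy from the ssl.root interface to the internal network is still required for tunnel traffic to be forwarded; it is not among the steps above.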
Configurations In Netskope Client
When installing Netskope Client along with a VPN client, configure exceptions in steering configurations to bypass traffic from the VPN client. To learn more about adding exceptions for third-party VPN apps, view Exceptions.
Create a Network Location
To add the VPN gateway server URL in Netskope Policy:
Go to Policies > Profiles > Network Location > New Network Location and select either Single Object or Multiple Objects.
To add a Single Object, provide an IP address, IP address range, or CIDR netmask. When finished, click the adjacent + button, and then click Next. Enter a name for the network location, and then click Save Network Location.
To add Multiple Objects, upload a CSV file with multiple IP addresses or ranges. Enter a name for the network locations, and then click Save Network Location.
When finished, click Apply Changes.
Create Destination Location Exception
To add a Destination Location exception, go to Steering Configuration and select a configuration.
In the EXCEPTIONS tab, click the NEW EXCEPTION drop down list and select Destination Location.
In the New Exception pop-up window, select the Network Location profile from the list.
Click ADD to complete the process.
Netskope Client Functions
Refer to the list of validated use cases that you can use to verify Client operations.
FortiGate VPN Validation
Ensure that the traffic is going through the VPN.