FortiOS v6.x - disable SSL VPN?

What are the steps to disable SSL VPN on FortiOS v6.x? I opened a case with support and they weren’t helpful (see below). Any time I try to clear any interfaces or values, I get errors saying they are required.

Ravi Muppa(10:31:25):
config vpn ssl settings unset source-interface end

Customer(10:32:12):
let me try it.

Customer(10:33:13):
I get an error after typing “end”

Customer(10:33:14):
Please set source-interface in vpn.ssl.settings as some of the authentication rules do not have source-interface. object check operator error, -2007, discard the setting Command fail. Return code -2007

Ravi Muppa(10:33:50):
oh, it’s not letting from CLI as well

Ravi Muppa(10:34:12):
did you remove all the SSL policies and address objects linked to the ssl.root interface?

Remove the interface binding from “config vpn ssl setting”, and you’re done. There isn’t any literal “set enable|disable” for it; it just turns on as soon as you add an interface for it and create a firewall policy.

There might be additional dependencies on top of it, so you might need to do some further wiping if it refuses (e.g. SSL-VPN firewall policies, group-to-portal mappings, etc.).

What about setting an unused interface?

Yeah, in the GUI if you have a listening interface in SSL settings you can’t then remove it. But in the CLI you can; just unset the interface that’s set. If you go back to the GUI afterwards you will see the interface is blank.

I know this is old but for reference:

- On a FortiGate without VDOMs:

    # config system interface
        edit ssl.root
            set status down
    end

- On a FortiGate with VDOMs:

    # config vdom
        edit <vdom name>
            config system interface
                edit ssl.<vdom name>
                    set status down
                next
            end
    end

It doesn’t disable it though… it is still available through the web interface. I want it totally shut down and I am not seeing an option to do that.

That is what support told me to try, but it fails as it wants a value.

Is that the “proper” way to do it?

You can’t remove the listening interface as it is a “required” field… both through the GUI and the CLI

And have you tried removing other stuff from there like I suggested?
Alternatively give us a dump from “show vpn ssl setting” and the exact firmware version, and I can try to find out what’s blocking it.

Or to spell it out more explicitly: Delete all portal mapping rules from the config.

Not sure, I never had to turn it off. Also with no policy for sslvpn it won’t do anything. So if the firewall won’t let you turn it off, then just cripple it.

You can remove it. I just tested it on 6.4.3.

FGVM # config vpn ssl settings

FGVM (settings) # unset source-interface

FGVM (settings) # end
Warning: You are using one of the factory default certificates.
For better security, please use a proper signed certificate.

You can, and I have.

I’ll do it again…

Sorry about the editing…

HOME-FG60E (settings) # show
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
end

HOME-FG60E (settings) # unset source-interface

HOME-FG60E (settings) # show
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
end

sorry… “it” refers to the IPv4 Policy… I will dig into the local-in-policy option, but sure seems like there should be an easier way to just disable it
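Before deleting things at random, it helps to know exactly which objects the box is complaining about. The script below is an added example (mine, not from this thread or from Fortinet): it parses a FortiOS `show` dump in the format quoted above and lists the authentication rules that have no source-interface (the cause of the -2007 error pasted from support) and the firewall policies that still reference an ssl.* interface. It assumes the dump uses straight quotes and the `config`/`edit`/`set`/`next`/`end` layout shown; the SAMPLE config is constructed, not a real dump.

```python
import shlex
# Constructed sample in the `show` format of the thread's CLI output.
SAMPLE = """
config vpn ssl settings
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set portal "full-access"
        next
        edit 2
            set source-interface "wan1"
        next
    end
end
config firewall policy
    edit 7
        set srcintf "ssl.root"
        set dstintf "internal"
    next
end
"""
def _node():
    return {"set": {}, "edit": {}, "config": {}}

def parse(text):
    # config/edit open a nested scope, next/end close it, set stores values
    cur, stack = _node(), []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        kw, args = tok[0], tok[1:]  # shlex also strips the value quotes
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur[kw].setdefault(" ".join(args), _node())
        elif kw == "set":
            cur["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            cur = stack.pop()
    return cur

def blockers(root):
    found = []  # (kind, name, reason) for objects the thread says keep SSL VPN in use
    ssl = root["config"].get("vpn ssl settings", _node())
    rules = ssl["config"].get("authentication-rule", _node())["edit"]
    for name, rule in rules.items():
        if "source-interface" not in rule["set"]:  # the -2007 error's cause
            found.append(("authentication-rule", name, "no source-interface"))
    for name, pol in root["config"].get("firewall policy", _node())["edit"].items():
        ssl_if = [i for k in ("srcintf", "dstintf") for i in pol["set"].get(k, []) if i.startswith("ssl.")]
        if ssl_if:
            found.append(("firewall policy", name, "uses " + ", ".join(ssl_if)))
    return found
```

Feed it the output of `show full-configuration` (or just the `vpn ssl settings` and `firewall policy` sections) and clear the listed objects before running `unset source-interface`.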