Ultraviolet Networks - Use case explorer - Terminating SSLVPN to a loopback interface

  • Published: 6 Sep 2024

Comments • 26

  • @ITGuyGary
    @ITGuyGary 4 months ago

    FYI - at 10:46, your public IP is visible at the bottom of the "Your connection is not private" page

  • @yawnyame981
    @yawnyame981 6 months ago +1

    I have followed the process, but it is not working. Connecting is stuck at 10% with "VPN gateway unreachable".

  • @blakman1984
    @blakman1984 1 year ago

    Top tier as always! Thank you for the enlightening video!

    • @mattsherif9141
      @mattsherif9141 1 year ago

      Thank you for watching! I hope you have a Happy New Year!

  • @bytes86
    @bytes86 1 year ago

    Thanks Matt, love your videos, learning from you a lot!🙏

  • @scatpack1017
    @scatpack1017 1 year ago

    Awesome video and super helpful. You can actually use external threat feeds with local-in policies. They can be used with a negate source option like any other address object.

    • @capricornnnn
      @capricornnnn 11 months ago

      Any implementation doc with some example?

  • @osmanardanan86
    @osmanardanan86 1 year ago +1

    Hey Matt, aren't the security profiles on the VIP policy useless? I mean the traffic is not inspected by the virtual server and is completely encrypted anyway, isn't it?

    • @mattsherif9141
      @mattsherif9141 1 year ago +1

      Hey Osman, not necessarily. This is to mitigate against known SSL VPN attacks; it also allows you to specify more inspection types vs. a local-in policy.

  • @JustinHoMi
    @JustinHoMi 6 months ago +1

    FYI, ya forgot to censor your public IP one time.

  • @randada1
    @randada1 1 year ago

    There's something we ain't seeing here. This configuration doesn't work, as the SSL loopback interface is unreachable even after doing the VIPs and FW policies. I went through the community forum and folks pointed out this video too, but ultimately it is missing a few configurations.

    • @mattsherif9141
      @mattsherif9141 1 year ago

      I can assure you that’s not the case. Where are you getting stuck?

    • @mattsherif9141
      @mattsherif9141 1 year ago

      Hi @randada1 did you manage to find your answer?

  • @user-iu2nc5pj3m
    @user-iu2nc5pj3m 1 year ago

    Hey Matt, I've had a go at setting this up... It's working and I'm getting lots of hits on the FW policy. But no logs are showing up when I look for matching logs? Any ideas?

    • @mattsherif9141
      @mattsherif9141 1 year ago

      Yes - check under the local traffic logs instead of the forward traffic logs. Despite the policy being for "forwarded traffic", FGT is smart enough to know this traffic will actually terminate on it.

  • @oinkersable
    @oinkersable 1 year ago

    Cheers Matt, any CPU performance concerns when using the virtual interface? Does offloading still happen for loopbacks? SSL VPN isn't offloaded AFAIK, but in general, like IPsec on a loopback?

    • @mattsherif9141
      @mattsherif9141 1 year ago +1

      No, due to SSL VPN sessions not being offloaded, it makes very little difference. Fast Path requirements don’t state that you need a physical interface to originate the traffic for Fast Path to take place:
      docs.fortinet.com/document/fortigate/7.0.9/hardware-acceleration/149012/np6-session-fast-path-requirements

    • @oinkersable
      @oinkersable 1 year ago

      @@mattsherif9141 Thanks and happy new year, looking forward to more of your great content in 2023!

    • @mattsherif9141
      @mattsherif9141 1 year ago

      @@oinkersable Happy New Year to you too! Thank you for watching! If there’s anything you want to see, let me know.

  • @capricornnnn
    @capricornnnn 11 months ago

    Thanks. How do you deny the bad IP addresses from reaching the SSL VPN?

    • @mattsherif9141
      @mattsherif9141 11 months ago

      Great question! You can pin the SSL VPN instance to a loopback, allowing you to use threat feeds and other handy features. That's explained here:
      ruclips.net/video/T_l-do_oci8/видео.htmlsi=eskibN__w7Wsp1zx

    • @capricornnnn
      @capricornnnn 11 months ago

      @@mattsherif9141 Thanks. I think it's the same video, but I just heard you saying that you can use ISDB without much explanation. Sorry if I have missed it. "You can pin the SSL VPN instance to a loopback": can you explain this more? I have followed your instructions and SSL VPN works on the loopback interface, but if I try to use the ISDB of malicious IP addresses and put a Deny, it doesn't work.

    • @mattsherif9141
      @mattsherif9141 11 months ago

      @@capricornnnn You don't want the ISDB in this case; you want to either come up with your own threat feed, use that as a source and deny anything coming from it. You could also use GEO IP address objects and block those as well. ISDB doesn't apply in this scenario.

    • @capricornnnn
      @capricornnnn 11 months ago

      @@mattsherif9141 So what you are saying is that it's not possible to use ISDB with SSL VPN terminating on a loopback interface? I am testing because my understanding is that in order to use ISDB I have to use a loopback interface, and it's not possible to use ISDB with a local-in policy. A threat feed can be used with a local-in policy. If a threat feed is the only way, then I am thinking of sticking with my current setup and using a threat feed with a local-in policy. Do you have some doc or YouTube video on how to set up an external threat feed? I heard that Talos is free but am not sure how to use it.

    • @mattsherif9141
      @mattsherif9141 11 months ago

      @@capricornnnn I am not saying that, I am saying your best bet is a threat feed. Here's the doc on configuring a threat feed docs.fortinet.com/document/fortigate/7.2.6/administration-guide/379433/configuring-a-threat-feed
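As an added illustration of the approach discussed in this thread (pinning the SSL VPN to a loopback, then denying sources from an external threat feed or a geography object ahead of the accept rule, with a local-in alternative of the kind @scatpack1017 mentions), here is a FortiOS CLI sketch. It is example configuration written for this page, not configuration taken from the video or from Fortinet's documentation. The interface names, the loopback and public addresses, the feed URL, the certificate name and the country code are all placeholders to be replaced with your own values.

```fortios
# Added example, not from the video. Placeholders: wan1, lo-sslvpn,
# 10.255.255.1, 203.0.113.10, the feed URL, the certificate name, "XX".

# 1. Loopback that the SSL VPN daemon will listen on
config system interface
    edit "lo-sslvpn"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Bind SSL VPN to the loopback instead of the WAN interface
config vpn ssl settings
    set servercert "sslvpn-cert-placeholder"
    set port 443
    set source-interface "lo-sslvpn"
end

# 3. VIP: public address on wan1 forwarded to the loopback, TCP/443 only
config firewall vip
    edit "vip-sslvpn"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.255.255.1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 4. External threat feed (plain IP/CIDR list, one per line) and a geography object
config system external-resource
    edit "feed-blocklist"
        set type address
        set resource "https://feeds.example.invalid/blocklist.txt"
        set refresh-rate 5
    next
end
config firewall address
    edit "geo-blocked-country"
        set type geography
        set country "XX"
    next
end

# 5. Firewall policies toward the loopback. Policy order matters: the deny
#    rule is created first so it sits above the accept rule. Matches are
#    logged under Local Traffic, not Forward Traffic, as noted in the thread.
config firewall policy
    edit 10
        set name "sslvpn-deny-bad-sources"
        set srcintf "wan1"
        set dstintf "lo-sslvpn"
        set srcaddr "feed-blocklist" "geo-blocked-country"
        set dstaddr "vip-sslvpn"
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 11
        set name "sslvpn-allow"
        set srcintf "wan1"
        set dstintf "lo-sslvpn"
        set srcaddr "all"
        set dstaddr "vip-sslvpn"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 6. Alternative without the loopback: drop feed sources on the WAN interface
#    with a local-in policy (evaluated before the SSL VPN daemon sees the TCP session)
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "feed-blocklist"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

A quick check after applying this: connect from a host whose address is on the feed and confirm the session is denied and appears in the local traffic log with the deny policy's name; then connect from a clean address and confirm the accept rule's hit counter increments. If the feed object is empty, verify that the FortiGate can actually fetch the resource URL and that the refresh has run, since an unreachable feed matches nothing and the deny rule will silently pass everything down to the accept rule.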