Which IPS profile for sslvpn

Hi
In order to protect the SSL VPN of the FortiGate, I was thinking of adding an IPS profile on the rule that manages the SSL VPN access. Which profile would you use for that? BTW, is it a good idea?

  1. First, to inspect SSL VPN traffic, you must configure the SSL VPN to listen on a loopback interface or any internal interface and use a VIP (DNAT). This allows you to control SSL VPN access via a firewall policy, and then you can apply a security profile on that firewall policy. (If you have multiple VDOMs and you have an "external" and an "internal" VDOM, use the internal VDOM as the SSL VPN server so you can add an access policy on the external VDOM and add the IPS profile to that policy.)

  2. You must inspect the traffic that is coming to the SSL VPN interface. To achieve that, configure an inbound SSL inspection profile (Protecting SSL Server) and use the SSL VPN certificate to perform the SSL inspection. Without deep inspection the IPS is useless.

  3. There are several options to set up a suitable profile. I recommend creating a profile with these filters:
     - Target: Server
     - Severity: medium or above
     - Protocol: HTTP and HTTPS
     - OS: All and Other

This profile "catches" more signatures than those relevant only for Fortinet products, so you can tune it further to save memory and CPU resources.

Instead, you can add only specific signatures for the SSL VPN by adding all the matching signatures when you search for FortiOS or Fortinet, but you must maintain that list because it is a static list and is not updated automatically.

Note: Using deep SSL inspection on SSL VPN related traffic will "break" certificate authentication (mTLS), so if you enforce client certificate verification or limit access to ZTNA-allowed clients only, the users will not be able to connect to the SSL VPN. Additionally, SSL inspection and IPS on SSL VPN traffic may cause performance degradation or slow VPN speed, depending on your amount of SSL VPN traffic and your FortiGate model, so use it carefully.

Starting from FOS 7.4, you have the ability to apply virtual patching (from Fortinet's perspective, it means "kind of" an IPS) on the local-in traffic via a local-in policy. The FortiGate downloads the relevant vulnerability list for the running version and applies the signatures. I haven't tested it yet, so you can try it and tell us if it works :wink:

And remember, patching your firmware to an up-to-date version is the best protection for your firewall, better than any IPS system.
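As an added example (not part of the reply above, and not Fortinet's own documentation), this is what the procedure in that reply looks like as FortiOS CLI configuration: SSL VPN listening on an internal interface, a VIP (DNAT) in front of it, an inbound SSL inspection profile using the SSL VPN certificate, an IPS sensor with the filters listed above, and a firewall policy that attaches both profiles. The interface names, certificate name, addresses (RFC 5737 documentation ranges), port and the exact values of the `protocol`/`os` filter keywords are assumptions; verify the option names against the CLI reference for your FortiOS version before applying.

```fortios
# Added example, not from the post. Assumed names: wan1, port10, sslvpn-cert,
# 203.0.113.10 (public), 10.255.255.1 (internal listener), port 10443.

# 1. SSL VPN listens on an internal interface (assumed port10), not on wan1.
config vpn ssl settings
    set servercert "sslvpn-cert"
    set port 10443
    set source-interface "port10"
    set source-address "all"
    set default-portal "web-access"
end

# Custom service matching the listener port
config firewall service custom
    edit "TCP-10443"
        set tcp-portrange 10443
    next
end

# 2. VIP (DNAT) from the public address to the internal listener, so access is
#    controlled by a firewall policy (where security profiles can be applied).
config firewall vip
    edit "vip-sslvpn"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.255.255.1"
        set portforward enable
        set protocol tcp
        set extport 10443
        set mappedport 10443
    next
end

# 3. Inbound SSL inspection ("Protecting SSL Server") with the SSL VPN
#    certificate, so the FortiGate can decrypt traffic to the listener.
#    Note: this breaks client-certificate (mTLS) authentication, as the post warns.
config firewall ssl-ssh-profile
    edit "sslvpn-inbound"
        set server-cert-mode replace
        set server-cert "sslvpn-cert"
        config https
            set ports 10443
            set status deep-inspection
        end
    next
end

# 4. IPS sensor with the filters from the post: Target=Server,
#    Severity=medium and above, Protocol=HTTP/HTTPS, OS=All/Other.
#    The protocol and os keyword values are assumed; check "set protocol ?" / "set os ?".
config ips sensor
    edit "sslvpn-server"
        config entries
            edit 1
                set location server
                set severity medium high critical
                set protocol HTTP HTTPS
                set os all other
                set status enable
                set action default
            next
        end
    next
end

# 5. Policy wan1 -> port10 to the VIP, with SSL inspection and IPS attached.
config firewall policy
    edit 0
        set name "sslvpn-inbound-ips"
        set srcintf "wan1"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "vip-sslvpn"
        set action accept
        set schedule "always"
        set service "TCP-10443"
        set utm-status enable
        set ssl-ssh-profile "sslvpn-inbound"
        set ips-sensor "sslvpn-server"
        set logtraffic all
    next
end
```

To check that decryption is actually happening rather than the IPS seeing only ciphertext, look at the UTM/IPS logs for this policy after connecting a client, or enable an SSL mirror on the policy and confirm the mirrored traffic is plaintext HTTP; if it is still encrypted, the IPS sensor is not inspecting anything useful. The certificate referenced by `servercert` and `server-cert` must be the same one, otherwise the FortiGate cannot decrypt the sessions.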

Do not do SSL VPN on a loopback; SSL inspection will not work. I've tested this in depth. For best results, do SSL VPN in a separate VDOM. I wrote a guide for this. I can send it to you if you want.

Thanks for the complete explanation!

Elaborate on this? What exactly are you trying to inspect?

Yes, that would help, thanks.

If you don't believe me, try it yourself. Configure an SSL mirror in the policy for 'outside' → 'loopback' and analyze the mirrored traffic. You will see encrypted traffic.

Move SSL VPN to a dedicated VDOM, update the policy, and you will see decrypted traffic in the SSL mirror.

Also try to run an exploit or a custom IPS signature before/after and observe the results.

Virtual patching is a good solution, but you can't customize the IPS signatures.

Inbound SSL inspection of the traffic destined to the SSL VPN interface, not the user traffic itself. SSL inspection doesn't work when it's listening on a loopback. Tested this on 7.0, 7.2 and 7.4.