Table of Contents
- Introduction
- Change the default SSL VPN port 10443/443 to anything else
- Do not use local users for authentication, and if you do, keep passwords elsewhere and/or enable MFA
- Enable Multi-Factor Authentication for VPN users
- Limit access to VPN SSL portal to specific IP addresses
- Move VPN SSL listening interface to a Loopback interface
- (Less preferred than above) Limit access to SSL VPN portal in Local-in Policy
- Limit access to portal by GeoIP location
- Block access to/from Tor Exit Nodes and Relays to anything
- Install trusted CA-issued certificate, but don’t issue Let’s Encrypt certificates directly on the Fortigate
- Configure email alert on each successful VPN SSL connection
- Prevent re-using the same user account to connect in parallel
- In security rules, allow access only to specific destinations and…
Author: Yuri Slobodyanyuk