By Manny Fernandez

May 18, 2020

FortiClient CLI for Linux using Realms

Last year I wrote an article about installing FortiClient on a Linux machine.  There were two options: CLI and GUI.  Today a customer told me he was unable to connect to an SSL VPN I had set up that had multiple realms.  His connection was failing.  I had tested on my MacBook, a WinDoze 10 machine, and on my iPhone with much success, but he was unable to connect.  I did a Zoom meeting with him and realized that he was ssh'ing to a Linux VM and running the CLI client from there.  Here is a quick article showing the proper syntax for the CLI when using realms.

FortiClient command line syntax

./forticlientsslvpn_cli --server vpn.myinfoseclab.com:4443/contractor --vpnuser tstark
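The realm name is carried as a path component after the host and port in the --server value, so a missing or mistyped realm sends the client to the wrong portal (or to no portal at all). The following wrapper is an added example, not part of the original post or of Fortinet's client: it assembles the --server argument from separate host, port and realm values, rejects realm names with characters that would change the URL path, and prints the resulting command line (running it only when RUN=1 is set). The client path in FCLI is an assumption; the only client flags used are the two shown in the command above.

```shell
#!/bin/sh
# Added example (not from the original post): build the --server argument for
# forticlientsslvpn_cli so the realm is appended to host:port as a URL path.
# Assumptions: FCLI is the client location (adjust to your install); host,
# port, realm and user defaults below are the values from the post's command.

FCLI="${FCLI:-./forticlientsslvpn_cli}"   # assumed binary location

# Accept only letters, digits, '-' and '_' as a realm name (our own rule for
# this wrapper), so a stray '/', space or '..' cannot alter the requested URL.
valid_realm() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print "host:port/realm", or "host:port" when no realm is given.
# Usage: build_server_arg HOST [PORT] [REALM]   (PORT defaults to 443)
build_server_arg() {
  host="$1"; port="${2:-443}"; realm="$3"
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
  esac
  if [ -n "$realm" ]; then
    valid_realm "$realm" || { echo "invalid realm name: $realm" >&2; return 1; }
    printf '%s:%s/%s\n' "$host" "$port" "$realm"
  else
    printf '%s:%s\n' "$host" "$port"
  fi
}

# Print the full command line; execute it only when RUN=1 is set.
# Usage: connect_vpn HOST PORT REALM USER
connect_vpn() {
  server=$(build_server_arg "$1" "$2" "$3") || return 1
  user="$4"
  printf '%s --server %s --vpnuser %s\n' "$FCLI" "$server" "$user"
  if [ "${RUN:-0}" = "1" ]; then
    [ -x "$FCLI" ] || { echo "client not found or not executable: $FCLI" >&2; return 1; }
    "$FCLI" --server "$server" --vpnuser "$user"
  fi
}

# The post's example: contractor realm on port 4443, user tstark.
connect_vpn vpn.myinfoseclab.com 4443 contractor tstark
```

Run it once without RUN=1 to confirm the printed --server value ends in the realm you configured on the FortiGate; if the realm is missing from that value the client will land on the default portal, which is exactly the symptom described above.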

FortiGate Realm Configuration

On the FortiGate you would have a configuration similar to this:

Realm

Note:  You will need to enable SSL-VPN Realms by choosing System, then Feature Visibility, then enabling SSL-VPN Realms.

2020-05-18_16-48-31.png

Next, go to VPN, then SSL-VPN Realms, then Create New.

2020-05-18_16-40-05.png

Portal

Now you will need to create a VPN portal (profile) to be used by Contractors.  This lets you define a different VPN address pool, split or non-split tunneling, etc.

2020-05-18_16-42-46.png

I have already created a VPN tunnel for a previous portal, named BananaSplit.

Authentication Portal Mapping

2020-05-18_16-44-06.png

You will then need to map the user/group and the specific realm (contractors) to the portal (BananaSplit).

Policy

Now we need a firewall policy that contains the Contractor-Group.

2020-05-18_16-46-14.png


Hope this helps.
