Public/Write-SSLVPNConfig.ps1

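Function Write-SSLVPNConfig {

    <#
    .SYNOPSIS
    Emits a FortiOS CLI script that configures an LDAP-authenticated SSL VPN tunnel portal.

    .DESCRIPTION
    Builds one multi-line string of FortiOS CLI commands (LDAP server, user group, two address
    objects, SSL VPN portals and settings, and one firewall policy from ssl.root to the LAN
    interface) with the supplied values interpolated, and writes that string to the pipeline.
    Nothing is sent to a device; the caller reviews and applies the text.

    .PARAMETER CommaSeperatedDNSSuffixes
    Comma-separated DNS suffixes placed on the portal's split-dns "set domains" line.

    .PARAMETER DNofParentOU
    Distinguished name used as the LDAP search base ("set dn").

    .PARAMETER DNSServerIP
    Dotted-quad IPv4 address used as the LDAP server address and as dns-server1 in both the
    portal and the global SSL VPN settings. Each octet must be in the range 0-255.

    .PARAMETER InternalLanSubnetMask
    Dotted-quad subnet mask (not a prefix length) for the SSLVPN_InternalLan address object.
    Only the dotted-quad shape is checked; a dotted quad that is not a contiguous mask is still
    accepted.

    .PARAMETER InternalLanIP
    Dotted-quad IPv4 network address of the internal LAN.

    .PARAMETER LanInterfaceName
    Name of the LAN interface used as the policy's dstintf.

    .PARAMETER LDAPServerFriendlyName
    Name of the LDAP server object; it is also the sole member of the SSLVPNUsers group.

    .PARAMETER ServiceAccountPassword
    Password of the LDAP bind account. It is written into the output in clear text.

    .PARAMETER ServiceAccountsAMAccountName
    sAMAccountName of the LDAP bind account.

    .PARAMETER WanInterfaceName
    Name of the WAN interface on which the SSL VPN listens (port 10443).

    .OUTPUTS
    System.String. A single multi-line FortiOS CLI script, starting with a blank line.

    .NOTES
    Properties of the emitted text, as written:
    - ServiceAccountPassword appears in clear text on the "set password" line; handle the output
      as a secret (keep it out of logs and source control).
    - "set ssl-min-proto-ver tls1-0" allows TLS 1.0 clients; raise the minimum on the device if
      the client population permits.
    - The "config user ldap" block emits no "set secure" line, so the bind presumably uses plain
      LDAP unless the device default differs; confirm on the target FortiOS version.
    - The SSLVPN policy uses "set srcaddr all" and "set service ALL" toward SSLVPN_InternalLan;
      narrow it after deployment if the VPN only needs specific services.
    - Parameter values are interpolated verbatim and are not escaped; a value containing a
      double quote or a newline would break or alter the surrounding CLI line. Only the three
      IPv4 fields are validated.

    .LINK
    https://github.com/TheTaylorLee/FortiWizard/tree/main/docs
    #>


    [CmdletBinding()]
    [OutputType([string])]
    Param (
        [Parameter(Mandatory = $true)][string]$CommaSeperatedDNSSuffixes,
        [Parameter(Mandatory = $true)][string]$DNofParentOU,
        # Octets are limited to 0-255; a bare 1-3 digit group would otherwise pass (e.g. 999.1.1.1).
        [Parameter(Mandatory = $true)][ValidatePattern('^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$')][string]$DNSServerIP,
        [Parameter(Mandatory = $true)][ValidateScript( {
                # Same octet rule as the IP parameters; the custom message explains that a prefix
                # length such as "24" is not accepted here, rather than just reporting a mismatch.
                if ($_ -match '^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$') {
                    $true
                }
                else {
                    throw "$_ is an invalid pattern. You must provide a subnet mask and not a prefix."
                }
            })][string]$InternalLanSubnetMask,
        [Parameter(Mandatory = $true)][ValidatePattern('^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$')][string]$InternalLanIP,
        [Parameter(Mandatory = $true)][string]$LanInterfaceName,
        [Parameter(Mandatory = $true)][string]$LDAPServerFriendlyName,
        [Parameter(Mandatory = $true)][string]$ServiceAccountPassword,
        [Parameter(Mandatory = $true)][string]$ServiceAccountsAMAccountName,
        [Parameter(Mandatory = $true)][string]$WanInterfaceName
    )


    # The script is built as a here-string so the embedded CLI quoting reads as it will appear
    # on the device. The leading blank line and the single-space separator lines are part of
    # the emitted text.
    $config = @"

#initial setup for enabling the Forticlient VPN Config
 
config user ldap
    edit "$LDAPServerFriendlyName"
        set server $DNSServerIP
        set cnid sAMAccountName
        set dn "$DNofParentOU"
        set type regular
        set username "$ServiceAccountsAMAccountName"
        set password $ServiceAccountPassword
    next
end
 
config user group
    edit SSLVPNUsers
        set member "$LDAPServerFriendlyName"
    next
end
 
config firewall address
    edit SSLVPN_TUNNEL_ADDR1
        set type iprange
        set associated-interface ssl.root
        set start-ip 10.212.134.1
        set end-ip 10.212.134.254
    next
end
 
config firewall address
    edit SSLVPN_InternalLan
        set visibility disable
        set subnet $InternalLanIP $InternalLanSubnetMask
    next
end
 
config vpn ssl web portal
    delete full-access
    delete web-access
    edit tunnel-access
        set tunnel-mode enable
        set ip-pools SSLVPN_TUNNEL_ADDR1
        set ipv6-tunnel-mode disable
        config split-dns
        edit 1
            set domains "$CommaSeperatedDNSSuffixes"
            set dns-server1 $DNSServerIP
        next
        end
    next
    edit no-access
        set forticlient-download disable
    next
end
 
config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set idle-timeout 43200
    set auth-timeout 43200
    set tunnel-ip-pools SSLVPN_TUNNEL_ADDR1
    set dns-server1 $DNSServerIP
    set source-interface "$WanInterfaceName"
    set source-address all
    set source-address6 all
    set default-portal no-access
    set port 10443
    config authentication-rule
        edit 1
            set groups SSLVPNUsers
            set portal tunnel-access
        next
    end
end
 
config firewall policy
    edit 0
        set name SSLVPN
        set srcintf ssl.root
        set dstintf "$LanInterfaceName"
        set srcaddr all
        set dstaddr SSLVPN_InternalLan
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile 'Block Malicious'
        set ips-sensor default
        set nat enable
        set groups SSLVPNUsers
    next
end
"@

    Write-Output $config

}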