How to disable Web Portal in SSL VPN - FortiGate

Let's see how to avoid that security risk in a simple way.

VPN

8/18/2024, 1 min read

SSL VPN is widely used on firewalls to give remote users secure access to internal services over the internet.

One of the features of this kind of VPN is web mode. It lets a remote user reach services behind the firewall, such as an intranet site, SSH or RDP, through a web portal where the user enters credentials in the browser, without installing the FortiClient software.

So, what's the problem?

Even when web mode is disabled in the SSL-VPN portal profiles, the login page is still served to external users, authentication form fields included. When authentication is integrated with LDAP or RADIUS, that page gives attackers a place to brute-force user credentials. For example, a legitimate account such as "administrator" may be configured to lock after three consecutive wrong attempts; an attacker who deliberately triggers that lockout creates a serious mess for the IT team. With automated pentest tools, an exposed login form is all an attacker needs to run such an attack.
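To see what the brute-force scenario above looks like from the defender's side, here is an added example (not part of the original post) that parses FortiGate-style key=value event log lines and flags source IPs hammering the web portal and accounts that have reached the lockout threshold. The sample log lines are constructed for this example; the field names they use (action, tunneltype, remip, user, reason) are assumptions about the SSL VPN login-fail event and are not copied from a real device.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate's key=value event-log style.
# Field names are assumptions for this example, not copied from a device;
# the IP addresses are documentation ranges.
SAMPLE_LOGS = """\
date=2024-08-18 time=10:00:01 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="administrator" reason="sslvpn_login_permission_denied"
date=2024-08-18 time=10:00:03 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="administrator" reason="sslvpn_login_permission_denied"
date=2024-08-18 time=10:00:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="administrator" reason="sslvpn_login_permission_denied"
date=2024-08-18 time=10:00:07 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="jsmith" reason="sslvpn_login_unknown_user"
date=2024-08-18 time=10:01:00 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-tunnel" remip=198.51.100.7 user="maria" reason="sslvpn_login_permission_denied"
date=2024-08-18 time=10:30:00 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="maria"
""".splitlines()

# key=value pairs; the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def web_mode_failures(lines):
    """Yield only failed logins against the web portal (tunneltype ssl-web),
    which is the surface the post is about; tunnel-mode failures are skipped."""
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") == "ssl-login-fail" and rec.get("tunneltype") == "ssl-web":
            yield rec


def find_bruteforce_sources(lines, threshold=3, window_seconds=60):
    """Source IPs with at least `threshold` web-mode failures inside a sliding
    window of `window_seconds`. Returns {remip: sorted usernames tried}."""
    by_ip = defaultdict(list)
    for rec in web_mode_failures(lines):
        by_ip[rec["remip"]].append((event_time(rec), rec.get("user", "")))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({user for _, user in events})
                break
    return hits


def users_at_lockout(lines, lockout_after=3):
    """Accounts whose web-mode failure count reached the lockout threshold
    (the "administrator locked after three attempts" case from the post)."""
    counts = Counter(rec.get("user", "") for rec in web_mode_failures(lines))
    return {user: n for user, n in counts.items() if n >= lockout_after}


if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_LOGS))
    print("accounts at lockout threshold:", users_at_lockout(SAMPLE_LOGS))
```

On the sample data the single source 203.0.113.10 is reported with the two usernames it tried, and "administrator" shows up as already at the three-failure lockout threshold; the tunnel-mode failure from 198.51.100.7 is ignored because it is not web-portal traffic.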

Fortinet recommends disabling this feature as a security improvement.

Let's fix it!

To remove that attack surface, we edit the portal's HTML. Go to the "System" menu and open "Replacement Messages". There, select SSL-VPN and edit the entry "SSL-VPN Login Page".

This entry holds the HTML of the login page. To stop it from offering the authentication form fields, remove the HTML from the <body> tag up to %%SSL_HIDDEN%% and save. This change, like every other customization of "Replacement Messages" HTML on a FortiGate, is reversible.
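The edit above, plus the check a practitioner wants after saving it, as an added example that is not part of the original post. The sample page is constructed for this example and is not Fortinet's actual "SSL-VPN Login Page" template; strip_login_form() keeps the <body> tag itself and deletes what follows it through the %%SSL_HIDDEN%% macro, which is how this example reads the post's instruction (confirm the exact span on the real template before saving). login_form_exposed() parses a page and reports whether it still carries a password field. fetch_login_page() assumes the portal is served at /remote/login and is not called by the offline demo.

```python
import re
import ssl
import urllib.request
from html.parser import HTMLParser

# Constructed stand-in for the login page. NOT Fortinet's template; it only
# reproduces the shape the post relies on: a <body> holding the credential
# form, followed by the %%SSL_HIDDEN%% macro.
SAMPLE_LOGIN_PAGE = """<html>
<head><title>SSL VPN</title></head>
<body class="main">
<form action="/remote/logincheck" method="post" name="f">
<input type="text" name="username" id="username">
<input type="password" name="credential" id="credential">
<input type="submit" value="Login">
</form>
%%SSL_HIDDEN%%
</body>
</html>
"""

MACRO = "%%SSL_HIDDEN%%"


def strip_login_form(page):
    """Delete everything after the <body ...> tag up to and including the
    %%SSL_HIDDEN%% macro. Raises if either anchor is missing or out of order,
    so a template with a different layout is not silently mangled."""
    body = re.search(r"<body[^>]*>", page, re.IGNORECASE)
    end = page.find(MACRO)
    if body is None or end < 0 or end < body.end():
        raise ValueError("page does not contain <body> followed by " + MACRO)
    return page[:body.end()] + page[end + len(MACRO):]


class _LoginFieldParser(HTMLParser):
    """Count form elements and credential inputs in a page."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_fields = 0
        self.text_fields = 0

    def handle_starttag(self, tag, attrs):
        attr = {name.lower(): (value or "") for name, value in attrs}
        if tag == "form":
            self.forms += 1
        elif tag == "input":
            kind = attr.get("type", "text").lower()
            if kind == "password":
                self.password_fields += 1
            elif kind in ("text", "email"):
                self.text_fields += 1


def login_form_exposed(page):
    """True if the page still renders a password input, i.e. the web-mode
    credential form is reachable by an external user."""
    parser = _LoginFieldParser()
    parser.feed(page)
    return parser.password_fields > 0


def fetch_login_page(base_url, verify_tls=True, timeout=10):
    """Download the live login page for checking. Assumed path: /remote/login.
    Disable TLS verification only against a lab device with a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/remote/login"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    before = SAMPLE_LOGIN_PAGE
    after = strip_login_form(before)
    print("before edit, form exposed:", login_form_exposed(before))
    print("after edit,  form exposed:", login_form_exposed(after))
```

To check a real firewall after saving the replacement message, call login_form_exposed(fetch_login_page("https://vpn.example.com:10443")) from a host outside the network; it should return False once the form fields are gone.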

Conclusion

After this change the browser no longer shows the authentication form, and remote access is possible only through FortiClient.