Tag Archives: FortiGate Firewall

FortiGate Next Generation Firewall leverages dedicated security processors and threat intelligence security services from FortiGuard.

Issue using FortiClient on Windows 11

FortiClient on Windows 11 shows the Warning: Credential or SSLVPN configuration is wrong. (-7200)

Credential or SSLVPN configuration is wrong. (-7200)

FortiClient SSL-VPN connects successfully on Windows 10 but not on Windows 11. An article posted by Fortinet staff in the Fortinet community describes a potential cause for why SSL-VPN connections may fail on Windows 11 yet work correctly on Windows 10.

  SSL-VPN tunnel-mode connections via FortiClient fail at 48% on Windows 11 and show the warning: Credential or SSLVPN configuration is wrong (-7200). We remember that tunnel-mode connections were working fine on Windows 10.

Users are unable to authenticate if they are in a User Group that is configured in an SSL-VPN Authentication/Portal Mapping (known as authentication-rule in the CLI), but they can successfully authenticate when using the All Other Users/Groups catch-all authentication rule.

Windows 11 uses TLS 1.3 by default for outbound TLS connections, whereas Windows 10 appears to use TLS 1.2 by default.

The cipher setting of an SSL-VPN authentication-rule is high by default. This setting restricts the acceptable key strength of the encryption cipher in use to ≥ 168 bits.

If TLS-AES-256-GCM-SHA384 is removed from the list, Windows 11/FortiClient will still be able to establish a TLS 1.3 connection using one of the alternative TLS Cipher Suites available.

Windows 11 may therefore be unable to connect to the SSL-VPN if the ciphersuite setting on the FortiGate has been modified to remove TLS-AES-256-GCM-SHA384, and an SSL-VPN authentication-rule has been created for a given User Group that has the cipher setting set to high (which it is by default): the TLS 1.3 session is negotiated with one of the remaining suites, and the rule's high key-strength requirement then rejects the authentication.

To resolve the issue, run the following commands in the FortiGate CLI. First, show the current SSL-VPN settings on the FortiGate appliance:

show vpn ssl settings

Then use unset to restore the default cipher suite list, which contains the suites Windows 11 can use:

config vpn ssl settings
  unset ciphersuite
end

Or add the missing suite back to the existing list with the append command:

config vpn ssl settings
  append ciphersuite TLS-AES-256-GCM-SHA384
end

Note: see Microsoft Learn for the list of TLS cipher suites in Windows 11.
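As an added check (my own example, not code from the original post or from Fortinet), the following Python parses a constructed sample of `show vpn ssl settings` output and lists the authentication-rules that expose the -7200 failure described above: a custom ciphersuite list without TLS-AES-256-GCM-SHA384 combined with a rule whose cipher is high. The sample output, the group names and the helper names are assumptions; the parser relies on FortiOS not printing settings that are still at their default.

```python
# Constructed sample of `show vpn ssl settings` output (not a real appliance dump).
# FortiOS omits defaults: rule 1 has no `set cipher` line, so it is "high".
SAMPLE_SHOW_OUTPUT = """\
config vpn ssl settings
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-CHACHA20-POLY1305-SHA256
    config authentication-rule
        edit 1
            set groups "vpn-users"
        next
        edit 2
            set groups "contractors"
            set cipher medium
        next
    end
end
"""

REQUIRED_SUITE = "TLS-AES-256-GCM-SHA384"

def parse_ssl_settings(text: str) -> dict:
    """Return the ciphersuite list (None = default) and the authentication-rules."""
    result = {"ciphersuite": None, "rules": []}
    rule, in_rules = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules and line.startswith("edit "):
            rule = {"id": int(line.split()[1]), "groups": [], "cipher": "high"}
        elif in_rules and line == "next":
            result["rules"].append(rule)
            rule = None
        elif in_rules and line == "end":
            in_rules = False
        elif rule is not None and line.startswith("set groups "):
            rule["groups"] = line.split('"')[1::2]  # quoted group names
        elif rule is not None and line.startswith("set cipher "):
            rule["cipher"] = line.split()[2]
        elif not in_rules and line.startswith("set ciphersuite "):
            result["ciphersuite"] = line.split()[2:]
    return result

def affected_rules(settings: dict) -> list:
    """IDs of rules Windows 11 clients cannot pass: custom ciphersuite list lacks
    TLS-AES-256-GCM-SHA384 and the rule still requires cipher high."""
    suites = settings["ciphersuite"]
    if suites is None or REQUIRED_SUITE in suites:
        return []
    return [r["id"] for r in settings["rules"] if r["cipher"] == "high"]
```

Paste the real `show vpn ssl settings` output in place of the sample; an empty result means either the default list is in use or no rule still requires cipher high.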

Using FortiGate as a DNS Server

How to use a FortiGate as a recursive DNS server

This tutorial describes how to create an unauthoritative primary recursive DNS server on a FortiGate for the local network. The interface mode is recursive so that, if a request cannot be answered from the local DNS database, the external DNS forwarders are queried.

Note: FortiGate as a DNS server also supports TLS and HTTPS (DoT/DoH) connections from DNS clients.

To enable DNS server options in the GUI

  • Go to System > Feature Visibility.
  • Enable DNS Database in the Additional Features section.
  • Click Apply.

To configure FortiGate as a primary DNS server

  • Go to Network > DNS Servers.
  • In the DNS Database table, click Create New.
  • Set Type to Primary.
  • Set View to Shadow.
    If Shadow is selected, only internal users can use it.
  • Enter a DNS Zone.
  • Enter the Domain Name of the zone.
  • Enter the Hostname of the DNS server.
  • Enter the Contact Email Address for the administrator.
  • Disable Authoritative.

Create new DNS entries

  • In the DNS Entries table, click Create New.
  • Choose Type Address (A).
  • Enter the Hostname.
  • Enter the IP Address.
  • Set TTL to Use Zone TTL.
  • Enable Status.
  • Click OK.

Enable DNS services on an interface

FortiGate recursive DNS server

  • In the DNS Service on Interface table, click Create New.
  • Select the Interface for the DNS server, such as LAN.
  • Set the Mode to Recursive.
  • Click OK.

A few words about Fortinet FortiGate

Fortinet FortiGate provides users with next-generation firewall solutions that provide proven protection with unmatched performance across the network, from internal segments to data centers to cloud environments. You can protect every part of your network without exception.

FortiGate is an innovative line of firewalls that aim to protect organizations from all types of web-based network threats. They come in a wide variety of product types. FortiGate’s solutions are available in a large range of sizes and form factors and are key components of the Fortinet Security Fabric, which enables immediate, intelligent defense against known and new threats throughout the entire network.