TTechclick All lessons
Fortinet · FortiGate · IPsec + SSL VPN🔥 ~90% · #2 in frequency · CVE-2024-21762 eraInteractive · L1 / L2 / L3

FortiGate VPNs — IPsec Phase 1+2, SSL VPN, and the CVE-2024-21762 Hardening Every L2 Must Know

~90% of Fortinet interviews open the second round with "walk me through Phase 1 and Phase 2". Most candidates stop at "DH exchange". Recruiters at the enterprise, an Indian IT services firm, an Indian IT services firm, an Indian MSP and an Indian security firm want the next six lines — IKEv1 vs IKEv2, NAT-T, DPD, why your tunnel won't come up, and what you did about CVE-2024-21762 and the symlink persistence trick. This blog gets you there.

📅 2026-05-26 · ⏱ 11 min · 5 SVG infographics · 2 packet visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick your path — jump to your weak spot

1

IPsec Phase 1 + 2 basics

IKEv1 vs IKEv2, DH groups, PSK vs cert, lifetimes, the visa analogy.

 2

SSL VPN portal vs tunnel

When DTLS beats TLS, FortiClient flow, FortiToken 2FA, split-tunnel rules.

 3

CVE-2024-21762 + symlink trick

Why patched ≠ clean. Audit symlinks even after FortiOS upgrade.

 4

Debug a dead tunnel

`diag vpn ike gateway list` + IKE debug — settle Phase 1/2 in 90 seconds.

Why this matters — the visa interview analogy

Picture a visa interview at the Indian consulate in Frankfurt. Phase 1 is the identity check — the officer verifies your passport, fingerprints, and that you are who you claim. Phase 1 is not about the visa; it is about trust. Phase 2 is the actual visa stamp negotiation — which countries, how many entries, how long. Phase 2 only happens after Phase 1 succeeds. Fail the identity check, and the visa conversation never starts.

FortiGate's IPsec works exactly the same. IKE Phase 1 authenticates the two peers and builds a secure control channel. IKE Phase 2 then negotiates the actual data SAs that will encrypt your user packets via ESP. Phase 2 cannot start until Phase 1 finishes. Get this single mental model right and the next 10 minutes of the interview belong to you.

Scenario · Suhail — L2 network engineer at a Pune banking enterprise

Suhail (L2 network engineer, 4 years in) gets a project: stand up a site-to-site IPsec tunnel from the Pune branch FortiGate-60F (10.20.10.1 internal, public 203.0.113.45) to the Bangalore HQ FortiGate-100F (10.10.0.1 internal, public 203.0.113.10). Subnets 10.20.10.0/2410.10.0.0/16. He also has to roll out FortiClient SSL VPN to 200 work-from-home users in two weeks.

Suhail's first instinct: pick IKEv1 because "everyone knows it". Wrong call. IKEv2 has been the default for new deployments since FortiOS 7.0 — fewer messages, built-in NAT-T, MOBIKE for roaming, and better DPD. He flips the proposal to IKEv2 before he writes a single config line. We will see why at the end.

IPsec stack — control plane vs data plane Layered diagram of the IPsec stack from bottom to top: ESP data-plane carrying encrypted user payload, IKE Phase 2 negotiating ESP SAs, IKE Phase 1 authenticating peers via Diffie-Hellman, and UDP 500/4500 with NAT-T encapsulation as transport. Annotations show DH groups, PFS toggle, lifetime defaults, and auth modes including PSK, certificate and SAML. IPsec on FortiGate — what sits on top of what User application — the enterprise Confluence at 10.10.5.20 ESP (data plane) — encrypted payload, IP protocol 50 IKE Phase 2 / Quick Mode — negotiate ESP SAs IKE Phase 1 — auth peers + Diffie-Hellman UDP 500 (IKE) · UDP 4500 (NAT-T) IP / Ethernet — the public Internet L7 user traffic AES-GCM-256 typical Lifetime ≈ 1800 s Lifetime ≈ 28800 s UDP 4500 when behind NAT No MTU magic needed PFS toggle here New DH per rekey Auth: PSK · cert · SAML DH 14 / 19 / 20 Phase 1 builds the trust channel. Phase 2 carries the keys for ESP. ESP wraps every user packet.
Figure 1. The IPsec stack. Phase 1 builds the secure control channel via Diffie-Hellman. Phase 2 negotiates the ESP SAs that encrypt user packets. ESP rides UDP 4500 when either peer is behind NAT — NAT-T is automatic in IKEv2.

Two phases every interviewer will test

PSK auth in Phase 1 is fastest to set up — two FortiGates, one shared secret, done. Certificate auth scales further: each peer uses an X.509 cert signed by your internal CA. The trade-off is operational: PSK = one secret to rotate per tunnel; cert = a PKI to run. DH group 14 is the floor everyone should hit in 2026; 19 or 20 (ECDH P-256/P-384) for fresh deployments. PFS on Phase 2 is non-negotiable in 2026.

🔐
IKE Phase 1
tap to flip

Authenticates the two peers and creates the IKE SA via Diffie-Hellman. Output: a secure control channel. No data flows yet. Lifetime ≈ 28800 s.

🚪
IKE Phase 2
tap to flip

Negotiates the ESP SAs that carry real user data. Selectors (subnets/protocols/ports) must match exactly on both peers. Lifetime ≈ 1800 s.

🚢
NAT-T
tap to flip

Wraps IKE and ESP inside UDP 4500 when a peer sits behind NAT. FortiGate auto-detects and switches from UDP 500 to 4500 mid-Phase-1.

💓
DPD
tap to flip

Dead Peer Detection — heartbeat over IKE. Default 20-second interval. If 3 misses, FortiGate tears the SA and re-negotiates. Catches dead far-ends fast.

🌐
SSL VPN tunnel
tap to flip

Full IP-layer VPN over DTLS/TLS to FortiClient. Pushes split-tunnel routes and a virtual IP. Portal mode = web bookmarks only, no routing.

📱
FortiToken
tap to flip

TOTP 2FA for SSL VPN and admin login. Soft token on phone (free with FortiClient) or hardware fob. Bound to the user, not the device.

IKE negotiation — see the 6-step handshake

The first time Suhail's the Pune branch FortiGate talks to Bangalore HQ, six discrete messages fly over UDP. Get the order right and you can debug any "tunnel won't come up" in under 90 seconds.

IPsec site-to-site negotiation timeline — the Pune branch to the Bangalore HQ Horizontal 6-stage timeline showing the IKEv2 negotiation between Pune branch FortiGate at 203.0.113.45 and Bangalore HQ FortiGate at 203.0.113.10. Stages: IKE_SA_INIT with Diffie-Hellman and SPI, IKE_AUTH with PSK verification and peer ID exchange, CHILD_SA created for Phase 2, tunnel up with ESP SAs installed, encrypted user packet flowing over ESP, and DPD heartbeat every 20 seconds keeping tunnel alive. IKEv2 site-to-site negotiation — the Pune branch ↔ Bangalore HQ Pune branch FG-60F · 203.0.113.45 Bangalore HQ FG-100F · 203.0.113.10 ① IKE_SA_INIT — DH group 14, SPI, nonce → ← ② IKE_AUTH — verify PSK, exchange peer-IDs ③ CHILD_SA — Phase 2 selectors, ESP SAs → ④ Tunnel UP · ESP SAs installed both directions ⑤ Encrypted user packet (10.20.10.50 → 10.10.5.20) over ESP → ⑥ DPD R-U-THERE every 20s — keeps tunnel alive IKEv2 = 4 messages (2 exchanges). IKEv1 main mode = 9 messages. That alone is why IKEv2 wins.
Figure 2. The full IKEv2 negotiation timeline. IKE_SA_INIT does the DH exchange and SPI assignment. IKE_AUTH proves identity. CHILD_SA negotiates Phase 2. Once the tunnel is up, DPD heartbeat detects a dead far-end inside 60 seconds.
Pro tip — always use IKEv2 unless the far-end literally cannot

IKEv2 negotiates the whole tunnel in 4 messages (2 round-trips); IKEv1 main mode takes 9 messages and 3 round-trips. IKEv2 has built-in NAT-T, MOBIKE for roaming, native rekey without dropping the SA, and stronger anti-replay. The only reason to stay on IKEv1 is a legacy peer (old Cisco ASA pre-9.8 or a vendor box that never got an IKEv2 firmware). FortiGate also defaults Phase 1 lifetime to 86400 s — drop it to 28800 s to match the IKEv2 RFC recommendation and rotate keys more often.

Quick check · Q1 of 10

Suhail's Phase 1 keeps failing in the FortiGate console with no SA proposal chosen. He flipped IKEv2 on his side; the partner team at the HQ swears their side is "the same". What does this error usually mean?

Correct: b. no SA proposal chosen is FortiOS's way of saying "your transform sets don't intersect". Wrong PSK shows as authentication failed; UDP 500 block shows as silent timeout; missing NAT-T shows as Phase 1 up but ESP not flowing. Verify with diag debug application ike -1; diag debug enable and align the proposals.

Real config — IKEv2 site-to-site, both sides

Here is the minimum viable config for Suhail's tunnel. Both FortiGates need a Phase 1 (peer + auth + DH), a Phase 2 (selectors), and a static route pointing the partner subnet at the tunnel interface.

CLI — Pune branch FG-60F 
config vpn ipsec phase1-interface
    edit "the enterprise-BLR-HQ"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "Hcl@Br@nch2HQ#2026"
        set dpd on-idle
        set dpd-retryinterval 20
    next
end

config vpn ipsec phase2-interface
    edit "the enterprise-BLR-HQ-P2"
        set phase1name "the enterprise-BLR-HQ"
        set proposal aes256gcm
        set pfs enable
        set dhgrp 14
        set keylifeseconds 1800
        set src-subnet 10.20.10.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.0.0
    next
end

config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0
        set device "the enterprise-BLR-HQ"
    next
end
Expected output — `get vpn ipsec tunnel summary` 
name           peer            status  uptime    p1/p2
the enterprise-BLR-HQ     203.0.113.10    up      00:00:17  1/1
Decision tree — which Fortinet VPN to deploy Branching decision tree starting from whether both endpoints are static and controlled, leading to IPsec site-to-site with IKEv2 preferred and IKEv1 only for legacy peers and aggressive mode only for dial-up dynamic-IP scenarios. The other branch covers roaming users on laptops or phones, leading to SSL VPN with tunnel mode for full IP and portal mode for web bookmarks, with ZTNA preferred for new builds. A red warning callout flags the behind-NAT gotcha requiring NAT-T enabled and policy NAT disabled on the IPsec route. Which Fortinet VPN do I deploy? Are both endpoints static IPs and under your control? YES → IPsec site-to-site (IKEv2) IKEv2 default · use this IKEv1 main only for legacy peer Aggressive dial-up dynamic IP only NO → Roaming users? → SSL VPN Tunnel mode full IP, DTLS/TLS Portal mode web bookmarks only ZTNA new builds prefer ⚠ Behind-NAT gotcha If one peer sits behind NAT, enable NAT-T (auto in IKEv2). But DO NOT enable a policy-NAT toggle on the IPsec firewall policy itself — it double-translates the source IP and silently breaks Phase 2 selector match. Default mental model: static-to-static → IPsec IKEv2 · users → SSL VPN tunnel mode + FortiToken Aggressive mode and IKEv1 are exceptions, not defaults. Document them when you use them.
Figure 3. The decision tree for picking a Fortinet VPN. Static endpoints both controlled → IPsec IKEv2. Roaming users → SSL VPN tunnel mode (or ZTNA for new builds). Aggressive mode is dial-up only. NAT in the middle? Let NAT-T do its job — never policy-NAT the IPsec packet itself.
Pause & Predict #1

Before you scroll — Suhail's HQ partner enables aggressive mode "for performance". The branch FortiGate sits on a static public IP 203.0.113.45. What's the security trade-off he just made?

He just made the PSK crackable offline. Aggressive mode sends the peer-ID and the PSK-hashed payload in fewer messages but in cleartext-identifiable form. An attacker who sniffs the IKE exchange can mount an offline brute force on the PSK. Aggressive mode exists for one legitimate use case — dial-up VPNs where the client's IP is dynamic and the client cannot be matched by IP. For a static-to-static tunnel like Suhail's, aggressive mode is pure downside. Stay on main mode (IKEv1) or use IKEv2.

▶ Watch the Phase 1 + Phase 2 drama — IKEv2 site-to-site

Suhail's Pune branch FortiGate negotiates with Bangalore HQ. Step through all 7 stages.

① IKE_SA_INITPune FG (203.0.113.45)HQ FG (203.0.113.10) · DH-14 proposal + SPI + nonce
② IKE_SA_INIT (resp)HQ picks DH-14 proposal, sends its SPI + nonce. Shared secret derived both sides.
③ IKE_AUTHBoth peers prove identity with PSK. Peer-IDs exchanged. Phase 1 UP.
④ CHILD_SA / Phase 2Selectors: 10.20.10.0/24 ↔ 10.10.0.0/16. Proposals match. PFS DH-14 fresh exchange.
⑤ TUNNEL UPESP SAs installed both directions. Static route via tunnel intf live.
⑥ USER PACKET10.20.10.50:4821110.10.5.20:443 wrapped in ESP → 203.0.113.45 → 203.0.113.10
⑦ DPDEvery 20 s, R-U-THERE over IKE. 3 misses = SA torn down → renegotiate.
Press Play to walk the IKE Phase 1 + Phase 2 negotiation step-by-step.
Quick check · Q2 of 10

Suhail's tunnel reads "Phase 1 UP, Phase 2 DOWN" in the GUI for 5 minutes. He runs diag debug application ike -1; diag debug enable and sees negotiation result NOT NEGOTIATABLE on the P2 exchange. What is the most likely cause?

Correct: d. The phrase "Phase 1 up, Phase 2 down" almost always means the proxy-IDs (selectors) don't match. PSK mismatch would block Phase 1. NPU offload doesn't affect negotiation. License has nothing to do with IPsec. Run diag vpn ike gateway list on both sides and compare the src/dst subnet lines char-for-char.

SSL VPN — tunnel vs portal, and why DTLS matters

Suhail's second project — 200 work-from-home users on FortiClient. SSL VPN has two flavours, and confusing them in an interview is an instant fail.

Tunnel mode gives the user a real Layer-3 VPN. FortiClient on the laptop creates a virtual adapter, gets a virtual IP from the SSL VPN pool, and the FortiGate pushes split-tunnel routes (e.g. 10.10.0.0/16 via tunnel). Every corporate-bound packet rides DTLS (UDP 443 by default for speed) or TLS (TCP 443 fallback). Browser-only apps, RDP, SSH, file shares — all of it works.

Portal mode is clientless — the user opens a browser, logs into the FortiGate's SSL VPN portal page, and clicks bookmarks: pre-defined RDP, SSH, HTTP/HTTPS shortcuts that the FortiGate proxies on the user's behalf. No virtual IP. No real routing. Useful for unmanaged BYOD laptops where you do not want to install FortiClient. Limited because anything not bookmarked is unreachable.

DTLS matters because tunnel-mode SSL VPN over TLS (TCP) suffers from "TCP-over-TCP" — when a user's RDP session inside the tunnel hits packet loss, both the inner TCP and the outer TCP retransmit, killing throughput. DTLS rides UDP so only the inner stream retransmits. FortiGate prefers DTLS on UDP 443; falls back to TLS on TCP 443 if UDP is blocked (think hotel WiFi, corporate proxies).

CVE timeline — FortiGate SSL VPN attack chain 2024-2025 Horizontal timeline showing CVE-2024-21762 disclosed February 2024 as an SSL VPN daemon out-of-bounds write with CVSS 9.8 exploited weeks before disclosure as a zero-day, followed by exploitation footprint, then CVE-2024-55591 disclosed January 2025 as an authentication bypass via Node.js websocket exploited from November 2024 enabling super-admin account creation, and the FG-IR-24-015 symlink persistence trick where attackers chmod a symlink in the SSL VPN user web mount that survives FortiOS patching and continues to expose device config. End-state shows attacker retaining read access even after the org thinks it has patched. FortiGate SSL VPN attack chain — 2024-2025 Jan 2024 Feb 2024 Nov 2024 Jan 2025 Apr 2025 CVE-2024-21762 sslvpnd OOB write CVSS 9.8 · RCE Exploited as 0-day weeks before disclosure Exploitation footprint 100k+ devices found vulnerable on Shodan CISA emergency directive CVE-2024-55591 jsconsole auth bypass CVSS 9.6 · admin RCE Super-admin account created via crafted call Symlink persistence FG-IR-24-015 SSL VPN user-mount survives firmware upgrade End-state: patched ≠ clean. Symlink persistence keeps attacker config-read access.
Figure 4. The 2024-2025 FortiGate SSL VPN attack chain. CVE-2024-21762 (RCE, exploited as 0-day weeks before Fortinet's Feb 2024 PSIRT advisory) → CVE-2024-55591 (auth bypass exploited since Nov 2024) → symlink persistence in the SSL VPN user web-mount (Fortinet PSIRT FG-IR-24-015, Apr 2025) that survives FortiOS upgrade. Orgs that patched but did not audit symlinks are still leaking config.
Scenario continued · Suhail rolls SSL VPN to 200 work-from-home users

Suhail builds the SSL VPN portal on the Bangalore HQ FortiGate-100F (public 203.0.113.10:443). Tunnel mode, DTLS preferred. Split-tunnel: 10.10.0.0/16 via VPN, everything else direct. FortiClient pushed via Intune. Users log in with AD credentials + FortiToken Mobile TOTP (free with the FortiClient EMS license). Day-one rollout is smooth.

Day three, Suhail's manager forwards an alert from FortiGuard: CVE-2024-55591 IoC pattern detected on a sister FortiGate at the enterprise Chennai. Suhail's job pivots — every FortiGate in the org needs the symlink audit even though they all show "patched" in the dashboard.

The CVE-2024-21762 era — patched is not clean

2024 changed how every L2 thinks about FortiGate SSL VPN. Three incidents you must be able to talk through in any interview after Feb 2024.

CVE-2024-21762 — sslvpnd out-of-bounds write (Feb 2024)

A buffer-handling bug in the SSL VPN daemon (sslvpnd) on FortiOS 7.x and earlier allowed an unauthenticated remote attacker to write outside an allocated buffer and execute arbitrary code as root on the FortiGate. CVSS 9.8. Fortinet disclosed via PSIRT on 2024-02-08; the advisory explicitly noted "potentially being exploited in the wild" — i.e. it was a zero-day for weeks before the patch landed. CISA issued an emergency directive within 24 hours. Tens of thousands of devices were still vulnerable on Shodan weeks later.

Defensive lesson: patch to FortiOS 7.4.3 / 7.2.7 / 7.0.14 / 6.4.15 at minimum. If you cannot patch, disable SSL VPN (config vpn ssl settings → set status disable) or restrict source IPs via local-in policy until you can.

Symlink persistence — patched ≠ clean (Fortinet PSIRT FG-IR-24-015, Apr 2025)

This is the trick every interviewer is testing for in 2026. Attackers who exploited CVE-2024-21762 (or earlier SSL VPN bugs going back to 2023) on un-patched FortiGates chmod'd a symlink inside the SSL VPN user web-mount pointing to the device's config tree. The symlink survives a FortiOS firmware upgrade because the SSL VPN user filesystem is preserved across patching. Orgs that patched to 7.4.3 and breathed easy continued to leak full config read access to the attacker.

The audit: diagnose sys ssl-vpn web-mode list-files and look for any symlink the attacker dropped. Fortinet's April 2025 PSIRT bulletin (FG-IR-24-015) ships a one-shot cleanup script — run it on every SSL-VPN-enabled FortiGate that was ever on a vulnerable build, not just the ones that fired IoC.

CVE-2024-55591 — jsconsole authentication bypass (disclosed Jan 2025, exploited since Nov 2024)

An authentication bypass via the Node.js websocket on the FortiGate's jsconsole management interface. Attackers crafted a CSF (Cluster Synchronization Framework) API call that the websocket accepted without auth, and used it to create a super-admin account on the device. Arctic Wolf and Fortinet correlated activity from at least November 2024 — two months before public disclosure.

IoCs to grep for: unexpected admin accounts (show system admin), new SSL VPN portal bookmarks created by an unknown user, abnormal jsconsole connections in execute log filter category event output, sudden config pushes timestamped outside business hours.

Quick check · Q3 of 10

Suhail patches the the enterprise Chennai FortiGate to FortiOS 7.4.3 (post-CVE-2024-21762 fix). His CISO asks: "Are we definitely clean now?" What is the only correct answer?

Correct: c. The whole point of the FG-IR-24-015 advisory is that patching closes the bug but does not undo prior exploitation artifacts. Symlink persistence is exactly the type of thing patch-only thinking misses. Every Fortinet interviewer asking about CVE-2024-21762 in 2026 is fishing for this answer.

▶ SSL VPN user flow — Suhail's WFH laptop

Suhail testing the rollout from his home WiFi (192.168.1.105, behind home NAT) into Bangalore HQ.

① OPEN FORTICLIENTUser clicks "Connect" on FortiClient · target 203.0.113.10:443
② TLS HANDSHAKETLS 1.3 to FortiGate portal · cert validated · DTLS upgrade offered on UDP 443
③ AUTHSuhail enters AD username + password · FortiGate verifies via LDAP to AD
④ 2FAFortiGate prompts for FortiToken TOTP · Suhail reads 6-digit code from FortiToken Mobile
⑤ DTLS UPDTLS tunnel established on UDP 443 · virtual IP 10.212.134.5 assigned
⑥ SPLIT-TUNNEL ROUTESFortiGate pushes 10.10.0.0/16 via tunnel · everything else direct to home gateway
⑦ CONFLUENCE LOADSSuhail opens https://10.10.5.20 · packet rides DTLS · Confluence renders
Press Play to watch the full FortiClient SSL VPN connect sequence.

Debug a dead tunnel — settle Phase 1/2 in 90 seconds

Rishabh, an L3 at an Indian security firm Bangalore, does not argue about tunnels. He runs three commands.

CLI — IPsec verify (run on both peers) 
diagnose vpn ike gateway list name the enterprise-BLR-HQ
diagnose vpn tunnel list name the enterprise-BLR-HQ
get vpn ipsec tunnel summary
Expected output of `diag vpn ike gateway list` (good case) 
vd: root/0
name: the enterprise-BLR-HQ
version: 2
interface: wan1 9
addr: 203.0.113.45:500 -> 203.0.113.10:500
created: 17s ago
IKE SA: created 1/1  established 1/1  time 17ms
auth: psk
DH group: 14
encryption: aes-256-gcm
state: established
Verify the fix worked

After any IPsec change, run on the branch FortiGate:

diagnose vpn ike gateway list name the enterprise-BLR-HQ — expect state: established, peer 203.0.113.10, DH group 14.

Then for Phase 2: diagnose vpn tunnel list name the enterprise-BLR-HQ — expect both src/dst subnet lines to match the HQ side exactly, and SA: created N established N.

FortiGate VPN debug CLI cheat-sheet A 3-column grid of nine mini-tiles each showing one FortiOS diagnostic CLI command and its one-line use case for debugging Phase 1, Phase 2, SSL VPN sessions, and IKE-level decryption. VPN debug cheat-sheet — nine commands every L3 keeps in muscle memory ① P1 SA STATE diag vpn ike gateway list See all Phase 1 SAs + state ② TUNNEL SUMMARY get vpn ipsec tunnel summary P1/P2 uptime per tunnel ③ IKE DEBUG ON diag debug application ike -1 Decode every IKE message ④ DEBUG ENABLE diag debug enable Stream debug to console ⑤ P2 SA LIST diag vpn tunnel list name <t> Phase 2 selector + bytes ⑥ SSL VPN MONITOR get vpn ssl monitor Live SSL VPN users + IPs ⑦ SSL VPN DEBUG diag debug application sslvpn -1 Per-user TLS/DTLS trace ⑧ IKE LOG FILTER diag vpn ike log filter name <t> Limit IKE log to one tunnel ⑨ P1 CONFIG VIEW config vpn ipsec phase1-interface Compare proposals side-by-side Print this page. These 9 commands handle ~85% of VPN incidents on FortiOS 7.4 / 7.6. Always remember to `diag debug disable` after debugging — leaving it on burns CPU.
Figure 5. CLI cheat-sheet. 9 commands handle ~85% of IPsec + SSL VPN incidents in the field. Bookmark this page or screenshot for your lab bench. Disable debug after every session — IKE-debug stays expensive even on a 100F.
Pause & Predict #2

Suhail's branch FortiGate sits behind an ISP modem doing NAT (CG-NAT is no, but the modem hands out 100.64.0.7 to the WAN1 interface). Phase 1 won't even start. What's the single setting most likely missing?

NAT-T detection on Phase 1. On IKEv2 this is on by default, but on IKEv1 you need set nattraversal enable on the phase1-interface. Also confirm the modem is forwarding UDP 500 and UDP 4500 to the FortiGate WAN1 — most consumer modems block 4500 by default. The wrong fix is to enable policy-NAT on the IPsec firewall policy — that double-translates the source IP, breaks Phase 2 selectors, and gets you stuck in negotiation loops.
Pause & Predict #3

Suhail's CISO emails: "We are exposed to CVE-2024-55591 — is our SSL VPN safe?". Suhail's instinct is "yes, we patched". Why is that incomplete?

Three reasons. (1) CVE-2024-55591 is a management-plane auth bypass via jsconsole — different vector from the SSL VPN data-plane CVE-2024-21762; he must confirm management access is restricted to a trusted-host list, not "any". (2) The Arctic Wolf timeline shows exploitation since November 2024 — two months before the public CVE — so the right question is "what is the IoC posture on every FortiGate we own?" not "are we patched today?". (3) Symlink persistence (FG-IR-24-015) means a patched FortiGate that was exploited in 2024 still leaks config until the symlink is removed. Suhail's reply should be: patched + trusted-host restricted + admin accounts re-baselined + symlink cleanup script run + monitoring on for IoC.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. Tuned on FortiOS 7.4 / 7.6 docs + Fortinet PSIRT advisories.

Pre-curated answers grounded in FortiOS 7.4 / 7.6 admin docs + Fortinet PSIRT FG-IR-24-015. For complex prod issues, paste your diag vpn ike gateway list + diag vpn tunnel list output into chat.techclick.in.

📝 Final round — seven more

You've already answered 3 inline. Seven more. 70% (7 of 10) total marks this lesson complete on your Techclick profile. Tap Submit all answers at the end.

Q4 · Remember

Neha at an Indian IT services firm Bangalore is asked: "On a FortiGate, what is the main difference between IKEv1 and IKEv2 for a site-to-site IPsec tunnel?"

Correct: a. IKEv2 is the modern default. IKE itself rides UDP 500/4500, not TCP. IKEv2 supports both PSK and cert. IKEv2 still negotiates Phase 2 (called CHILD_SA). The 4-message vs 9-message round-trip count + built-in NAT-T is the textbook L1/L2 answer.
Q5 · Apply

Aditya at an Indian IT services firm Bangalore configures a dial-up VPN: many remote sites with dynamic public IPs (small retail branches on broadband) terminating on a central FortiGate-200F. Which Phase 1 mode is the only correct choice here?

Correct: b. Main mode picks the phase1-interface by source IP — impossible when the peer IP is dynamic. Aggressive mode (the legitimate use case) or IKEv2 sends peer-ID early, so FortiOS can map to the right config. SSL VPN is for users, not site-to-site. Option d sounds clever but main mode still cannot select the right config from "all peers".
Q6 · Apply

Karthik at an Indian IT services firm Pune rolls out SSL VPN to 300 users. Compliance demands 2FA. He chooses FortiToken Mobile. Which statement is correct?

Correct: c. FortiToken Mobile is a TOTP soft token (RFC 6238) — bound to the user identity, not the device, so a stolen phone with a fresh provision link doesn't bypass auth. Free with FortiClient EMS subscription; paid standalone seats also exist. Option a confuses it with SMS OTP. Hardware FortiToken-200 fobs are a separate SKU.
Q7 · Analyze

Suhail's branch ↔ HQ tunnel comes up cleanly in the GUI, P1 and P2 both green. But traffic from 10.20.10.50 to HQ Confluence at 10.10.5.20 times out. diag sniffer packet any 'host 10.20.10.50' 4 0 l on the branch FG shows the user's TCP SYN, but it never reaches HQ. What is the most likely cause?

Correct: a. The classic "tunnel green, traffic dead" sign is a routing problem, not an IPsec problem. The phase2 selectors install kernel SAs but you still need a route pointing the destination subnet at the tunnel interface. Confirm with get router info routing-table all | grep 10.10 — the next-hop should be the tunnel interface, not WAN1.
Q8 · Analyze

Suhail audits the the enterprise Chennai FortiGate for CVE-2024-55591 IoCs. Which combination below is the strongest indicator that the device was actually compromised, not just exposed?

Correct: b. The Arctic Wolf + Fortinet PSIRT bulletins for CVE-2024-55591 list super-admin creation + new SSL VPN bookmarks + abnormal jsconsole as the IoC triad. Each on its own is weak; all three correlated is definitive. CPU spikes and failed logins are noise. The lesson: IoCs are about correlation, not single signals.
Q9 · Evaluate

An architect at the enterprise proposes: "For our 200-site branch tunnel mesh, let's use IKEv2 with PSK auth and DH-5 (MODP-1536) to keep CPU low on the small FG-30E boxes." Is this proposal sound?

Correct: c. NIST and most compliance frameworks treat DH-5 as deprecated. DH-14 (2048-bit MODP) is today's floor; ECDH groups 19 and 20 are preferred when both peers support them. IKE version and cipher choice are independent of DH group strength. The "low CPU" argument is a 2010-era myth — modern FortiASIC NP6/NP7 SoCs offload DH at multi-Gbps.
Q10 · Evaluate

Pune branch has a single, simple subnet (10.20.10.0/24) talking to Bangalore HQ's larger network (10.10.0.0/16). The interviewer asks Suhail: "Why use a static route + a phase2 selector instead of just one of them?" Pick the best framing.

Correct: d. This is THE classic L3 question and Suhail's interviewer is checking if he understands the separation of routing-plane vs IPsec policy-plane. Route-based VPN on FortiGate still needs both: a route to steer the packet at the tunnel interface, and a phase2 selector so the kernel encapsulates with the right SA. Option a inverts the truth; option b confuses route-based with policy-based VPN.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

Self-explanation prompt

In 2-3 sentences, explain to a hypothetical batchmate: "Why does patching FortiOS 7.4.3 for CVE-2024-21762 not automatically make my FortiGate clean?" Writing it out cements the symlink-persistence idea faster than re-reading.

📤 Teach a friend on WhatsApp: Share

📖 Mini-glossary — terms used in this blog

IPsec
IETF protocol suite for encrypted, authenticated tunnels.
IKE
Internet Key Exchange — the control-plane protocol that builds IPsec SAs.
Phase 1
Authenticates peers and creates the IKE SA via Diffie-Hellman.
Phase 2
Negotiates the ESP SAs (selectors) that carry real user data.
ESP
Encapsulating Security Payload — IP proto 50, the data plane of IPsec.
DH group
Diffie-Hellman modulus size. DH-14 (MODP-2048) is the 2026 floor.
PSK
Pre-shared key — simple peer auth, painful at scale.
PFS
Perfect Forward Secrecy — fresh DH per rekey. Always enable.
NAT-T
NAT Traversal — wraps IKE/ESP in UDP 4500 when behind NAT.
DPD
Dead Peer Detection — heartbeat on the IKE channel.
SSL VPN
VPN over TLS/DTLS to a FortiClient or browser portal.
DTLS
TLS over UDP — avoids TCP-over-TCP meltdown for tunnel-mode.
Tunnel mode
Full IP-layer SSL VPN with virtual IP and split-tunnel routes.
Portal mode
Clientless SSL VPN — bookmarks only, no routing.
FortiToken
TOTP 2FA — soft on phone or hardware fob.
FortiClient
The Fortinet endpoint agent that establishes the SSL VPN.
Dial-up VPN
Many remote peers with dynamic public IPs into one central FG.
Aggressive mode
IKEv1 mode for dial-up; sends peer-ID early but is offline-crackable.
Where this gets asked: This is the second technical filter at the enterprise, an Indian IT services firm, an Indian IT services firm, an Indian MSP and an Indian security firm's interviews — and post-2024 every CISO wants to know if you understand the symlink persistence trick. Get Phase 1 vs Phase 2, IKEv1 vs IKEv2, NAT-T, DPD, and the CVE-2024-21762 hardening right and you are past the screen. L3 rounds add the diag debug application ike -1 debug + an FG-IR-24-015 audit story.

What's next?

Blog 3 opens FortiGate HA — Active-Passive vs Active-Active, FGCP heartbeat, session sync, the override gotcha that flips your primary unit at the wrong moment.

Blog 3 · FortiGate HA (FGCP) → ← All Fortinet lessons

📚 Sources

  1. Fortinet PSIRT — FG-IR-24-015 — Out-of-bounds Write in sslvpnd (CVE-2024-21762). fortiguard.fortinet.com/psirt/FG-IR-24-015
  2. Tenable Research Blog — CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bounds Write Vulnerability. tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bounds-write-vulnerability
  3. The Hacker News — Fortinet Warns of New CVE-2024-21762 SSL VPN Zero-Day Exploited in the Wild. thehackernews.com
  4. Help Net Security — CVE-2024-55591: Critical FortiOS Auth Bypass Exploited Since November. helpnetsecurity.com
  5. Arctic Wolf Labs — CVE-2024-55591 FortiGate Auth Bypass Threat Activity Timeline. arcticwolf.com/resources/blog
  6. Rapid7 — Fortinet FortiOS CVE-2024-21762 Exploitation Detection Logic. rapid7.com/blog
  7. Fortinet Docs — IPsec VPN — Phase 1 + Phase 2 Configuration (FortiOS 7.4 / 7.6 Administration Guide). docs.fortinet.com
  8. Fortinet Docs — SSL VPN tunnel mode + portal mode + DTLS. docs.fortinet.com
  9. Fortinet Community — Troubleshooting Tip: IPsec Phase 1 + Phase 2 debug recipe. community.fortinet.com