Configuring a FortiGate SSL VPN
Configuring firewall policies
FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718
47
3. From the Type list, select Subnet/IP Range.
4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). If the remote client's IP address is unknown, use the address "all" (0.0.0.0/0.0.0.0), which matches any source address; the SSL VPN policy still requires the remote user to authenticate, but narrow the source range whenever the client addresses are known.
   Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like 172.16.10.[4-5].
5. In the Interface field, select the FortiGate interface on which the policy will match this address. For the remote user's address, that is the interface that accepts SSL VPN connections (for example, external). The Interface setting restricts where the address can be used: only addresses bound to the policy's source interface (or to Any) appear in the policy's Source Address Name list, so an address bound to the wrong interface will not be selectable. If you are unsure, select Any.
6. Select OK.
To specify the destination IP address
1. Go to Firewall > Address and select Create New.
2. In the Address Name field, type a name that represents the local network, server(s), or host(s) to which IP packets may be delivered (for example, Subnet_2).
3. In the Subnet/IP Range field, type the corresponding IP address (for example, 192.168.22.0/24 for a subnet, or 192.168.22.2/32 for a server or host), or an IP address range (192.168.22.[10-25]).
4. In the Interface field, select the interface to the local private network, which is the interface the policy will use as its destination interface (for example, internal). As with the source address, the address is only selectable in policies whose destination interface matches this binding.
5. Select OK.
To define the firewall policy for tunnel-mode operations
1. Go to Firewall > Policy and select Create New.
2. Enter these settings:
   Source Interface/Zone: Select the FortiGate interface that accepts connections from remote users (for example, external).
   Source Address Name: Select the name that corresponds to the IP address of the remote user.
   Destination Interface/Zone: Select the FortiGate interface to the local private network (for example, internal).
   Destination Address Name: Select the IP destination address that you defined previously for the host(s), server(s), or network behind the FortiGate unit (for example, Subnet_2).
   Service: Select ANY. ANY permits every protocol and port to the destination; once the tunnel is working, narrow the service to what remote users actually need.
   Action: Select SSL-VPN.
   SSL Client Certificate Restrictive: Select to allow traffic generated by holders of a (shared) group certificate, for example, a user group containing PKI peers/users. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
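The same address objects and tunnel-mode policy entered from the FortiOS CLI instead of the web-based manager, as an added example that is not part of the original guide. It assumes the interface names external and internal and the destination object name Subnet_2 used on this page; the source object name Remote_client, the SSL VPN user group SSL_VPN_users (the group that would be listed in the Allowed field) and the policy ID 10 are assumptions. The keyword names are as I recall them from the FortiOS 3.0 CLI, so confirm each with the CLI's ? help on your unit before relying on them, and treat the # lines as reader comments rather than CLI input.

```fortios
config firewall address
    # Source address: the remote user. associated-interface binds the object to the
    # interface on which the SSL VPN policy accepts connections, so it is selectable
    # as that policy's source address. Use "all" instead if the client IP is unknown.
    edit "Remote_client"
        set associated-interface "external"
        set type ipmask
        set subnet 172.16.10.0 255.255.255.0
    next
    # Destination: the protected subnet, bound to the internal interface.
    edit "Subnet_2"
        set associated-interface "internal"
        set type ipmask
        set subnet 192.168.22.0 255.255.255.0
    next
    # Destination alternative: a contiguous range, the CLI form of the GUI
    # notation 192.168.22.[10-25]. A single host would be a /32 ipmask object.
    edit "Subnet_2_hosts"
        set associated-interface "internal"
        set type iprange
        set start-ip 192.168.22.10
        set end-ip 192.168.22.25
    next
end

config firewall policy
    # Policy ID 10 is an assumption; the unit allocates IDs as you create policies.
    edit 10
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "Remote_client"
        set dstaddr "Subnet_2"
        set action ssl-vpn
        set schedule "always"
        # ANY matches the guide's example; restrict this once the tunnel works.
        set service "ANY"
        # The "Allowed" field: SSL VPN user group(s) permitted to use this policy.
        set groups "SSL_VPN_users"
        # "SSL Client Certificate Restrictive": require a client certificate.
        set sslvpn-ccert enable
    next
end
```

After entering the configuration, verify the address bindings by opening the policy in the web-based manager: if Remote_client does not appear in the Source Address Name list, its associated-interface does not match srcintf, which is the most common reason an address created for an SSL VPN policy cannot be selected.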