FortiGate SSL VPN configurations

Configure SSL VPN portals and settings for Finance and Sales users to have remote network access. Firewall policies also need to be put into place for access control.

To configure SSL VPN portals for Finance and Sales users:
  1. Go to VPN > SSL-VPN Portals and click Create New.
  2. To create a profile named Finance-portal:
    1. In Name, enter Finance-portal.
    2. Enable Tunnel Mode with split tunneling set to Enabled Based on Policy Destination.
    3. Set Source IP Pools to a desired pool.
    4. Enable Web Mode and in Portal Message, enter Finance SSL-VPN Portal.
    5. In Predefined Bookmarks, select Create New to create a new bookmark called Finance Server. In our example, a Finance server is available on https://10.88.0.5:9443.
    6. Click OK.

  3. To create a profile named Sales-portal:
    1. In Name, enter Sales-portal.
    2. Enable Tunnel Mode with split tunneling set to Enabled Based on Policy Destination.
    3. Set Source IP Pools to a desired pool.
    4. Enable Web Mode and in Portal Message, enter Sales SSL-VPN Portal.
    5. In Predefined Bookmarks, create a new bookmark called Sales Server. In our example, a Sales server is available on https://10.88.0.3:9443.
    6. Click OK.

To configure SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings and enable SSL-VPN.
  2. Set Listen on Interface(s) to WAN (port3).
  3. Set Listen on Port to 10443.
  4. Set the Server Certificate to FGT-SSLVPN.
  5. In Authentication/Portal Mapping, configure user groups to portal mappings.
    1. Select Create New and create a new Finance mapping:
      1. Set Users/Groups to Finance.
      2. Set Portal to Finance-portal.
      3. Click OK.
    2. Select Create New and create a new Sales mapping:
      1. Set Users/Groups to Sales.
      2. Set Portal to Sales-portal.
      3. Click OK.
    3. Select Create New and create a new placeholder mapping:
      1. Set Users/Groups to sslvpn_group.
      2. Set Portal to no-access.
      3. Click OK.
    4. For All other Users/Groups, set Portal to no-access.
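
An added example, not Fortinet's code: a Python check that a configuration backup still holds the group-to-portal mapping built in the steps above, including the no-access default. It assumes the backup exposes the mapping as `config vpn ssl settings` with `default-portal` and `authentication-rule` entries; the sample text is constructed.

```python
import re
# Constructed sample in FortiOS CLI style (assumed syntax), mirroring the GUI steps above.
SAMPLE = '''
config vpn ssl settings
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "Finance"
            set portal "Finance-portal"
        next
        edit 2
            set groups "Sales"
            set portal "Sales-portal"
        next
        edit 3
            set groups "sslvpn_group"
            set portal "no-access"
        next
    end
end
'''
# Intended group -> portal mapping, taken from the procedure on this page.
EXPECTED = {"Finance": "Finance-portal", "Sales": "Sales-portal", "sslvpn_group": "no-access"}

def parse_mappings(text):
    """Return (default_portal, {group: portal}) from a 'vpn ssl settings' block."""
    default, rules, cur = None, {}, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["edit"]:
            cur = {}                      # start of one authentication rule
        elif tok[:1] == ["next"] and cur is not None:
            for g in cur.get("groups", []):
                rules[g] = cur.get("portal", [None])[0]
            cur = None
        elif tok[:1] == ["set"] and len(tok) >= 3:
            if cur is not None:
                cur[tok[1]] = tok[2:]     # a rule may list several groups
            elif tok[1] == "default-portal":
                default = tok[2]
    return default, rules

def audit(text, expected=EXPECTED):
    """List deviations from the intended mapping; an empty list means it matches."""
    default, rules = parse_mappings(text)
    out = [] if default == "no-access" else [f"default portal is {default!r}, expected 'no-access'"]
    out += [f"group {g!r} maps to unexpected portal {p!r}"
            for g, p in sorted(rules.items()) if expected.get(g) != p]
    return out + [f"group {g!r} has no mapping" for g in expected if g not in rules]
```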

To configure firewall policies for access control:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Create a policy named SSLVPN-Finance.
    1. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
    2. Set Outgoing Interface to port2.
    3. Set Source to all and User to Finance.
    4. Set Destination to the Finance address object. If needed, create this object with the IP address 10.88.0.5/32.
    5. Set Service to ALL.
    6. Configure other settings as needed.
    7. Click OK.

  3. Create a policy named SSLVPN-Sales.
    1. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
    2. Set Outgoing Interface to port2.
    3. Set Source to all and User to Sales.
    4. Set Destination to the Webserver1 address object. If needed, create this object with the IP address of 10.88.0.3/32.
    5. Set Service to ALL.
    6. Configure other settings as needed.
    7. Click OK.

  4. Create a placeholder policy named SSLVPN-placeholder.
    1. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
    2. Set Outgoing Interface to port1.
    3. Set Source to all and User to sslvpn_group.
    4. Set Destination to none.
    5. Set Service to ALL_ICMP.
    6. Click OK.
