
Handbook

Configuring security policies

6.0.0

Configuring security policies

You will need at least one SSL VPN security policy. This is an identity-based policy that authenticates users and enables them to access the SSL VPN web portal. The SSL VPN user groups named in the policy determine who can authenticate and which web portal they will use. From the web portal, users can access protected resources or download the SSL VPN tunnel client application.

This section contains the procedures needed to configure security policies for web-only mode operation and tunnel-mode operation. These procedures assume that you have already completed the procedures outlined in Configuring security policies.

If you will provide tunnel mode access, you will need a second security policy—an ACCEPT tunnel mode policy to permit traffic to flow between the SSL VPN tunnel and the protected networks.

Firewall addresses

Before you can create security policies, you need to define the firewall addresses you will use in those policies. For both web-only and tunnel mode operation, you need to create firewall addresses for all of the destination networks and servers to which the SSL VPN client will be able to connect.

For tunnel mode, you will already have defined firewall addresses for the IP address ranges that the FortiGate unit will assign to SSL VPN clients.

The source address for your SSL VPN security policies will be the predefined “all” address. Both the address and the netmask are 0.0.0.0. The “all” address is used because VPN clients will be connecting from various addresses, not just one or two known networks. For improved security, if clients will be connecting from one or two known locations you should configure firewall addresses for those locations, instead of using the “all” address.

To create a firewall address, in the GUI, go to Policy & Objects > Addresses, and select Create New.

Create an SSL VPN security policy

At minimum, you need one SSL VPN security policy to authenticate users and provide access to the protected networks. You will need additional security policies only if you have multiple web portals that provide access to different resources. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

The SSL VPN security policy specifies:

  • The incoming interface that corresponds to the ssl.root interface.
  • The SSL VPN user groups that can use the security policy.
  • The times (schedule) and types of services that users can access.
  • The UTM features and logging that are applied to the connection.

Note: Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.

To create an SSL-VPN security policy - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
     Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
     Outgoing Interface: Select the FortiGate network interface that connects to the protected network.
     Source: Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See Configuring security policies.
     Source User Group: SSL VPN
     Destination Address: Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select the plus symbol. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
     Schedule: Select always.
     Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
     Action: Select Accept.

Your identity-based policies are listed in the security policy table. The FortiGate unit searches the table from the top down to find a policy to match the client’s user group. Using the move icon in each row, you can change the order of the policies in the table to ensure the best policy will be matched first. You can also use the icons to edit or delete policies. Furthermore, you can drag and drop policies in the policy list to rearrange their order.

To create an SSL VPN security policy - CLI:

Create the SSL VPN security policy by entering the following CLI commands (ssl.root is the SSL VPN tunnel interface; the policy must also carry an action, schedule and service, which the GUI procedure sets to Accept, always and ALL):

config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf port2
        set srcaddr all
        set dstaddr OfficeLAN
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set groups <name>
    next
end

Create a tunnel mode security policy

If your SSL VPN will provide tunnel mode operation, you need to create a security policy to enable traffic to pass between the SSL VPN virtual interface and the protected networks. This is in addition to the SSL VPN security policy that you created in the preceding section.

The SSL VPN virtual interface is the FortiGate unit end of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your FortiGate unit, the SSL VPN virtual interface is also named ssl.root.

To configure the tunnel mode security policy - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK.
     Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
     Outgoing Interface: Select the FortiGate network interface that connects to the protected network.
     Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
     Source User(s): Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See Configuring security policies.
     Destination Address: Select the firewall address that represents the networks and servers to which the SSL VPN clients will connect. To select multiple firewall addresses or address groups, select the plus sign next to the drop-down list.
     Schedule: Select always.
     Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
     Action: Select Accept.
     NAT: Enable NAT. (Optional)

To configure the tunnel mode security policy - CLI:

Enter the following commands (ssl.root is the SSL VPN tunnel interface):

config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf <dst_interface_name>
        set srcaddr <tunnel_ip_address>
        set dstaddr <protected_network_address_name>
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set groups <name>
    next
end

This policy enables the SSL VPN client to initiate communication with hosts on the protected network. If you want to enable hosts on the protected network to initiate communication with the SSL VPN client, you should create another Accept policy like the preceding one but with the source and destination settings reversed.

You must also add a static route for tunnel mode operation.

Routing for tunnel mode

If your SSL VPN operates in tunnel mode, you must add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route - GUI:
  1. Go to Network > Static Routes and select Create New.
     For low-end FortiGate units, go to System > Network > Routing and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.

To add the tunnel mode route - CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, then enter:

config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end

Split tunnel Internet browsing policy

With split tunneling disabled, all of the SSL VPN client’s requests are sent through the SSL VPN tunnel. But the tunnel mode security policy provides access only to the protected networks behind the FortiGate unit. Clients will receive no response if they attempt to access Internet resources. You can enable clients to connect to the Internet through the FortiGate unit using a split tunnel Internet browsing policy.

To add an Internet browsing policy:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK.
     Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).
     Outgoing Interface: Select the FortiGate network interface that connects to the Internet.
     Source: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
     Source User Group: SSL VPN
     Destination Address: Select All.
     Action: Select Accept.
     NAT: Enable NAT.

To configure the Internet browsing security policy - CLI:

To enable browsing the Internet through port1, enter:

config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set groups <name>
    next
end

Enabling a connection to an IPsec VPN

You might want to provide your SSL VPN clients access to another network, such as a branch office, that is connected by an IPsec VPN. To do this, you need only to add the appropriate security policy.

Route-based connection

To configure interconnection with a route-based IPsec VPN - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK.
     Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).
     Outgoing Interface: Select the virtual IPsec interface for your IPsec VPN.
     Source: Select the firewall address that represents the IP address range assigned to SSL VPN clients.
     Source User Group: SSL VPN
     Destination Address: Select the address of the IPsec VPN remote protected subnet.
     Action: Select ACCEPT.
     Enable NAT: Enable.

To configure interconnection with a route-based IPsec VPN - CLI:

If you want to enable SSL VPN users to connect to the private network (address name OfficeAnet) through the toOfficeA IPsec VPN, then enter:

config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf toOfficeA
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action accept
        set nat enable
        set schedule always
        set service ALL
        set groups <name>
    next
end

Policy-based connection

To configure interconnection with a policy-based IPsec VPN - GUI:
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK.
     Incoming Interface: Select the virtual SSL VPN interface (ssl.root, for example).
     Outgoing Interface: Select the FortiGate network interface that connects to the Internet.
     Source: Select the firewall address that represents the IP address range assigned to SSL VPN clients.
     Source User Group: SSL VPN
     Destination Address: Select the address of the IPsec VPN remote protected subnet.
  3. Configure inbound NAT from the CLI, editing the policy you just created (replace <id> with its policy ID):

    config firewall policy
        edit <id>
            set natinbound enable
            set groups <name>
        next
    end

To configure interconnection with a policy-based IPsec VPN - CLI:

If you want to enable SSL VPN users to connect to the private network (address name OfficeAnet) through the OfficeA IPsec VPN, then enter:

config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr OfficeAnet
        set action ipsec
        set schedule always
        set service ALL
        set inbound enable
        set outbound enable
        set natinbound enable
        set vpntunnel OfficeA
        set groups <name>
    next
end

In this example, port1 is connected to the Internet.
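Several of the rules on this page are easy to get wrong in a large policy table: the “all” source address that should be narrowed when client locations are known (Firewall addresses), the destination address that must not be ALL on the SSL VPN policy (the note above), the user group that makes the policy identity-based, and the static route without which tunnel-mode replies never reach the client (Routing for tunnel mode). The following linter is an added example, not Fortinet code: it parses the config / edit / set / next / end subset of the FortiOS CLI shown on this page and reports those conditions for every policy whose source interface is ssl.<vdom>. The sample configuration is constructed; the address name SSL_contractors, the group name and the policy IDs are assumptions for the sample only.

```python
# Added example (not Fortinet's code): lint a FortiOS CLI dump for the SSL VPN
# policy pitfalls on this page. Sample names/IDs below are constructed.
import ipaddress
from typing import Dict, List, Tuple


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Parse the config/edit/set/next/end subset into {table: {id: {key: [values]}}}."""
    tables: Dict[str, Dict[str, Dict[str, List[str]]]] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            tables[table][entry][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def _network(values):
    """'10.0.0.0 255.255.255.0' or '10.0.0.0/24' -> ip_network; None if absent."""
    try:
        return ipaddress.ip_network("/".join(values), strict=False)
    except ValueError:
        return None


def lint_sslvpn(tables) -> List[Tuple[str, str, str]]:
    """Return (severity, location, message) for every policy sourced from ssl.<vdom>."""
    findings = []
    subnets = {n: _network(a.get("subnet", []))
               for n, a in tables.get("firewall address", {}).items()}
    routed = {(r.get("device", [""])[0], _network(r.get("dst", [])))
              for r in tables.get("router static", {}).values()}
    for pid, p in tables.get("firewall policy", {}).items():
        ssl_ifs = [i for i in p.get("srcintf", []) if i.startswith("ssl.")]
        if not ssl_ifs:
            continue  # not an SSL VPN policy
        where = f"firewall policy {pid}"
        if "all" in p.get("dstaddr", []):
            findings.append(("warn", where, "dstaddr all: valid only for the Internet browsing policy; rejected once split tunneling is enabled"))
        if "all" in p.get("srcaddr", []):
            findings.append(("info", where, "srcaddr all: use an address object if client locations are known"))
        if not p.get("groups"):
            findings.append(("error", where, "identity-based policy has no 'set groups'"))
        for name in p.get("srcaddr", []):
            net = subnets.get(name)  # None for 'all' and for undefined objects
            if net and not any(d in ssl_ifs and n == net for d, n in routed):
                findings.append(("error", where, f"no static route for tunnel range {name} ({net}) via {ssl_ifs[0]}; replies cannot reach clients"))
    return findings


# Constructed sample: policy 1 mirrors the page's web-mode policy; policy 2 is an
# Internet browsing policy whose second tunnel range has no route back.
SAMPLE_CONFIG = """
config firewall address
    edit "SSL_tunnel_users"
        set subnet 10.11.254.0 255.255.255.0
    next
    edit "SSL_contractors"
        set subnet 10.11.255.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "OfficeLAN"
        set groups "SSL_VPN_Users"
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSL_tunnel_users" "SSL_contractors"
        set dstaddr "all"
        set nat enable
    next
end
config router static
    edit 1
        set dst 10.11.254.0/24
        set device "ssl.root"
    next
end
"""

if __name__ == "__main__":
    for severity, where, msg in lint_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print(f"{severity:5} {where}: {msg}")
```

Run it against a `show firewall policy` / `show firewall address` / `show router static` dump concatenated into one file. The dstaddr-all check is deliberately a warning rather than an error, because the Internet browsing policy on this page legitimately uses it; the linter cannot tell the Internet-facing interface from a protected one, so a human decides that case. The route check only fires for source objects whose subnet is defined in the dump, so a policy with a bare “all” source is never reported as unrouted.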
