Handbook

6.0.0

Secure Internet browsing

This example sets up an SSL VPN tunnel that lets remote users browse the Internet while traveling, with all of their Internet traffic routed through the corporate FortiGate unit. Because the tunnel carries all of the remote computer's traffic (split tunneling is disabled), the FortiGate can apply its firewall policy and security profiles to the remote user's browsing exactly as it does for users in the office; that filtering, not the encryption of the tunnel, is what protects the user from malware and other Internet threats, and traffic that bypasses the tunnel gets none of it. Essentially, the remote user connects to the corporate FortiGate unit and surfs the Internet through it.

Using SSL VPN on the FortiGate and the FortiClient SSL VPN software on the remote computer, you create a means to use the corporate FortiGate to browse the Internet safely.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Make sure Tunnel Mode is enabled, and disable Split Tunneling. With split tunneling disabled, the client sends all of its traffic, Internet traffic included, through the tunnel; with it enabled, only traffic for the configured corporate networks would use the tunnel and Internet browsing would bypass the FortiGate entirely.
  3. For Source IP Pools select SSLVPN_TUNNEL_ADDR1. This is the default address pool (10.212.134.200-10.212.134.210) from which connecting tunnel clients receive their addresses.
  4. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group configured for SSL VPN use.

  1. Go to User & Device > User Definition and select Create New to add the user:

    User Name

    twhite

    Password

    password

    Note: password is a placeholder for this example. Use a strong password and, where possible, two-factor authentication (for example a FortiToken assigned to the user) for any account that can reach the Internet through the corporate firewall.

  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add twhite to a group called SSL VPN:

    Name

    SSL VPN

    Type

    Firewall

  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route so that traffic destined for the tunnel users' addresses is returned through the SSL VPN tunnel interface, ssl.root.

  1. Go to Network > Static Routes and select Create New to add the static route.
  2. Destination IP/Mask

    10.212.134.0/255.255.255.0

    Device

    ssl.root

    Note: The Destination IP/Mask covers the addresses that remote SSL VPN users receive from the SSLVPN_TUNNEL_ADDR1 pool (10.212.134.200-10.212.134.210 by default). If you use a different pool, change the route to match.
  3. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit and go out to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Add an SSL VPN security policy as below:

    Incoming Interface

    ssl.root

    Outgoing Interface

    internal

    Source Address

    all

    Source User Group

    SSL VPN

    Destination

    all

    Note: The outgoing interface must be the FortiGate interface that connects to the Internet. On a FortiGate whose Internet-facing interface is named wan1 rather than internal, select wan1; a policy whose outgoing interface is an internal network gives remote users access to that network but not to the Internet. Enable NAT, so that traffic from the tunnel addresses (10.212.134.0/24) leaves with the FortiGate's public address, and apply the security profiles (for example AntiVirus and Web Filter) that perform the filtering this example is about. Without security profiles the policy merely forwards the traffic; the SSL VPN encryption by itself does nothing to stop malware.

  3. Select OK.

Configuring authentication rules

Map the SSL VPN user group to the tunnel-access portal, so that members of the group receive the full-tunnel portal when they log in.

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user's group:

    Users/Groups

    SSL VPN (the group created above)

    Portal

    tunnel-access

  3. Select OK and Apply.

Results

Using the FortiClient SSLVPN application, connect to https://172.20.120.136:443/ (the FortiGate's Internet-facing address and the port set under VPN > SSL-VPN Settings) and log in as twhite. Once connected, you can browse the Internet; because split tunneling is disabled, all of the browsing traffic passes through the FortiGate and the security policy applied to it. FortiClient warns when the FortiGate presents a server certificate the client does not trust; in production, configure a server certificate signed by a CA your clients trust rather than teaching users to click through the warning.

From the FortiGate GUI, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry shows the user's tunnel-mode session and the tunnel address assigned from the IP pool; with split tunneling disabled, this is the session that carries all of the user's Internet traffic.
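CLI commands to confirm that the tunnel is actually carrying the user's Internet traffic, as an added example, not from the original page. They are standard FortiOS 6.0 diagnostics; the port filter and packet count in the sniffer command are choices for this example.

```text
# Connected SSL VPN users, with the tunnel address each received from the pool
get vpn ssl monitor

# The static route for the pool (10.212.134.0/24) must point at ssl.root
get router info routing-table static

# While the connected user browses, their web traffic must appear on the tunnel
# interface; if it does not, the client is not sending Internet traffic through
# the tunnel (verbose level 4 prints interface names; stop after 10 packets)
diagnose sniffer packet ssl.root 'tcp port 80 or tcp port 443' 4 10
```

If the sniffer on ssl.root shows nothing while the user browses, check that split tunneling is disabled on the tunnel-access portal and that the authentication rule maps the user's group to that portal rather than to a split-tunnel one.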
