Use SSL VPN interfaces in zones
SSL VPN interfaces can be used in zones, simplifying firewall policy configuration in some scenarios.
Example
In this example, a zone is created that includes a physical interface (port4) and an SSL VPN interface. The zone is used as the source interface in a firewall policy. PC1 is used for regular access with a firewall policy, and PC2 uses the SSL VPN for access.
To create a zone that includes the port4 and ssl.root interfaces in the GUI:
- Go to Network > Interfaces and click Create New > Zone.
- Set the name of the zone, such as zone_sslvpn_and_port4.
- Add port4 and ssl.root to the Interface members.
- Click OK.
To configure SSL VPN settings in the GUI:
- Go to VPN > SSL-VPN Settings.
- Set Listen on Interface(s) to port2.
- Set Listen on Port to 1443.
- Configure the remaining settings as required.
- Click Apply.
To configure a firewall policy with the zone as the source interface in the GUI:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Set the policy name, such as policy_to_sslvpn_tunnel.
- Set Incoming Interface to zone_sslvpn_and_port4.
- Set Outgoing Interface to port1.
- Configure the remaining settings as required.
- Click OK.
To configure the zone, SSL VPN, and policy in the CLI:
- Create a zone that includes the port4 and ssl.root interfaces:

    config system zone
        edit "zone_sslvpn_and_port4"
            set interface "port4" "ssl.root"
        next
    end

- Configure SSL VPN settings with port2 as the source interface:

    config vpn ssl settings
        set servercert "fgt_gui_automation"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-server1 8.8.8.8
        set dns-server2 8.8.4.4
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "web-access"
    end

- Configure a firewall policy with the zone as the source interface:

    config firewall policy
        edit 2
            set name "policy_to_sslvpn_tunnel"
            set srcintf "zone_sslvpn_and_port4"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set users "u1"
        next
    end
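Once ssl.root is a zone member, policies reference the zone rather than the interface, so a policy review has to resolve zone membership to see which policies govern SSL VPN traffic. The following Python script is an added example, not Fortinet code: it parses the CLI configuration above (embedded as a constructed sample) and answers that question. The names parse_fortios, zone_members and policies_covering are assumed helper names.

```python
import shlex

# Constructed sample: the zone and policy CLI from this page, as a backup would show it.
SAMPLE_CONFIG = """
config system zone
    edit "zone_sslvpn_and_port4"
        set interface "port4" "ssl.root"
    next
end
config firewall policy
    edit 2
        set srcintf "zone_sslvpn_and_port4"
        set dstintf "port1"
        set action accept
        set users "u1"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI into {section: {entry_id: {key: [values]}}}."""
    tree, stack = {}, []  # stack holds [section_name, current_entry_id]
    for raw in text.splitlines():
        words = shlex.split(raw)  # honours the double-quoted values
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":  # sections without 'edit' use entry id ''
            section = " ".join(args)
            tree.setdefault(section, {})
            stack.append([section, ""])
        elif cmd == "edit":
            stack[-1][1] = args[0]
        elif cmd == "set":
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return tree

def zone_members(tree):
    """Map zone name -> set of member interface names."""
    return {n: set(b.get("interface", [])) for n, b in tree.get("system zone", {}).items()}

def policies_covering(tree, iface):
    """Policy IDs whose srcintf is `iface` itself or a zone that contains it."""
    zones = zone_members(tree)
    return sorted(pid for pid, b in tree.get("firewall policy", {}).items()
                  if any(s == iface or iface in zones.get(s, set())
                         for s in b.get("srcintf", [])))
```

Running policies_covering(tree, "ssl.root") on the sample returns ["2"], the policy that binds SSL VPN traffic to user u1; the same call for an interface outside the zone, such as port2, returns an empty list.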
To test the configuration:
- On PC1, open a browser and try to access the server at 172.16.200.44. You are redirected to the authentication page.
- Enter the Username and Password, then click Continue. You are redirected back to the server.
- On PC2, access the SSL VPN web portal.
- Enter the Username and Password, then click Login.
- Access the server using the bookmark.