Administration Guide

Geography-based tunneled internet browsing New

A FortiGate VPN gateway can be configured to route egress traffic to the Internet through a specific interface (port2 or port3) based on the originating geolocation of the ingress client traffic (Canada or US). This can be achieved using FortiClient Secure Internet Access (SIA) configuration together with a policy route to route traffic to the proper egress interface.

Previously, using the supported configuration of Matching IPsec tunnel gateway based on address parameters, IPsec clients with public source IP addresses originating from a specific geolocation (country/region) were matched by specifying the source geography within the IPsec tunnel configuration itself, namely, in the Phase 1 configuration. This meant that for every geolocation to be matched, a new IPsec tunnel, consisting of Phase 1 and Phase 2 settings, needed to be configured.

FortiOS now supports specifying source geography addresses in firewall policies and policy routes on a FortiGate configured for dial-up IPsec remote access. With this enhancement, a single IPsec tunnel can serve every geolocation: client source IP addresses are matched by geolocation through the source geography addresses configured in the firewall policies and policy routes, rather than in the tunnel's Phase 1 configuration.

Example

In this example, the client PC1 behind FGTA with NAT enabled is located in Canada. FGTD is configured as the VPN Gateway with:

  • Firewall source address (geo-CA) configured with CA country

  • VPN IPsec tunnel

  • Firewall policy with geo-CA selected as the source address

This example shows how a firewall policy and policy route involving a dialup IPsec tunnel can both be matched based on the source IP geolocation of incoming dialup clients. FortiOS internally keeps track of the original geolocation of incoming dialup traffic and integrates with firewall policies and with policy routing.

To configure FGTD:

  1. On FGTD, configure a firewall address with a geolocation country/region:

    config firewall address
        edit "geo-CA"
            set uuid 3c2d2398-9d91-51f0-4c8d-58f43ee65c8a
            set type geography
            set country "CA"
        next
    end
  2. Configure an IPsec VPN tunnel:

    config vpn ipsec phase1-interface
        edit "Dialup"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dhgrp 20 21
            set wizard-type dialup-fortigate
            set transport auto
            set psksecret ENC *
        next
    end
    config vpn ipsec phase2-interface
        edit "Dialup"
            set phase1name "Dialup"
            set proposal aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 20 21
        next
    end
  3. Configure a firewall policy and select geo-CA as the source address:

    config firewall policy
        edit 1
            set name "vpn_Dialup_local"
            set uuid 9378cc0e-9d8e-51f0-4e0d-a90274db10fb
            set srcintf "port1"
            set dstintf "Dialup"
            set action accept
            set srcaddr "Dialup_local"
            set dstaddr "Dialup_remote"
            set schedule "always"
            set service "ALL"
            set comments "VPN: Dialup -- Created by VPN wizard"
        next
        edit 2
            set name "vpn_Dialup_remote"
            set uuid 937abc9e-9d8e-51f0-c288-04ad4bb6f72f
            set srcintf "Dialup"
            set dstintf "port1"
            set action accept
            set srcaddr "geo-CA"
            set dstaddr "192.168.5.0"
            set schedule "always"
            set service "ALL"
            set comments "VPN: Dialup -- Created by VPN wizard"
        next
    end
  4. Configure a policy route to ensure client traffic from Canada is routed out of port2:

    config router policy
        edit 1
            set input-device "Dialup"
            set srcaddr "geo-CA"
            set dstaddr "all"
            set gateway 198.51.100.2
            set output-device "port2"
        next
    end
  5. Verify using the VPN IKE gateway list and the VPN tunnel list:

    • VPN IKE gateway list:

      # diagnose vpn ike gateway list 
      
      vd: root/0
      name: Dialup_0
      version: 2
      interface: port13 19
      addr: 198.51.100.1:500 -> 192.0.2.1:500
      tun_id: 192.0.2.1/::10.0.0.7
      remote_location: 0.0.0.0
      network-id: 0
      transport: UDP
      created: 263s ago
      peer-id: 192.0.2.1
      peer-id-auth: no
      pending-queue: 0
      PPK: no
      IKE SA: created 1/1  established 1/1  time 10/10/10 ms
      IPsec SA: created 1/2  established 1/2  time 0/0/0 ms
      
        id/spi: 5 7608e6dac7750e94/564ba227bdbd6dee
        direction: responder
        status: established 263-263s ago = 10ms
        proposal: aes128-sha256
        child: no
        SK_ei: 933120ad1055a39a-1c27f7ed4dfb258a
        SK_er: 32520d03666c4cbe-b79c65eff6b69c12
        SK_ai: 37da2c44ddb06cef-ab93d092d0c3ef7b-a182b40e35c98c60-2a6937a90a089707
        SK_ar: 4afc71586c84b9bd-e7e6a247bde21748-072dbdeb992b005c-c8466694bd177444
        PPK: no
        message-id sent/recv: 0/11
        QKD: no
        PQC-KEM (IKE): no
        PQC-KEM (all IPsec): no
        lifetime/rekey: 86400/85866
        DPD sent/recv: 00000000/00000000
        peer-id: 192.0.2.1
    • VPN tunnel list:

      # diagnose vpn tunnel list 
      list all ipsec tunnel in vd 0
      ------------------------------------------------------
      name=Dialup_0 ver=2 serial=7 198.51.100.1:0->192.0.2.1:0 nexthop=198.51.100.2 tun_id=192.0.2.1 tun_id6=::10.0.0.7 status=up dst_mtu=1500 weight=1 country=CA
      bound_if=19 real_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none options[0x22a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
      
      parent=Dialup index=0
      proxyid_num=1 child_num=0 refcnt=5 ilast=105 olast=106 ad=/0
      stat: rxp=159 txp=4 rxb=24588 txb=336
      dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      fec: egress=0 ingress=0 
      proxyid=Dialup proto=0 sa=1 ref=2 serial=2 add-route
        src: 0:192.168.5.0-192.168.5.255:0
        dst: 0:10.1.100.0-10.1.100.255:0
        SA:  ref=6 options=6a6 type=00 soft=0 mtu=1438 expire=43075/0B replaywin=2048
             seqno=405 esn=0 replaywin_lastseq=00000013 qat=0 rekey=0 hash_search_len=1
        life: type=01 bytes=0/0 timeout=43186/43200
        dec: spi=9dc42e9e esp=aes key=16 e3c82f72ce497d27736b120cda74f23a
             ah=sha256 key=32 b9702181e33b8b4986b4d3b847bfe0307231ee423dc8651085dcfe58d88771c8
        enc: spi=c8e99d60 esp=aes key=16 c40474714b560d0855653089b4cea604
             ah=sha256 key=32 45bf85337226f86b9a7774657170b206db1df5b40a9eb31a3ec2bb79949c9b32
        dec:pkts/bytes=2/168, enc:pkts/bytes=4/624
        npu_flag=03 npu_rgwy=192.0.2.1:0 npu_lgwy=198.51.100.1:0npu_selid=8
        dec_npuid=1 enc_npuid=1 dec_engid=-1 enc_engid=-1 dec_saidx=11 enc_saidx=8
      ------------------------------------------------------
      name=Dialup ver=2 serial=1 198.51.100.1:0->0.0.0.0:0 nexthop=198.51.100.2 tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
      bound_if=19 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none options[0x228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
      
      proxyid_num=0 child_num=1 refcnt=3 ilast=42952401 olast=42952401 ad=/0
      stat: rxp=734 txp=114 rxb=113640 txb=9576
      dpd: mode=on-demand on=0 status=ok idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      fec: egress=0 ingress=0
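
The verification step above leaves it to the reader to spot the country=CA field on the per-client tunnel instance and to reason out which policy route will apply. The following Python example, added here and not part of the Fortinet guide, parses the diagnose vpn tunnel list output into one record per tunnel, separates the per-client dial-up instances (mode=dial_inst) from the parent dial-up template (mode=dialup), and evaluates a model of the page's policy route (input-device Dialup, srcaddr geo-CA, output-device port2) against each instance's recorded country to derive the egress interface its Internet traffic should take. The sample output is a constructed abridgement of the output shown in step 5, the route and geography-address tables are transcribed from steps 1 and 4, and all function names are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the record header lines of the "diagnose vpn tunnel list"
# output from the verification step (per-SA detail lines omitted).
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dialup_0 ver=2 serial=7 198.51.100.1:0->192.0.2.1:0 nexthop=198.51.100.2 tun_id=192.0.2.1 tun_id6=::10.0.0.7 status=up dst_mtu=1500 weight=1 country=CA
bound_if=19 real_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none options[0x22a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

parent=Dialup index=0
------------------------------------------------------
name=Dialup ver=2 serial=1 198.51.100.1:0->0.0.0.0:0 nexthop=198.51.100.2 tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
bound_if=19 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none options[0x228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
"""

# Transcribed from "config firewall address" (step 1): geography address -> country code.
GEO_ADDRESSES: Dict[str, str] = {"geo-CA": "CA"}

# Transcribed from "config router policy" (step 4), in sequence order.
# A srcaddr of "all" matches any client; a geography address matches by country.
POLICY_ROUTES = [
    {"id": 1, "input_device": "Dialup", "srcaddr": "geo-CA", "output_device": "port2"},
]

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_tunnel_list(text: str) -> List[Dict[str, str]]:
    """Split the output into records, one per 'name=' line, collecting the
    key=value pairs from the name, bound_if and parent lines of each record."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            current = {}
            records.append(current)
        if current is None:
            continue
        if line.startswith(("name=", "bound_if=", "parent=")):
            for key, value in KV_RE.findall(line):
                current[key] = value
    return records


def dialup_instances(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Per-client instances carry mode=dial_inst; the parent template (mode=dialup)
    has no client and therefore no country field."""
    return [r for r in records if r.get("mode", "").startswith("dial_inst")]


def expected_egress(instance: Dict[str, str],
                    routes=POLICY_ROUTES, geo=GEO_ADDRESSES) -> Optional[str]:
    """Evaluate policy routes in order for one dial-up instance. The first route whose
    input device is the instance's parent tunnel and whose source address matches the
    recorded country wins; None means no policy route matched, so the regular routing
    table decides."""
    parent = instance.get("parent", instance["name"].rsplit("_", 1)[0])
    country = instance.get("country")
    for route in routes:
        if route["input_device"] != parent:
            continue
        src = route["srcaddr"]
        if src == "all" or (src in geo and geo[src] == country):
            return route["output_device"]
    return None


def verify(text: str) -> Dict[str, Optional[str]]:
    """Map each dial-up instance name to the egress interface its traffic should take."""
    return {inst["name"]: expected_egress(inst)
            for inst in dialup_instances(parse_tunnel_list(text))}


if __name__ == "__main__":
    for name, egress in verify(SAMPLE_TUNNEL_LIST).items():
        print(f"{name}: egress via {egress or 'routing table'}")
```

The check relies on a detail visible in the step 5 output: the country= field is present only on the per-client record (Dialup_0, mode=dial_inst), not on the parent template record (Dialup, mode=dialup), which is why the script evaluates routes against instances only. A client whose recorded country is not covered by any geography address in a policy route yields None, meaning its traffic follows the normal routing table rather than port2.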
