Administration Guide

Using SSL VPN interfaces in zones

SSL VPN interfaces can be used in zones, simplifying firewall policy configuration in some scenarios.

Example

In this example, a zone is created that includes a physical interface (port4) and an SSL VPN interface. The zone is used as the source interface in a firewall policy. PC1 is used for regular access with a firewall policy, and PC2 uses the SSL VPN for access.

To create a zone that includes the port4 and ssl.root interfaces in the GUI:
  1. Go to Network > Interfaces and click Create New > Zone.

  2. Set the name of the zone, such as zone_sslvpn_and_port4.

  3. Add port4 and ssl.root to the Interface members.

  4. Click OK.

To configure SSL VPN settings in the GUI:
  1. Go to VPN > SSL-VPN Settings.

  2. Set Listen on Interface(s) to port2.

  3. Set Listen on Port to 1443.

  4. Select a Server Certificate (fgt_gui_automation is used in this example).

  5. Configure the remaining settings as required.

  6. Click Apply.

To configure a firewall policy with the zone as the source interface in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set the policy name, such as policy_to_sslvpn_tunnel.

  3. Set Incoming Interface to zone_sslvpn_and_port4.

  4. Set Outgoing Interface to port1.

  5. Configure the remaining settings as required.

  6. Click OK.

To configure the zone, SSL VPN, and policy in the CLI:
  1. Create a zone that includes the port4 and ssl.root interfaces:

    config system zone
        edit "zone_sslvpn_and_port4"
            set interface "port4" "ssl.root"
        next
    end

  2. Configure SSL VPN settings with port2 as the source interface:

    config vpn ssl settings
        set servercert "fgt_gui_automation"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-server1 8.8.8.8
        set dns-server2 8.8.4.4
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "web-access"
    end

  3. Configure a firewall policy with the zone as the source interface:

    config firewall policy
        edit 2
            set name "policy_to_sslvpn_tunnel"
            set srcintf "zone_sslvpn_and_port4"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set users "u1"
        next
    end

To test the configuration:
  1. On PC1, open a browser and try to access the server at 172.16.200.44.

    You are redirected to the authentication page.

  2. Enter the Username and Password, then click Continue.

    You are redirected back to the server.

  3. On PC2, access the SSL VPN web portal.

  4. Enter the Username and Password, then click Login.

  5. Access the server using the bookmark.
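The CLI blocks above are easy to mis-type, and the point of the example (a single zone that mixes a physical interface with ssl.root, fronted by a policy that authenticates users) is easy to undo with a later policy edit. The script below is an added example, not Fortinet code or part of this guide: it parses FortiOS-style config/edit/set/next/end text into dictionaries and audits it for three things a reviewer would look for. First, a policy that names an interface directly while that interface is a zone member (FortiOS requires zone members to be referenced through the zone). Second, an accept policy from a zone that contains ssl.root but has no users or groups, which would let hosts on the zone's physical members through without the authentication that PC1 sees in the test steps. Third, such a policy that does not log all traffic. The input is constructed from the page's own blocks (trimmed), plus two hypothetical policies, 3 and 4, added purely to trigger the checks; the policy names and the Fortinet_Factory certificate check are assumptions of this example.

```python
import shlex
from typing import Dict, List

# Constructed input: the page's zone, SSL VPN and policy blocks (trimmed), plus two
# hypothetical policies (3 and 4) added here only to exercise the audit checks.
SAMPLE_CONFIG = """
config system zone
    edit "zone_sslvpn_and_port4"
        set interface "port4" "ssl.root"
    next
end
config vpn ssl settings
    set servercert "fgt_gui_automation"
    set port 1443
    set source-interface "port2"
    set default-portal "web-access"
end
config firewall policy
    edit 2
        set name "policy_to_sslvpn_tunnel"
        set srcintf "zone_sslvpn_and_port4"
        set dstintf "port1"
        set action accept
        set logtraffic all
        set users "u1"
    next
    edit 3
        set name "hypothetical_no_auth"
        set srcintf "zone_sslvpn_and_port4"
        set dstintf "port1"
        set action accept
    next
    edit 4
        set name "hypothetical_direct_member"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
    next
end
"""


def parse_fortios_cli(text: str) -> Dict[str, dict]:
    """Turn config/edit/set/next/end lines into nested dicts.

    Tables become {section: {entry: {key: [values]}}}; sections without
    'edit' entries (e.g. 'vpn ssl settings') become {section: {key: [values]}}.
    """
    root: Dict[str, dict] = {}
    stack: List[dict] = [root]  # innermost open block is stack[-1]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double quotes FortiOS uses
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = stack[-1].setdefault(" ".join(args), {})
            stack.append(section)
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit(cfg: Dict[str, dict]) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    zones = cfg.get("system zone", {})
    policies = cfg.get("firewall policy", {})
    ssl = cfg.get("vpn ssl settings", {})

    member_of = {iface: zone for zone, body in zones.items()
                 for iface in body.get("interface", [])}
    ssl_zones = {zone for zone, body in zones.items()
                 if "ssl.root" in body.get("interface", [])}

    # Assumption: Fortinet_Factory is the built-in certificate shipped on the unit.
    if ssl.get("servercert", ["Fortinet_Factory"])[0] == "Fortinet_Factory":
        findings.append("SSL VPN listens with the built-in Fortinet_Factory certificate")

    for pid, pol in policies.items():
        name = pol.get("name", [pid])[0]
        for iface in pol.get("srcintf", []) + pol.get("dstintf", []):
            if iface in member_of:
                findings.append(f"policy {name}: references {iface} directly, "
                                f"but it is a member of zone {member_of[iface]}")
        from_ssl_zone = [z for z in pol.get("srcintf", []) if z in ssl_zones]
        if from_ssl_zone and pol.get("action", ["deny"])[0] == "accept":
            if not (pol.get("users") or pol.get("groups")):
                findings.append(f"policy {name}: accepts traffic from {from_ssl_zone[0]} "
                                "with no users/groups, so hosts on the zone's physical "
                                "members are never authenticated")
            if pol.get("logtraffic", ["utm"])[0] != "all":  # FortiOS default is utm
                findings.append(f"policy {name}: logtraffic is not 'all'")
    return findings


if __name__ == "__main__":
    for line in audit(parse_fortios_cli(SAMPLE_CONFIG)):
        print(line)
```

On the constructed input, policy 2 (the page's policy) produces no findings; policy 3 is flagged for missing users/groups and for not logging all traffic, and policy 4 for naming ssl.root directly while it is a zone member. Feed the script the output of `show system zone`, `show vpn ssl settings` and `show firewall policy` to run the same checks against a live configuration.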