
Fortinet FortiOS v3.0 MR7 SSL VPN User Guide, page 44 (01-30007-0348-20080718): Configuring firewall addresses, Configuring web-only firewall policies

Configuring firewall policies

Configuring a FortiGate SSL VPN

specifying the level of SSL encryption to use and the authentication method

binding the user group to the firewall policy

The following topics are included in this section:

Configuring firewall addresses

Configuring tunnel-mode firewall policies

Configuring SSL VPN event-logging

Monitoring active SSL VPN sessions

Configuring firewall addresses

Configuring the firewall addresses for web-only and tunnel mode connections
involves specifying the IP source/host and destination addresses:

Web-only mode:

For the source address, select the predefined address “all” in the firewall
encryption policy to refer to web-only mode clients.

The destination address corresponds to the IP address or addresses that
remote clients need to access. The destination address may correspond to
an entire private network (behind the FortiGate unit), a range of private IP
addresses, or the private IP address of a server or host.

Tunnel mode:

The source address corresponds to the public IP address that can be
connected to the FortiGate unit. This address is used to restrict who can
access the FortiGate unit.

The destination address corresponds to the IP address or addresses that
remote clients need to access. The destination address may correspond to
an entire private network (behind the FortiGate unit), a range of private IP
addresses, or the private IP address of a server or host.

Configuring web-only firewall policies

To specify the destination IP address

1. Go to Firewall > Address and select Create New.

2. In the Address Name field, type a name that represents the local network,
server(s), or host(s) to which IP packets may be delivered (for example,
Subnet_1).

3. From the Type list, select Subnet/IP Range.

4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask
(for example, 172.16.10.0/24).

Note: In tunnel mode, it is necessary to create a DENY firewall policy that immediately
follows the SSL VPN policy. If this policy is not created, SSL VPN tunnels will use other
ACCEPT firewall policies. See the order of the Firewall policies below:
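The fall-through behaviour the note warns about follows from first-match policy evaluation: an SSL VPN tunnel packet whose destination is outside the SSL VPN policy's destination address does not match that policy, so evaluation continues to the next one. The Python model below is an added illustration and is not part of the guide or of FortiOS itself. It uses the guide's Subnet_1 (172.16.10.0/24) and the predefined "all" address; the tunnel IP range, the client address and the two policy orderings are constructed values, and the simple source/destination matching is a modelling assumption that ignores interfaces, services and schedules.

```python
"""Added illustration: a simplified first-match model of the firewall policy
ordering described in the note (not FortiOS code; modelling assumptions are
marked as such)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Address:
    """A firewall address of type Subnet/IP Range (Firewall > Address)."""
    name: str
    subnet: str  # CIDR notation, e.g. "172.16.10.0/24"

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.subnet, strict=False)


@dataclass(frozen=True)
class Policy:
    seq: int        # position in the policy list; lower numbers are evaluated first
    src: Address
    dst: Address
    action: str     # "SSL-VPN", "ACCEPT" or "DENY"


def first_match(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the first policy (by sequence) whose source and destination
    addresses both contain the packet; None if nothing matches (implicit deny).
    Assumption: only source/destination addresses are matched."""
    for p in sorted(policies, key=lambda p: p.seq):
        if p.src.contains(src_ip) and p.dst.contains(dst_ip):
            return p
    return None


def action_for(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    p = first_match(policies, src_ip, dst_ip)
    return p.action if p else "IMPLICIT-DENY"


def deny_follows_ssl_vpn(policies: List[Policy]) -> bool:
    """Configuration check for the note's requirement: every SSL-VPN policy is
    immediately followed by a DENY policy."""
    ordered = sorted(policies, key=lambda p: p.seq)
    for i, p in enumerate(ordered):
        if p.action == "SSL-VPN":
            if i + 1 >= len(ordered) or ordered[i + 1].action != "DENY":
                return False
    return True


# Addresses: "all" is predefined; Subnet_1 is the guide's example; the tunnel
# range is a constructed value standing in for the SSL VPN tunnel IP pool.
ALL = Address("all", "0.0.0.0/0")
SUBNET_1 = Address("Subnet_1", "172.16.10.0/24")
TUNNEL_RANGE = Address("SSLVPN_tunnel_range", "10.254.254.0/24")  # constructed

# Constructed ordering WITHOUT the DENY: a broad ACCEPT sits right after the
# SSL VPN policy, so tunnel traffic that misses Subnet_1 is accepted by it.
WITHOUT_DENY = [
    Policy(1, ALL, SUBNET_1, "SSL-VPN"),
    Policy(2, ALL, ALL, "ACCEPT"),
]

# Constructed ordering WITH the DENY the note calls for, placed immediately
# after the SSL VPN policy and scoped to the tunnel clients.
WITH_DENY = [
    Policy(1, ALL, SUBNET_1, "SSL-VPN"),
    Policy(2, TUNNEL_RANGE, ALL, "DENY"),
    Policy(3, ALL, ALL, "ACCEPT"),
]


if __name__ == "__main__":
    client = "10.254.254.10"   # constructed tunnel-client address
    # Destination inside Subnet_1: the SSL VPN policy matches in both orderings.
    print(action_for(WITHOUT_DENY, client, "172.16.10.25"))   # SSL-VPN
    print(action_for(WITH_DENY, client, "172.16.10.25"))      # SSL-VPN
    # Destination outside Subnet_1: falls through to the broad ACCEPT without
    # the DENY policy, and is dropped by the DENY policy when it is present.
    print(action_for(WITHOUT_DENY, client, "192.168.50.7"))   # ACCEPT
    print(action_for(WITH_DENY, client, "192.168.50.7"))      # DENY
    print(deny_follows_ssl_vpn(WITHOUT_DENY), deny_follows_ssl_vpn(WITH_DENY))  # False True
```

The `deny_follows_ssl_vpn` check is the kind of test worth running against an exported policy list after any reordering, since inserting a new ACCEPT policy between the SSL VPN policy and its DENY silently reopens the fall-through path.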