Fortinet FORTIOS V3.0 MR7 User Manual

Page 45

Configuring a FortiGate SSL VPN

Configuring firewall policies

FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718

5 Select OK.

To define the firewall policy for web-only mode connections

1 Go to Firewall > Policy and select Create New.

2 Enter these settings in particular:

Source
  Interface/Zone: Select the FortiGate interface that accepts connections from remote users.
  Address Name: Select all. (Remote users connect from arbitrary Internet addresses, so the source is not restricted here; access is scoped by the destination address and the user group instead.)

Destination
  Interface/Zone: Select the FortiGate interface to the local private network (for example, dmz).
  Address Name: Select the IP destination address that you defined previously (for example, Subnet_1).

Service: Select ANY.

Action: Select SSL-VPN.

SSL Client Certificate Restrictive: Select to allow traffic generated by holders of a (shared) group certificate, for example, a user group containing PKI peers/users. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed list.

Cipher Strength: Select one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
  • To use any cipher suite, select Any. This accepts whatever suite the client offers, including weak ones, so choose the strongest level your remote browsers support.
  • To use a 164-bit or greater cipher suite, select High >= 164.
  • To use a 128-bit or greater cipher suite, select Medium >= 128.

User Authentication Method: Select one of the following options to bind user groups to authentication methods:
  • If the user group contains only local users, select Local.
  • If the remote clients will be authenticated by an external RADIUS server, select Radius.
  • If the remote clients will be authenticated by an external LDAP server, select LDAP.
  • If the user group contains Local, RADIUS, and LDAP users, select Any to enable all of the authentication methods. Local is attempted first, then RADIUS, then LDAP.

Available Groups: Select the name of the user group requiring SSL VPN access, and then select the right-pointing arrow. Do not select more than one user group unless all members of the selected user groups have identical access requirements; otherwise every member receives the union of access granted by this policy.

3 Select OK.

4 If the user group requires access to another server or network, create the IP destination address (see "To specify the destination IP address" on page 46) and repeat this procedure to create the required firewall policy.

5 Create additional IP destination addresses and firewall policies if required for each additional user group.

Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like 172.16.10.[4-5].
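Because the destination address object is what bounds what an SSL VPN user group can reach, it is worth checking that each object matches only the hosts you intended before the policy goes live. The following is an added example for this page, not code from the FortiOS guide or from Fortinet: it parses the two address notations shown in the Note (a CIDR such as 172.16.10.2/32 and a last-octet range such as 172.16.10.[4-5]), expands them to the hosts the firewall would match, and flags any object that reaches more hosts than a policy is meant to expose. The function names, the sample specs and the host-count limit are assumptions made for the example.

```python
"""Expand and audit FortiGate-style destination address specs.

Added example, not part of the FortiOS guide. It relies only on the two
address notations the guide's Note shows (172.16.10.2/32 and
172.16.10.[4-5]); the function names, the sample specs and the
"expected host count" limit are assumptions made for this example.
"""
import ipaddress
import re

# Last-octet range as typed in the FortiGate address form: a.b.c.[low-high]
_RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def expand_address(spec):
    """Return every IPv4 host the address spec matches, in address order.

    Accepts 'a.b.c.d/nn' (CIDR; /32 is a single host) or 'a.b.c.[x-y]'
    (contiguous hosts in the last octet). Raises ValueError on bad input.
    """
    spec = spec.strip()
    m = _RANGE_RE.match(spec)
    if m:
        prefix, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad range in {spec!r}")
        # IPv4Address validates each octet of the prefix for us.
        return [ipaddress.IPv4Address(f"{prefix}.{i}") for i in range(low, high + 1)]
    # strict=False: a host address written with a subnet mask (172.16.10.1/24)
    # is treated as its whole subnet, which is what the firewall matches.
    return list(ipaddress.IPv4Network(spec, strict=False))


def spec_covers(spec, host):
    """True if the destination address object would match `host`."""
    return ipaddress.IPv4Address(host) in set(expand_address(spec))


def audit_destinations(specs, max_hosts):
    """Flag address objects that reach more hosts than the policy intends.

    Returns a list of (spec, host_count) for every spec over the limit, so a
    reviewer can see where a 'single server' policy quietly became a
    whole-subnet policy.
    """
    findings = []
    for spec in specs:
        count = len(expand_address(spec))
        if count > max_hosts:
            findings.append((spec, count))
    return findings


if __name__ == "__main__":
    # Constructed sample: the two specs from the Note plus one overly broad one.
    sample = ["172.16.10.2/32", "172.16.10.[4-5]", "172.16.10.0/24"]
    for spec in sample:
        print(f"{spec:18} -> {len(expand_address(spec))} host(s)")
    print("over limit:", audit_destinations(sample, max_hosts=2))
```

Run it against the address objects you plan to reference in step 2; an object that expands to far more hosts than the user group needs is the signal to split it into narrower objects and separate policies, as steps 4 and 5 describe.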