Fortinet FORTIOS V3.0 MR7 User Manual

Configuring a FortiGate SSL VPN

Configuring firewall policies

FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718

3. From the Type list, select Subnet/IP Range.

4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). If the remote client’s IP address is unknown, use the “all” entry, 0.0.0.0/0.0.0.0, as the address.

5. In the Interface field, select the interface to the internal (private) network.

6. Select OK.

To specify the destination IP address

1. Go to Firewall > Address and select Create New.

2. In the Address Name field, type a name that represents the local network, server(s), or host(s) to which IP packets may be delivered (for example, Subnet_2).

3. In the Subnet/IP Range field, type the corresponding IP address (for example, 192.168.22.0/24 for a subnet, or 192.168.22.2/32 for a server or host), or an IP address range (for example, 192.168.22.[10-25]).

4. In the Interface field, select the interface to the external (public) network.

5. Select OK.

Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like 172.16.10.[4-5].

To define the firewall policy for tunnel-mode operations

1. Go to Firewall > Policy and select Create New.

2. Enter these settings:

Source
    Interface/Zone: Select the FortiGate interface that accepts connections from remote users (for example, external).
    Address Name: Select the name that corresponds to the IP address of the remote user.

Destination
    Interface/Zone: Select the FortiGate interface to the local private network (for example, internal).
    Address Name: Select the IP destination address that you defined previously for the host(s), server(s), or network behind the FortiGate unit (for example, Subnet_2).

Service: Select ANY.

Action: Select SSL-VPN.

SSL Client Certificate Restrictive: Select to allow traffic generated by holders of a (shared) group certificate, for example, a user group containing PKI peers/users. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
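The Subnet/IP Range entries used by the source and destination address procedures and referenced by the policy's Address Name fields take a small set of forms: a CIDR subnet, a dotted-mask “all” entry, a /32 host, or a last-octet range such as 192.168.22.[10-25]. This added Python example (not from the Fortinet guide) parses those forms, checks whether a given address falls inside an entry, and flags the “all” entry when it appears in a policy's source or destination; the function names and sample values are constructed for illustration.

```python
import ipaddress
import re

# Entry forms that appear on this page, used here as constructed inputs:
#   172.16.10.0/24       subnet written with a CIDR prefix
#   0.0.0.0/0.0.0.0      the "all" entry, written with a dotted-decimal mask
#   192.168.22.2/32      a single server or host
#   192.168.22.[10-25]   a range over the last octet
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_address(entry):
    """Expand one Subnet/IP Range entry into a list of IPv4Network objects."""
    m = RANGE_RE.match(entry)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or out of bounds: {entry}")
        first = ipaddress.IPv4Address(f"{base}.{lo}")
        last = ipaddress.IPv4Address(f"{base}.{hi}")
        # A [lo-hi] range is rarely a single prefix; cover it with the
        # smallest set of subnets that spans exactly those addresses.
        return list(ipaddress.summarize_address_range(first, last))
    # ip_network accepts both "/24" and "/255.255.255.0" style masks;
    # strict=False tolerates host bits being set, as the GUI does.
    return [ipaddress.ip_network(entry, strict=False)]


def matches(entry, ip):
    """True if a packet from or to `ip` would match the address entry."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in parse_address(entry))


def is_all(entry):
    """True for the 'all' entry (0.0.0.0/0.0.0.0), which matches every address."""
    nets = parse_address(entry)
    return len(nets) == 1 and nets[0].prefixlen == 0


def review_policy(source_entry, destination_entry):
    """Return findings for a tunnel-mode policy's source/destination pair.

    An 'all' source is what the guide prescribes when the remote client's
    address is unknown; it is reported so a reviewer sees it explicitly."""
    findings = []
    if is_all(source_entry):
        findings.append("source is 'all': any remote client address matches")
    if is_all(destination_entry):
        findings.append("destination is 'all': policy reaches the entire private side")
    return findings
```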