FORTICLIENT / FORTICLIENT 5.4 / FORTIGATE / FORTIOS 5.4 / FORTIOS 5.4.0 / FORTIOS 5.4.1 / FORTIOS 5.4.2 / FORTIOS 5.4.3 / VPNS
SSL VPN using web and tunnel mode
Posted on December 23, 2015 by Victoria Martin
In this example, you will allow remote users to access the corporate network using an SSL VPN,
connecting either by web mode using a web browser or tunnel mode using FortiClient. This allows
users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this
example.
http://cookbook.fortinet.com/sslvpnusingwebandtunnelmode54/ 1/14
4/16/2017 SSL VPN using web and tunnel mode Fortinet Cookbook
For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to
apply security scanning to this traffic.
During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software
is installed and up-to-date.
1. Creating a user and a user group
Go to User & Device > User Definition. Create a local user account for an SSL
VPN user.
Go to User & Device > User Groups. Create a user group for SSL VPN users
and add the new user account.
2. Creating an SSL VPN portal for remote users
Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access
portal allows the use of tunnel mode and/or web mode.
Make sure Enable Split Tunneling is not selected, so that all Internet traffic
will go through the FortiGate.*
3. Configuring the SSL VPN tunnel
To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to
Allow access from any host.
Under Tunnel Mode Client Settings, set IP Ranges to use the default IP
range SSLVPN_TUNNEL_ADDR1.
Under Authentication/Portal Mapping, add the SSL VPN user group and
map it to the full-access portal.
4. Adding an address for the local network
5. Adding security policies for access to the internal network and Internet
Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access
to the internal network through the VPN tunnel interface. Set a policy name
that will identify what this policy is used for (in the example, SSL-VPN-internal).
Add a second security policy allowing SSL VPN access to the Internet.
6. Setting the FortiGate unit to verify users have current AntiVirus software
Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host
to check for compliant AntiVirus software on the remote user’s computer:
config vpn ssl web portal
    edit full-access
        set host-check av
end
7. Results
The steps for connecting to the SSL VPN differ depending on whether you are using a web
browser or FortiClient.
Web browsers:
Using a supported Internet browser, connect to the SSL VPN web portal
using the remote gateway configured in the SSL VPN settings (in the
example, 172.20.121.46:10443).
In this example, selecting the ISFW Bookmark allows you to connect to the
ISFW FortiGate.
You can also use the Quick Connection for other allowed types of traffic,
such as SSH.
FortiClient:
Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening
FortiGate interface (in the example, 172.20.121.46). Select Customize Port
and set it to 10443.
Select Add.
Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.
Join the discussion
Nishit Patel
I upgraded from 5.2.10 to 5.4.4. We have ssl-vpn configured in web mode and tunnel
mode. We use Firefox to connect to work network. But when we login, we don’t see
tunnel mode and also don’t see connect button?
Whitney Lo
How can I add security policies for access to the Internet if I am using wan load
balancing? I cannot find wan1 or wan2 or wan load balance on outgoing interface.
Michael P. Gray
I must be missing something. I followed this recipe with minor changes for IP
information. I can authenticate when making the VPN connection. I can check the
logs and see the connected client. The client gets a proper address in the subnet
that I identified, and gets the DNS entries that I specified but no gateway. The
client cannot access anything in the internal LAN. What am I missing?
Keith Leroux
Hi Michael, shot in the dark, but did you add the user group to the sslvpn->internal policy?
iacopo
Hello.
Is 10443 port a must if you want to change from default port (443)? I would like to
change to a different port than 443 or 10443 but it seems it’s not working, am I
missing something?
Thanks!
Victoria Martin
Hello,
Port 10443 is an unassigned port, which is why it was used for the VPN. Any
other unassigned port can also be used without causing conflict.
If you are having trouble using a different port, double-check that you are
using the correct port number in your URL (if you are using web mode) or
FortiClient (for tunnel mode). If after checking this you still have trouble, I
would recommend contacting Fortinet Support.
Bob Sauvage
If the subnet from the client is the same as the one from the Enterprise network,
what to do?
Keith Leroux
Hello Bob,
In the case of overlapping subnets, you will have to use VIPs. Here’s a
knowledge base article that should help you out:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD35117
Henry
Hello
Thanks and Regards.
paradoxxxical
I’m not sure why Henry’s question was ignored, but it’s valid as the
SSL-VPN-Internet in step 5, cannot be created with WAN LLB setup.
It allows you to select the specific lan for the SSL-VPN-Internal, but
not for the Internet. I created a route instead, but experiencing
similar issues to Michael P. Gray.
Limbad Sagar
Dear Sir/Madam
I have Config SSL_VPN using Forticlient, It’s working good and another function is
Mac Address bind it’s Possible in our Fortigate Firewall but our issues is Static Ip
bind it’s Possible that mean user connect to forticlient with fortigate firewall also
assign one Local_Ip (SSL_VPN_Range). So Please Inform me, It’s Possible
Forticlient Side Static_Ip bind in Our firewall ?
Limbad Sagar
Dear Mam,
we are using Fortinet 100D and have 2 internet connection and using Port
Forwarding our Fortinet Firewall , both are Internet connection port Forwarding
but some time internet connection down that time i lost connection. any another
idea failover root in port forwarding.
Victoria Martin
Hello Limbad,
I’m not quite sure I understand your question. This recipe was written
using a FortiGate 100D, so its setup should be similar to yours.
Adam Bristow
Hello,
There was a way to enable UTF-8, however this has since been replaced
with specific language options. This is configured in the CLI. Open the CLI
Console and enter the following:
Adam
David
I think we don’t have to enable NAT on the policy ssl.root to LAN.
Adam Bristow
Hello David,
Regards,
Adam
© 2017 Fortinet