Chapter 10 Install and System Administration for FortiOS 5.0 : PPTP and L2TP : FortiGate unit as a PPTP server : Adding the security policy
  
Adding the security policy
The security policy specifies the source and destination addresses that can generate traffic inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If only a selection of services is required, define a service group and use it instead of ALL.
To configure the firewall for the PPTP tunnel - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and the Policy Subtype as Address.
3. Complete the following and select OK:
Incoming Interface: The FortiGate interface connected to the Internet.
Source Address: Select the name that corresponds to the range of addresses that you reserved for PPTP clients.
Outgoing Interface: The FortiGate interface connected to the internal network.
Destination Address: Select the name that corresponds to the IP addresses behind the FortiGate unit.
Schedule: always
Service: ALL
Action: ACCEPT
Do not select identity-based policy, as this will cause PPTP access to fail. Authentication is configured in the PPTP configuration setup, not in the security policy.
To configure the firewall for the PPTP tunnel - CLI
config firewall policy
    edit 1
        set srcintf <interface to internet>
        set dstintf <interface to internal network>
        set srcaddr <reserved_range>
        set dstaddr <internal_addresses>
        set action accept
        set schedule always
        set service ALL
end
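The two procedures above boil down to a handful of settings that are easy to get wrong on a busy firewall, so the following is an added audit script (not part of the FortiOS documentation or of FortiOS itself) that parses a FortiOS 5.0 style "config firewall policy" snippet and checks each policy against what this page requires: the source address must be the reserved PPTP client range, the action must be accept, the schedule must be always, identity-based policy must be off, and "service ALL" is reported as a candidate for a narrower service group. The configuration text and the object names "pptp_clients", "internal_lan", "wan1" and "internal" are constructed for illustration, and the CLI keyword "identity-based" is assumed to be the 5.0 spelling of the web-based manager's identity-based policy option.

```python
"""Added example: audit a FortiOS 5.0 style firewall policy snippet for the
PPTP tunnel rules described on this page. Not Fortinet code; the config
below is constructed for illustration."""

import re

# Constructed sample: policy 1 follows the page; policy 2 has identity-based
# policy enabled, which the page says causes PPTP access to fail.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "pptp_clients"
        set dstaddr "internal_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "pptp_clients"
        set dstaddr "internal_lan"
        set action accept
        set identity-based enable
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {key: value}} for every 'edit N' block inside a
    'config firewall policy' section. Surrounding quotes are stripped from values."""
    policies = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line in ("next", "end"):
            if line == "end":
                in_section = False
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            policies[current][key] = value
    return policies


def audit_pptp_policy(policy, reserved_range):
    """Return a list of findings for one parsed policy; an empty list means the
    policy matches what the page describes for the PPTP tunnel."""
    findings = []
    if policy.get("srcaddr") != reserved_range:
        findings.append(
            f"srcaddr is {policy.get('srcaddr')!r}, expected the reserved PPTP range {reserved_range!r}")
    if policy.get("action") != "accept":
        findings.append("action is not accept")
    if policy.get("schedule") != "always":
        findings.append("schedule is not always")
    # The page: identity-based policy makes PPTP access fail; authentication
    # belongs in the PPTP configuration, not the security policy.
    if policy.get("identity-based") == "enable":
        findings.append("identity-based policy enabled: PPTP access will fail")
    # Informational: the page suggests a service group when only some services are needed.
    if policy.get("service") == "ALL":
        findings.append("service is ALL: consider a service group limited to what the tunnel needs")
    return findings


def audit_config(text, reserved_range="pptp_clients"):
    """Audit every policy in the snippet; returns {policy_id: [findings]}."""
    return {pid: audit_pptp_policy(p, reserved_range)
            for pid, p in parse_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {pid}: " + ("OK" if not findings else "; ".join(findings)))
```

Run it against a snippet captured with "show firewall policy"; only the "identity-based" finding is a hard failure for PPTP, the "service is ALL" line is a prompt to tighten scope once the tunnel is known to work.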
See Also
Configuring user authentication for PPTP clients
Enabling PPTP and specifying the PPTP IP address range
FortiGate unit as a PPTP server
PPTP and L2TP