Configuring a port-forwarding security policy
To create a port-forwarding security policy for PPTP pass-through, you must first create an address range reserved for the PPTP clients.
To create an address range - web-based manager
1. Go to Firewall Objects > Address > Addresses and select Create New.
2. Enter a Name for the range, for example, External_PPTP.
3. Select a Type of Subnet/IP Range.
4. Enter the IP address range.
5. Select the Interface to the Internet.
6. Select OK.
To create an address range - CLI
config firewall address
edit External_PPTP
set type iprange
set start-ip <ip_address>
set end-ip <ip_address>
set associated-interface <internet_interface>
end
With the address set, you can add the security policy.
To add the security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and the Policy Subtype as Address.
3. Complete the following and select OK:
Incoming Interface | The FortiGate interface connected to the Internet. |
Source Address | Select the address range created in the previous step. |
Outgoing Interface | The FortiGate interface connected to the PPTP server. |
Destination Address | Select the VIP address created in the previous steps. |
Schedule | always |
Service | PPTP |
Action | ACCEPT |
To add the security policy - CLI
config firewall policy
edit <policy_number>
set srcintf <interface to internet>
set dstintf <interface to PPTP server>
set srcaddr <address_range>
set dstaddr <PPTP_server_address>
set action accept
set schedule always
set service PPTP
end
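The following check is an added example, not part of the original handbook page or Fortinet's own tooling. It reads a FortiGate configuration backup and flags ACCEPT policies for the PPTP service whose source is anything other than a defined IP-range address object such as External_PPTP. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import shlex
# Constructed sample in FortiOS "show" style; names and addresses are made up.
SAMPLE = '''
config firewall address
    edit "External_PPTP"
        set type iprange
        set start-ip 203.0.113.10
        set end-ip 203.0.113.20
    next
end
config firewall policy
    edit 1
        set srcaddr "External_PPTP"
        set action accept
        set service "PPTP"
    next
    edit 2
        set srcaddr "all"
        set action accept
        set service "PPTP"
    next
end
'''

def parse_table(config, table):
    """Return {entry: {option: [values]}} for one 'config <table>' block."""
    entries, current, depth = {}, None, 0
    for raw in config.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config" and (depth or " ".join(tok[1:]) == table):
            depth += 1            # also counts config blocks nested in an entry
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            current = entries.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
    return entries

def unrestricted_pptp_policies(config):
    """IDs of ACCEPT policies for PPTP whose sources are not all iprange objects."""
    addrs = parse_table(config, "firewall address")
    flagged = []
    for pid, pol in parse_table(config, "firewall policy").items():
        is_pptp = pol.get("action") == ["accept"] and "PPTP" in pol.get("service", [])
        src = pol.get("srcaddr", [])
        if is_pptp and (not src or any(addrs.get(a, {}).get("type") != ["iprange"] for a in src)):
            flagged.append(pid)
    return flagged
```

On the constructed sample, policy 2 is flagged because its source address is "all" rather than the reserved client range.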