Creating the security policies
You need to define security policies to permit your SSL VPN clients, in web mode or tunnel mode, to connect to the protected networks behind the FortiGate unit. Before you create the security policies, you must define the source and destination addresses to include in the policy. See “Creating the firewall addresses”.
Two types of security policy are required:
• An SSL VPN policy enables clients to authenticate and permits a web-mode connection to the destination network. In this example, there are two destination networks, so there will be two SSL VPN policies. The authentication ensures that only authorized users access the destination network.
• A tunnel-mode policy is a regular ACCEPT security policy that enables traffic to flow between the SSL VPN tunnel interface and the protected network. Tunnel-mode policies are required if you want to provide tunnel-mode connections for your clients. In this example, there are two destination networks, so there will be two tunnel-mode policies.
To create the SSL VPN security policies - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type of VPN and the Policy Subtype as SSL-VPN.
3. Enter the following information:
   Incoming Interface: port1
   Remote Address: All
   Local Interface: port2
   Local Protected Interface: Subnet_1
4. Under Configure SSL-VPN Authentication Rules, select Create New and enter the following information:
   Group(s): group1
   Schedule: always
   Service: ALL
   SSL-VPN Portal: portal1
5. Select OK, and then select OK again.
6. Select Create New.
7. Select the Policy Type of VPN and the Policy Subtype as SSL-VPN.
8. Enter the following information:
   Incoming Interface: port1
   Remote Address: All
   Local Interface: port3
   Local Protected Interface: Subnet_2
9. Under Configure SSL-VPN Authentication Rules, select Create New and enter the following information:
   Group(s): group2
   Schedule: always
   Service: ALL
   SSL-VPN Portal: portal1
10. Select OK, and then select OK again.
To create the tunnel-mode security policies - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
   Incoming Interface: sslvpn tunnel interface (ssl.root)
   Source Address: Tunnel_group1
   Outgoing Interface: port2
   Destination Address: Subnet_1
   Action: ACCEPT
   Enable NAT: Enable
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
   Incoming Interface: sslvpn tunnel interface (ssl.root)
   Source Address: Tunnel_group2
   Outgoing Interface: port3
   Destination Address: Subnet_2
   Action: ACCEPT
   Enable NAT: Enable
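The CLI equivalent of the two procedures above, as an added example that is not part of the original page: it shows the first SSL VPN policy and the first tunnel-mode policy (the Subnet_1 pair); the second pair is identical apart from port3, Subnet_2, group2 and Tunnel_group2. The command and attribute names are assumed to match the FortiOS release this page documents (the one whose GUI offers Policy Type VPN with Subtype SSL-VPN); check them against the CLI reference for your firmware before applying them.

```fortios
config firewall policy
    # SSL VPN (web-mode) policy for Subnet_1: steps 1-5 of the first procedure.
    # Clients arriving on port1 must authenticate as group1 before the
    # portal1 web-mode session to Subnet_1 on port2 is allowed.
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Subnet_1"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "group1"
                set schedule "always"
                set service "ALL"
                set sslvpn-portal "portal1"
            next
        end
    next
    # Tunnel-mode policy for Subnet_1: steps 1-3 of the second procedure.
    # srcaddr is the Tunnel_group1 address object (group1's tunnel clients,
    # from "Creating the firewall addresses") rather than all, so traffic
    # from other tunnel address ranges is not matched by this policy.
    edit 3
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "Tunnel_group1"
        set dstaddr "Subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy IDs 1 and 3 are placeholders; the FortiGate assigns the next free ID when you create a policy in the web-based manager.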