Chapter 16 SSL VPN for FortiOS 5.0 : Basic Configuration : Configuring security policies : Create an SSL VPN security policy
  
Create an SSL VPN security policy
At minimum, you need one SSL VPN security policy to authenticate users and provide access to the protected networks. You will need additional security policies only if you have multiple web portals that provide access to different resources. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.
The SSL VPN security policy specifies:
the remote address that corresponds to the IP address of the remote user.
the local protected subnet address that corresponds to the IP address or addresses that remote clients need to access.
The local protected subnet address may correspond to an entire private network, a range of private IP addresses, or the private IP address of a server or host.
the level of SSL encryption to use and the authentication method.
which SSL VPN user groups can use the security policy.
the times (schedule) and types of services that users can access.
the UTM features and logging that are applied to the connection.
 
Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.
To create an SSL-VPN security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as SSL.
3. Enter the following information:
Incoming Interface
Select the name of the FortiGate network interface that connects to the Internet.
Remote Address
Select all.
Local Interface
Select the FortiGate network interface that connects to the protected network.
Local Protected Subnet
Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect.
If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select the plus symbol. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
SSL Client Certificate Restrictive
Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See “Strong authentication with security certificates”.
Cipher Strength
Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select.
4. Under Configure SSL-VPN Authentication Rules, select Create New.
Add a user group to the policy. The New SSL VPN Authentication Rule window opens on top of the security policy. Enter the following information and then select OK. You can select Add again to add more groups.
Group(s)
Select user groups that can connect to the SSL VPN tunnel.
User(s)
Select individual users that can connect to the SSL VPN tunnel.
Schedule
Select always.
SSL-VPN Portal
Select the portal the users connect to.
Custom Login
Select to choose a configured login screen. For more information, see “Custom login screen”.
Your identity-based policies are listed in the security policy table. The FortiGate unit searches the table from the top down to find a policy to match the client’s user group. Using the move icon in each row, you can change the order of the policies in the table to ensure the best policy will be matched first. You can also use the icons to edit or delete policies.
To create an SSL VPN security policy - CLI
Create the security policy by entering the following CLI commands:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr OfficeLAN
        set action ssl-vpn
        set nat enable
        config identity-based-policy
            edit 0
                set groups SSL-VPN
                set schedule always
                set service ALL
                set sslvpn-portal <portal_name>
            end
    end
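As an added check (example code, not part of the FortiOS documentation), the following Python parses the config/edit/next/end nesting of a FortiOS 5.0 firewall policy dump and flags SSL VPN policies that use ALL as the destination address (the Split Tunneling error noted above) or that have no identity-based-policy authentication rule. The sample dump, its address name OfficeLAN and its portal name full-access are constructed for the example.

```python
# Added example, not from the FortiOS docs: lint a FortiOS 5.0 CLI dump for SSL VPN
# policies with dstaddr 'all' (the Split Tunneling error) or no authentication rule.
import shlex
# Constructed sample dump: policy 1 follows the page, policy 2 does not.
SAMPLE = """\
config firewall policy
    edit 1
        set srcaddr all
        set dstaddr OfficeLAN
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups SSL-VPN
                set sslvpn-portal full-access
            next
        end
    edit 2
        set dstaddr all
        set action ssl-vpn
    next
end
"""
def parse_policies(text):
    """Return policies as {id, settings, rules}; set values are kept as token lists."""
    policies, stack = [], []  # stack of [table_name, open_entry]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "edit":
            entry = {"id": tok[1], "settings": {}, "rules": []}
            stack[-1][1] = entry
            if stack[-1][0] == "firewall policy":
                policies.append(entry)
            elif stack[-1][0] == "identity-based-policy":
                stack[-2][1]["rules"].append(entry)  # nested authentication rule
        elif tok[0] == "set":
            stack[-1][1]["settings"][tok[1]] = tok[2:]
        elif tok[0] == "end":  # 'end' also closes an open edit, as in the page's CLI
            stack.pop()
    return policies
def lint_sslvpn(policies):
    """Return (policy_id, finding) pairs for policies whose action is ssl-vpn."""
    out = []
    for p in (p for p in policies if p["settings"].get("action") == ["ssl-vpn"]):
        if "all" in p["settings"].get("dstaddr", []):
            out.append((p["id"], "dstaddr 'all' is rejected once Split Tunneling is enabled"))
        if not p["rules"]:
            out.append((p["id"], "no identity-based-policy rule, so no user group can log in"))
    return out
```

Run lint_sslvpn(parse_policies(text)) over a "show firewall policy" dump to list the policies that need the protected subnet address or an authentication rule before Split Tunneling is enabled.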
See Also
Firewall addresses
Create a tunnel mode security policy
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN