Chapter 16 SSL VPN for FortiOS 5.0 : Basic Configuration : Configuring security policies : Create a tunnel mode security policy
  
Create a tunnel mode security policy
If your SSL VPN will provide tunnel mode operation, you need to create a security policy to enable traffic to pass between the SSL VPN virtual interface and the protected networks. This is in addition to the SSL VPN security policy that you created in the preceding section.
The SSL VPN virtual interface is the FortiGate unit end of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your FortiGate unit, the SSL VPN virtual interface is also named ssl.root.
To configure the tunnel mode security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK.
Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Outgoing Interface: Select the interface that connects to the protected network.
Destination Address: Select the firewall address that represents the networks and servers the SSL VPN clients will connect to. To select multiple firewall addresses or address groups, select the plus sign next to the drop-down list.
Service: Select one or more services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
Action: Select Accept.
Enable NAT: (Optional) Select Enable NAT.
To configure the tunnel mode security policy - CLI
config firewall policy
    edit <id>
        set srcintf ssl.root
        set dstintf <dst_interface_name>
        set srcaddr <tunnel_ip_address>
        set dstaddr <protected_network_address_name>
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
This policy enables the SSL VPN client to initiate communication with hosts on the protected network. If you want to enable hosts on the protected network to initiate communication with the SSL VPN client, you should create another Accept policy like the preceding one but with the source and destination settings reversed.
You must also add a static route for tunnel mode operation.
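As an added example (not Fortinet code), the following Python parses a pasted `config firewall policy` block in the CLI format used above and reviews every policy that touches the ssl.root interface, reporting policies whose action was never set to accept (FortiOS defaults a policy's action to deny) and policies that allow the ALL service. The sample configuration, policy ids, and address names are constructed for the example.

```python
import shlex

# Constructed sample (not from a real device): the page's tunnel policy and
# the reverse policy from the note above, with 'set action accept' forgotten.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_VPN_tunnel_users"
        set dstaddr "Protected_Servers"
        set action accept
        set service "ALL"
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "Protected_Servers"
        set dstaddr "SSL_VPN_tunnel_users"
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """Map policy id -> {attribute: [values]}; quoted values and a bare 'end' closing an 'edit' are accepted."""
    policies, current, pid = {}, None, None
    for parts in map(shlex.split, text.splitlines()):
        if not parts:
            continue
        if parts[0] == "edit":
            pid, current = parts[1], {}
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]
        elif parts[0] in ("next", "end") and current is not None:
            policies[pid], current = current, None
    return policies

def audit_tunnel_policies(policies, vpn_intf="ssl.root"):
    """Return (policy id, finding) pairs for policies touching the SSL VPN interface."""
    findings = []
    for pid, attrs in policies.items():
        if vpn_intf not in attrs.get("srcintf", []) + attrs.get("dstintf", []):
            continue
        if attrs.get("action", ["deny"]) != ["accept"]:  # FortiOS default action is deny
            findings.append((pid, "missing-action-accept"))
        if "ALL" in attrs.get("service", []):  # the page allows ALL; narrow it where you can
            findings.append((pid, "service-all"))
    return findings
```

Run `audit_tunnel_policies(parse_policies(SAMPLE_CONFIG))` to see policy 11 flagged for the missing accept action and both policies flagged for the ALL service.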
See Also
Routing for tunnel mode
Firewall addresses
Create an SSL VPN security policy
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN