Chapter 11 IPsec VPN for FortiOS 5.0 : Internet-browsing configuration : Creating an Internet browsing security policy
Creating an Internet browsing security policy
On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.
To create an Internet browsing policy - policy-based VPN
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as VPN and leave the Policy Subtype as IPsec.
3. Enter the following information and then select OK:
Local Interface: The interface to which the VPN tunnel is bound.
Local Protected Subnet: All
Outgoing VPN Interface: The interface to which the VPN tunnel is bound.
Remote Protected Subnet: The internal address range of the remote spoke site.
VPN Tunnel: Select Use Existing and select the tunnel that provides access to the private network behind the FortiGate unit.
Allow traffic to be initiated from the remote site: Enable
Inbound NAT: Enable
4. Enable inbound NAT in the CLI.
config firewall policy
    edit <policy_number>
        set natinbound enable
end
To create an Internet browsing policy - route-based VPN
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and then select OK:
Incoming Interface: The IPsec VPN interface.
Source Address: All
Outgoing Interface: The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.
Destination Address: The internal address range of the remote spoke site.
Action: ACCEPT
Enable NAT: Enable
The VPN clients must be configured to route all Internet traffic through the VPN tunnel.
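The CLI equivalents of the two GUI procedures above, as an added example that is not taken from the FortiOS handbook. The interface name wan1 (the Internet-facing interface the tunnel is bound to), the IPsec interface name spoke-vpn, the tunnel name spoke-tunnel, the address object spoke-lan and its subnet are all assumed; in the route-based policy the source is narrowed from All to the spoke's internal range and the destination is left as all, because traffic leaving through the Internet-facing interface is bound for Internet addresses.

```fortios
# Address object for the spoke's internal range (constructed sample subnet)
config firewall address
    edit "spoke-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Policy-based VPN: Internet-browsing policy on the hub FortiGate.
# srcintf/dstintf = Local Interface / Outgoing VPN Interface (both bound to the tunnel)
# srcaddr/dstaddr = Local Protected Subnet / Remote Protected Subnet
# inbound enable  = "Allow traffic to be initiated from the remote site"
# natinbound      = the Inbound NAT setting from step 4
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "spoke-lan"
        set action ipsec
        set vpntunnel "spoke-tunnel"
        set inbound enable
        set natinbound enable
        set schedule "always"
        set service "ALL"
    next
end

# Route-based VPN: ordinary firewall policy from the IPsec interface
# to the Internet-facing interface, with source NAT enabled.
# Source is restricted to the spoke's range (assumed tightening of "All").
config firewall policy
    edit 0
        set srcintf "spoke-vpn"
        set dstintf "wan1"
        set srcaddr "spoke-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

"edit 0" creates a policy with the next free ID; check the resulting policy order with "show firewall policy", since a broader policy placed above this one would match first.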