Adding the security policy
The security policy specifies the source and destination addresses that can generate traffic inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If only a selection of services is required, define a service group and reference it in the policy instead of ALL.
To configure the firewall for the PPTP tunnel - web-based manager
1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.
2. Complete the following and select OK:
Incoming Interface: The FortiGate interface connected to the Internet.
Source Address: Select the name that corresponds to the range of addresses that you reserved for PPTP clients.
Outgoing Interface: The FortiGate interface connected to the internal network.
Destination Address: Select the name that corresponds to the IP addresses behind the FortiGate unit.
Schedule: always
Service: ALL
Action: ACCEPT
To configure the firewall for the PPTP tunnel - CLI
For an IPv6 policy, use config firewall policy6 in place of config firewall policy.
config firewall policy
    edit 1
        set srcintf <interface_to_internet>
        set dstintf <interface_to_internal_network>
        set srcaddr <reserved_range>
        set dstaddr <internal_addresses>
        set action accept
        set schedule always
        set service ALL
    next
end
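The policy above permits every service (ALL) from the PPTP client range into the internal network. The following is an added example, not from the original manual, showing the service-group variant the text mentions: a named group of predefined FortiOS services is created and the policy references that group instead of ALL, so only those services can cross the tunnel. The group name "PPTP_Client_Services", the choice of member services and the comment text are assumptions; the angle-bracket placeholders stand for your own interface and address object names.

```fortios
# Added example (not from the original page). Group name, member services
# and comment text are assumed; replace the <placeholders> with your own
# interface and address object names.
config firewall service group
    edit "PPTP_Client_Services"
        # HTTPS, SMB and DNS are predefined FortiOS service objects, chosen for illustration
        set member "HTTPS" "SMB" "DNS"
    next
end

config firewall policy
    edit 1
        set srcintf <interface_to_internet>
        set dstintf <interface_to_internal_network>
        set srcaddr <reserved_range>
        set dstaddr <internal_addresses>
        set action accept
        set schedule always
        # reference the group rather than ALL so only its members are permitted
        set service "PPTP_Client_Services"
        # log accepted sessions so tunnel traffic can be reviewed
        set logtraffic all
        set comments "PPTP clients to internal network, restricted services"
    next
end
```

To add or remove a permitted service later, edit the group's member list; the policy itself does not need to change.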
See Also
Configuring user authentication for PPTP clients
Enabling PPTP and specifying the PPTP IP address range
FortiGate unit as a PPTP server
PPTP and L2TP