Configuring a port-forwarding security policy
To create a port-forwarding security policy for PPTP pass-through, you must first create an address range reserved for the PPTP clients.
To create an address range - web-based manager
1. Go to Policy & Objects > Objects > Addresses and select Create New.
2. Select a Category.
3. Enter a Name for the range, for example, External_PPTP.
4. Select a Type of Subnet/IP Range.
5. Enter the IP address range.
6. Select the Interface to the Internet.
7. Select OK.
To create an address range - CLI
config firewall address OR config firewall address6
edit External_PPTP
set type iprange
set start-ip <ip_address>
set end-ip <ip_address>
set associated-interface <internet_interface>
end
With the address set, you can add the security policy.
To add the security policy - web-based manager
1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.
2. Complete the following and select OK:
Incoming Interface | The FortiGate interface connected to the Internet. |
Source Address | Select the address range created in the previous step. |
Outgoing Interface | The FortiGate interface connected to the PPTP server. |
Destination Address | Select the VIP address created in the previous steps. |
Schedule | always |
Service | PPTP |
Action | ACCEPT |
To add the security policy - CLI
config firewall policy OR config firewall policy6
edit <policy_number>
set srcintf <interface to internet>
set dstintf <interface to PPTP server>
set srcaddr <address_range>
set dstaddr <PPTP_server_address>
set action accept
set schedule always
set service PPTP
end
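The check below is an added example, not part of the original page or of any Fortinet tool. It reads the firewall address and firewall policy sections of a configuration backup and lists accept policies for the PPTP service whose source is all, or is an address not bound to the incoming interface. The sample configuration, the interface name wan1 and the helper names parse and audit_pptp are constructed for illustration, and the parser assumes flat config/edit/set sections.

```python
import shlex
# Constructed sample in FortiOS backup layout; "wan1" is a made-up interface name.
SAMPLE = """
config firewall address
    edit "External_PPTP"
        set type iprange
        set associated-interface "wan1"
        set start-ip 203.0.113.10
        set end-ip 203.0.113.20
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set srcaddr "External_PPTP"
        set action accept
        set service "PPTP"
    next
    edit 2
        set srcaddr "all"
        set action accept
        set service "PPTP"
    next
end
"""

def parse(text):  # -> {section: {entry: {option: [values]}}}; flat sections only
    tables, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[:1] == ["edit"] and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit_pptp(text):  # hypothetical helper: [(policy id, problem)] for loose PPTP sources
    cfg, findings = parse(text), []
    addrs = cfg.get("firewall address", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"] or "PPTP" not in pol.get("service", []):
            continue
        for src in pol.get("srcaddr", []):
            if src == "all":
                findings.append((pid, "srcaddr is all"))
            elif addrs.get(src, {}).get("associated-interface") != pol.get("srcintf"):
                findings.append((pid, f"{src} is not an address bound to srcintf"))
    return findings
```

Calling audit_pptp(SAMPLE) reports only policy 2; policy 1 passes because External_PPTP is bound to the same interface the policy receives traffic on.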