Create an SSL VPN security policy
At minimum, you need one SSL VPN security policy to authenticate users and provide access to the protected networks. You will need additional security policies only if you have multiple web portals that provide access to different resources. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.
The SSL VPN security policy specifies:
The incoming interface that corresponds to the ssl.root interface.
The SSL VPN user groups that can use the security policy.
The times (schedule) and types of services that users can access.
The UTM features and logging that are applied to the connection.
 
Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.
To create an SSL VPN security policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information:
Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
Source Address: Select all.
Source User(s): Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See “Strong authentication with security certificates”.
Outgoing Interface: Select the FortiGate network interface that connects to the protected network.
Destination Address: Select the firewall address you created that represents the networks and servers to which the SSL VPN clients will connect.
If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select the plus symbol. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
Action: Select Accept.
Your identity-based policies are listed in the security policy table. The FortiGate unit searches the table from the top down to find a policy to match the client’s user group. Using the move icon in each row, you can change the order of the policies in the table to ensure the best policy will be matched first. You can also use the icons to edit or delete policies. Furthermore, you can drag and drop policies in the policy list to rearrange their order.
To create an SSL VPN security policy - CLI:
Create the SSL VPN security policy by entering the following CLI commands.
config firewall policy
    edit <id>
        # ssl.root is the SSL VPN tunnel interface
        set srcintf ssl.root
        set dstintf port2
        set srcaddr all
        # firewall address for the protected network; do not use all here
        set dstaddr OfficeLAN
        # Accept, matching the Action setting in the web-based manager procedure
        set action accept
        # SSL VPN user group, schedule and services the policy applies to
        set groups <SSL VPN user group>
        set schedule always
        set service ALL
        set nat enable
    next
end
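As an added check, not part of the FortiGate documentation, the following Python script parses the text of a config firewall policy block and flags, for every policy whose incoming interface is ssl.root, the pitfalls this page names: a destination address of all (which breaks split tunneling), an action other than accept, and a policy with no SSL VPN user group. The sample configuration, the policy ids 5 and 6, the group name SSLVPN_Users and the address OfficeLAN are constructed for the example.

```python
"""Lint FortiOS 'config firewall policy' text for SSL VPN policy pitfalls.

Added example, not FortiGate code. It checks the requirements stated on the
page: incoming interface ssl.root, a destination address other than 'all',
action accept, and at least one SSL VPN user group on the policy.
"""
import re
from typing import Dict, List

# Constructed sample: policy 5 follows the page; policy 6 uses 'all' as the
# destination address and names no user group.
SAMPLE_CONFIG = """
config firewall policy
    edit 5
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "OfficeLAN"
        set action accept
        set groups "SSLVPN_Users"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 6
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

SSLVPN_INTERFACE = "ssl.root"  # virtual SSL VPN interface named on the page


def parse_policies(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse 'edit <id> ... next' blocks into {id: {setting: [values]}}.

    Only 'set' lines are recorded. Quoted values are unquoted, and settings
    that take several values (for example several groups) keep all of them.
    """
    policies: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("edit "):
            current = line[5:].strip()
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line[4:].split(None, 1)
            if len(parts) < 2:
                continue
            key, rest = parts
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
            policies[current][key] = values
    return policies


def check_sslvpn_policy(settings: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in one SSL VPN policy (empty list means ok)."""
    problems = []
    if settings.get("srcintf") != [SSLVPN_INTERFACE]:
        problems.append(f"srcintf must be {SSLVPN_INTERFACE}")
    dstaddr = settings.get("dstaddr", [])
    if not dstaddr or "all" in dstaddr:
        problems.append("dstaddr must be the protected network address, "
                        "not 'all' (breaks split tunneling)")
    if settings.get("action") != ["accept"]:
        problems.append("action should be accept")
    if not settings.get("groups"):
        problems.append("no SSL VPN user group (groups) set on the policy")
    return problems


def lint(text: str) -> Dict[str, List[str]]:
    """Lint every policy whose incoming interface is the SSL VPN interface."""
    return {
        pid: check_sslvpn_policy(settings)
        for pid, settings in parse_policies(text).items()
        if settings.get("srcintf") == [SSLVPN_INTERFACE]
    }


if __name__ == "__main__":
    for pid, issues in lint(SAMPLE_CONFIG).items():
        print(f"policy {pid}: {'ok' if not issues else '; '.join(issues)}")
```

Run it against the output of show firewall policy (or a saved configuration file) to find SSL VPN policies that will fail once split tunneling is enabled; policies on other interfaces are ignored.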
See Also
Firewall addresses
Create a tunnel mode security policy
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN