A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.
In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.
Example Internet-browsing configuration
You can adapt any of the following configurations to provide secure Internet browsing:
- A gateway-to-gateway configuration (see Gateway-to-gateway configurations)
- A FortiClient dialup-client configuration (see FortiClient dialup-client configurations)
- A FortiGate dialup-client configuration (see FortiGate dialup-client configurations)
The procedures in this section assume that one of these configurations is in place, and that it is operating properly.
To create an Internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:
- On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview, below.
- Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview.
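A CLI sketch of these two edits for a route-based gateway-to-gateway VPN, added here as an illustration and not taken from the Fortinet procedure. The interface names (`to_Site_2`, `to_FortiGate_1`, `wan1`) and the `default` security profiles are assumptions; substitute the names from your existing configuration.

```fortios
# --- FortiGate_1 (provides Internet access) ---
# Internet browsing security policy: decrypted VPN traffic enters on the
# IPsec interface and leaves on the Internet-facing port.
# "to_Site_2" and "wan1" are assumed interface names.
config firewall policy
    edit 0
        set srcintf "to_Site_2"
        set dstintf "wan1"
        # Narrow srcaddr to the remote subnet's address object if one exists.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Remote hosts use private addresses, so translate on the way out.
        set nat enable
        # Apply inspection so browsing is processed by the policy,
        # not merely forwarded. Profile names are assumed.
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
    next
end

# --- FortiGate_2 (remote peer) ---
# Route all traffic through the tunnel by pointing the default route
# at the IPsec interface. "to_FortiGate_1" is an assumed interface name.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to_FortiGate_1"
    next
end
```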