Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

To create an Internet browsing policy - policy-based VPN
  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter the following information and then select OK:

| Field | Setting |
|---|---|
| Incoming Interface | The interface to which the VPN tunnel is bound. |
| Source Address | The internal range address of the remote spoke site. |
| Outgoing Interface | The interface to which the VPN tunnel is bound. |
| Destination Address | All |
| VPN Tunnel | Select Use Existing and select the tunnel that provides access to the private network behind the FortiGate unit. |
| Allow traffic to be initiated from the remote site | Enable |
| Inbound NAT | Enable |

  3. Enable inbound NAT in the CLI.

     config firewall policy
       edit <policy_number>
         set natinbound enable
     end

To create an Internet browsing policy - route-based VPN
  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following information and then select OK:

| Field | Setting |
|---|---|
| Incoming Interface | The IPsec VPN interface. |
| Source Address | The internal range address of the remote spoke site. |
| Outgoing Interface | The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface. |
| Destination Address | All |
| Action | ACCEPT |
| Enable NAT | Enable |

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.
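
The following is an added example, not part of the Fortinet documentation: a Python check that compares policies from a `show firewall policy` export against the route-based settings listed above. The sample configuration, the interface names (`toSpoke`, `wan1`) and the address name (`Spoke_LAN`) are constructed for illustration, and the sample omits options the table does not cover.

```python
import shlex

# Constructed sample export from a route-based hub; all names are made up.
SAMPLE = '''
config firewall policy
    edit 7
        set srcintf "toSpoke"
        set dstintf "wan1"
        set srcaddr "Spoke_LAN"
        set dstaddr "all"
        set action accept
        set nat enable
    next
    edit 8
        set srcintf "toSpoke"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from a 'config firewall policy' block."""
    policies, current, inside = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]   # blank lines match no branch below
        if tok[:3] == ["config", "firewall", "policy"]:
            inside = True
        elif inside and tok[0] == "edit" and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif inside and tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
        elif inside and tok[0] == "next":
            current = None
        elif inside and tok[0] == "end":
            inside = False
    return policies

def check_route_based(policy, vpn_if, wan_if):
    """Compare one policy with the route-based table; return a list of deviations."""
    want = {"srcintf": [vpn_if], "dstintf": [wan_if], "dstaddr": ["all"],
            "action": ["accept"], "nat": ["enable"]}
    issues = [f"{k}: expected {v[0]}, found {' '.join(policy.get(k, ['<unset>']))}"
              for k, v in want.items() if policy.get(k) != v]
    if policy.get("srcaddr", ["all"]) == ["all"]:
        issues.append("srcaddr: should be the remote spoke's internal range, not all")
    return issues
```

In the sample, policy 7 matches the table, while policy 8 is reported for missing NAT and for a source address of `all`.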