Creating an Internet browsing security policy
On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.
To create an Internet browsing policy - policy-based VPN
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Enter the following information and then select OK:
| Setting | Value |
|---|---|
| Incoming Interface | The interface to which the VPN tunnel is bound. |
| Source Address | The internal range address of the remote spoke site. |
| Outgoing Interface | The interface to which the VPN tunnel is bound. |
| Destination Address | All |
| VPN Tunnel | Select Use Existing and select the tunnel that provides access to the private network behind the FortiGate unit. |
| Allow traffic to be initiated from the remote site | Enable |
| Inbound NAT | Enable |
- Enable inbound NAT in the CLI.
```text
config firewall policy
    edit <policy_number>
        set natinbound enable
end
```
To create an Internet browsing policy - route-based VPN
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter the following information and then select OK:
| Setting | Value |
|---|---|
| Incoming Interface | The IPsec VPN interface. |
| Source Address | The internal range address of the remote spoke site. |
| Outgoing Interface | The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface. |
| Destination Address | All |
| Action | ACCEPT |
| Enable NAT | Enable |
The VPN clients must be configured to route all Internet traffic through the VPN tunnel.
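The route-based policy from the table above, written out in the FortiOS CLI as an added example (not taken from the FortiGate documentation). The interface names `to_spoke1` (IPsec phase 1 interface) and `wan1`, the spoke LAN `192.168.10.0/24`, the address object name and the policy ID are assumptions for illustration.

```text
# Added example, not from the FortiGate documentation.
# Assumed names: "to_spoke1" = IPsec phase1 interface bound to wan1,
# "wan1" = Internet-facing interface, 192.168.10.0/24 = spoke LAN,
# policy ID 10. Run on the hub FortiGate (the VPN server).

# Address object for the remote spoke's internal range. Keep the source
# scoped to this range rather than "all", so only the spoke's hosts can
# use the hub as an Internet egress point.
config firewall address
    edit "spoke1_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Internet-browsing policy: traffic arriving on the tunnel interface from
# the spoke LAN, leaving through wan1 to any destination, source-NATed to
# the wan1 address (the GUI "Enable NAT" setting).
config firewall policy
    edit 10
        set name "spoke1_internet_browsing"
        set srcintf "to_spoke1"
        set dstintf "wan1"
        set srcaddr "spoke1_lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

On the spoke side, the default route must point at its tunnel interface and the phase 2 selector must cover destination 0.0.0.0/0, otherwise Internet-bound traffic never enters the tunnel and this policy is never matched.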