
Fortigate v4 SSL-VPN

Even though it is one of the simplest features to set up, here is a configuration guide, just in case.

First, via the CLI:




  • create a local user for the connections (qwe123 is a placeholder password for this guide; on a real device use a strong password, or point the group at a remote authentication server instead of local users):

config user local
    edit "test"
        set type password
        set passwd qwe123
    next
end


  • create a user group, bind it to an SSL-VPN portal and add the user to it:

config user group
    edit "SSL_USERS"
        set sslvpn-portal "full-access"
        set member "test"
    next
end


  • create an address object for the tunnel IP pool (the addresses that will be handed to connected clients):

config firewall address
    edit "SSLVPN_ADDR1"
        set subnet 10.212.134.0 255.255.255.0
    next
end


  • assign that pool in the SSL-VPN settings (idle-timeout is in seconds):

config vpn ssl settings
    set idle-timeout 500
    set tunnel-ip-pools "SSLVPN_ADDR1"
end


  • finally the firewall policies, a few rules: one from the internet to the portal (action ssl-vpn, identity-based, matching the group), and one in each direction between the SSL-VPN interface and the networks you need to reach. The address on the ssl.FGT side of policies 2 and 3 must be the same object you assigned as the tunnel IP pool (SSLVPN_ADDR1 here); if it is a different object, addresses handed out from the pool will not match the policy and tunnel traffic is dropped. Service "ANY" is used here for simplicity; narrow it to the protocols your users actually need. In my case:

config firewall policy
    edit 1
        set srcintf "EXT"
        set dstintf "ssl.FGT"
        set srcaddr "all"
        set dstaddr "LAN1" "LAN2"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSL_USERS"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "ssl.FGT"
        set dstintf "INT"
        set srcaddr "SSLVPN_ADDR1"
        set dstaddr "LAN1" "LAN2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "INT"
        set dstintf "ssl.FGT"
        set srcaddr "LAN1" "LAN2"
        set dstaddr "SSLVPN_ADDR1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
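Before committing a policy set like this one it is worth cross-checking the objects mechanically, because a mismatch between the tunnel pool and the address used in the tunnel policies does not produce an error, it just silently drops client traffic. The script below is an added example (not part of the original post and not a Fortinet tool): it parses a FortiOS-style CLI fragment into nested dicts and then checks that every accept policy touching an ssl.* interface carries exactly the address object given to set tunnel-ip-pools, that identity-based policies name a group that exists, and flags service ANY. SAMPLE is constructed from the post's own objects (EXT, INT, ssl.FGT, SSL_USERS, SSLVPN_ADDR1) and deliberately names a different object, SSLVPN_TUNNEL_ADDR1, in policies 2 and 3 so the check has something to find.

```python
"""Lint a FortiOS 4.x SSL-VPN fragment: accept policies on the ssl.* interface must
carry the address object named in 'set tunnel-ip-pools', identity-based policies
must reference a group that exists, and service ANY gets a warning.  Added example;
SAMPLE is constructed from the post's objects and deliberately names a different
object (SSLVPN_TUNNEL_ADDR1) in the tunnel policies than the pool uses."""
import shlex

SAMPLE = """\
config user group
    edit "SSL_USERS"
        set member "test"
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_ADDR1"
end
config firewall policy
    edit 1
        set srcintf "EXT"
        set dstintf "ssl.FGT"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "SSL_USERS"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "ssl.FGT"
        set dstintf "INT"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set service "ANY"
    next
    edit 3
        set srcintf "INT"
        set dstintf "ssl.FGT"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set service "ANY"
    next
end
"""

def parse(text):
    """'config A B' and 'edit X' open a child dict named 'A B' / 'X'; 'set K v..'
    stores [v..] on the current node; 'next' and 'end' close the innermost node."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops quotes and '#' comments
        if not tokens:
            continue
        cur, verb, args = (stack[-1] if stack else root), tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(args), {}))
        elif verb == "set":
            cur[args[0]] = args[1:]
        elif verb in ("next", "end") and stack:
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw.strip()}")
    if stack:
        raise ValueError("unterminated config/edit block")
    return root

def check_sslvpn(cfg):
    """Return findings as strings; an empty list means the SSL-VPN pieces agree."""
    findings = []
    pools = set(cfg.get("vpn ssl settings", {}).get("tunnel-ip-pools", []))
    groups = set(cfg.get("user group", {}))
    for pid, pol in cfg.get("firewall policy", {}).items():
        action = pol.get("action", ["deny"])[0]
        if action == "ssl-vpn":  # portal policy: every group it names must exist
            for sub in pol.get("identity-based-policy", {}).values():
                for g in sub.get("groups", []):
                    if g not in groups:
                        findings.append(f"policy {pid}: group {g!r} is not defined")
            continue
        if action != "accept":
            continue
        # tunnel traffic: whichever side is ssl.* must hold exactly the pool object(s)
        if any(i.startswith("ssl.") for i in pol.get("srcintf", [])):
            side = "srcaddr"
        elif any(i.startswith("ssl.") for i in pol.get("dstintf", [])):
            side = "dstaddr"
        else:
            continue
        objs = set(pol.get(side, []))
        if objs != pools:
            findings.append(f"policy {pid}: {side} {sorted(objs)} does not match "
                            f"tunnel pool {sorted(pools)}")
        if "ANY" in pol.get("service", []):
            findings.append(f"policy {pid}: service ANY; restrict to what users need")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sslvpn(parse(SAMPLE))) or "no findings")
```

Run it against a `show` dump of the relevant sections from your own unit; the parser only understands config/edit/set/next/end, which is all those sections contain. Replacing SSLVPN_TUNNEL_ADDR1 with SSLVPN_ADDR1 in SAMPLE leaves only the two service ANY warnings.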

Now the same thing via the GUI (the screenshots are not reproduced here; each step corresponds to the CLI block above):

User: (screenshot)

User group: (screenshot)

Firewall - address: (screenshot)

SSL-VPN settings: (screenshot)

Firewall policy, rules: (screenshot)

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

13 comments:

  1. You forgot this:

    from: WAN | to | LAN
    all lan1, lan2

    Let me know if I'm wrong :)

    Replies
    1. To be honest, I posted this configuration while configuring it on a production device.
      The end result was correct - I had full access from a user connected via SSL-VPN to the networks defined on LAN1 and LAN2.

      The rule you're talking about is part of the way we used to configure this on v3.