
Fortigate v4 SSL-VPN

Even though it's one of the simplest features to set up, here is a configuration guide, just in case.

First, via the CLI:

  • create a user for the connections:

config user local
    edit "test"
        set type password
        set passwd qwe123
    next
end


  • create a user group and bind it to the SSL-VPN portal:

config user group
    edit "SSL_USERS"
        set sslvpn-portal "full-access"
        set member "test"
    next
end


  • create an address range for the users:

config firewall address
    edit "SSLVPN_ADDR1"
        set subnet 10.212.134.0 255.255.255.0
    next
end


  • add the pool to the SSL-VPN settings:

config vpn ssl settings
    set idle-timeout 500
    set tunnel-ip-pools "SSLVPN_ADDR1"
end


  • finally the firewall policy, a few rules: from the internet to the portal, and from the portal to where you need and back. In my case it looks like this (the tunnel-side source/destination is the pool object created above, SSLVPN_ADDR1; the LAN1 and LAN2 address objects and the EXT/INT interfaces are assumed to exist already):

config firewall policy
    edit 1
        set srcintf "EXT"
        set dstintf "ssl.FGT"
        set srcaddr "all"
        set dstaddr "LAN1" "LAN2"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSL_USERS"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "ssl.FGT"
        set dstintf "INT"
        set srcaddr "SSLVPN_ADDR1"
        set dstaddr "LAN1" "LAN2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "INT"
        set dstintf "ssl.FGT"
        set srcaddr "LAN1" "LAN2"
        set dstaddr "SSLVPN_ADDR1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
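
The easiest way to break this setup is a name mismatch between the pool set in `vpn ssl settings` and the address objects the tunnel-side policies use, so here is an added consistency check (example code written for this post, not a Fortinet tool). It assumes config text in the same CLI shape as the snippets above; the parser is a minimal one written for this check, and the embedded sample is constructed, with a policy that names an address object that was never created.

```python
import shlex

# Constructed sample: the pool object plus a tunnel-side policy whose srcaddr names an undefined object.
SAMPLE = """
config firewall address
    edit "SSLVPN_ADDR1"
        set subnet 10.212.134.0 255.255.255.0
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_ADDR1"
end
config firewall policy
    edit 2
        set srcintf "ssl.FGT"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
    next
end
"""

def parse(text):
    # FortiOS CLI text -> nested dicts: section -> entry -> {attribute: [values]}
    root, stack = {}, []
    node = root
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):      # open a section or a table entry
            stack.append(node)
            node = node.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":                 # attribute with one or more values
            node[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):       # close the current entry / section
            node = stack.pop()
    return root

def check_sslvpn(cfg):
    findings = []
    defined = set(cfg.get("firewall address", {})) | {"all"}
    pools = set(cfg.get("vpn ssl settings", {}).get("tunnel-ip-pools", []))
    findings += [f"tunnel pool {p} undefined" for p in pools - defined]
    for pid, pol in cfg.get("firewall policy", {}).items():
        src, dst = pol.get("srcintf", []), pol.get("dstintf", [])
        if not any(i.startswith("ssl.") for i in src + dst):
            continue                          # policy does not touch the tunnel interface
        for key in ("srcaddr", "dstaddr"):
            findings += [f"policy {pid}: {key} {a} undefined" for a in pol.get(key, []) if a not in defined]
        # An accept policy on the tunnel must match the pool, else clients get a tunnel but no path.
        side = "srcaddr" if any(i.startswith("ssl.") for i in src) else "dstaddr"
        if pol.get("action") == ["accept"] and not set(pol.get(side, [])) & pools:
            findings.append(f"policy {pid}: {side} does not cover tunnel pool {sorted(pools)}")
    return findings
```

Run it over a `show full-configuration` dump before pushing the policy; an empty list means the pool, address objects and tunnel-side policies agree.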

Now the same thing, but via the GUI:

User: [screenshot]

User group: [screenshot]

Firewall - address: [screenshot]

SSL-VPN settings: [screenshot]

Firewall policy, rules: [screenshot]


4 comments:

  1. you forgot this:

    from: WAN | to | LAN
    all lan1, lan2

    let me know if I'm wrong :)

    Replies
    1. To be honest, I posted this configuration while configuring it on a production device.
      The end result was correct - I had full access from a user connected via SSL-VPN to the networks defined on LAN1 and LAN2.

      The rule you're talking about is part of the way we used to configure this on v3.