Configuring a FortiGate SSL VPN: Configuring firewall policies
3. From the Type list, select Subnet/IP Range.
4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). If the remote client's IP address is unknown, set the Subnet/IP Range to "all" (0.0.0.0/0.0.0.0). Note that a source of "all" matches every client IP address, so SSL VPN user authentication becomes the only source-side control on the policy.
Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like
5. In the Interface field, select the interface to the external (public) network. This must be the same interface that the firewall policy uses as its source interface (for example, external); an address bound to a different interface cannot be selected as the policy's source address.
6. Select OK.
To specify the destination IP address
1. Go to Firewall > Address and select Create New.
2. In the Address Name field, type a name that represents the local network, server(s), or host(s) to which IP packets may be delivered (for example, Subnet_2).
3. In the Subnet/IP Range field, type the corresponding IP address (for example, 192.168.22.0/24 for a subnet, or 192.168.22.2/32 for a server or host), or IP address range.
4. In the Interface field, select the interface to the internal (private) network. This must be the same interface that the firewall policy uses as its destination interface (for example, internal).
5. Select OK.
To define the firewall policy for tunnel-mode operations
1. Go to Firewall > Policy and select Create New.
2. Enter these settings:

   Source
     Interface/Zone: Select the FortiGate interface that accepts connections from remote users (for example, external).
     Address Name:   Select the name that corresponds to the IP address of the remote user.

   Destination
     Interface/Zone: Select the FortiGate interface to the local private network (for example, internal).
     Address Name:   Select the IP destination address that you defined previously for the host(s), server(s), or network behind the FortiGate unit (for example, Subnet_2).

   Service:  Select ANY.

   Action:   Select

   SSL Client Certificate Restrictive:  Select to allow traffic generated by holders of a (shared) group certificate, for example, a user group containing PKI peers/users. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
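The procedure above depends on three things lining up: the source and destination address objects must be bound to the same interfaces the policy uses as its source and destination interfaces, the policy action must be the SSL VPN action, and a source of "all" (0.0.0.0/0) leaves user authentication as the only source-side control. The following is an added example, not code from the FortiOS guide or from Fortinet: a small Python checker that parses a FortiOS-CLI-style dump of the address objects and policy (a constructed sample, with Remote_user_IP deliberately bound to the wrong interface) and reports each of those problems. The CLI keywords it assumes (associated-interface, srcintf, dstintf, srcaddr, dstaddr, action ssl-vpn) are not shown on the page; the SSL client certificate and user-group settings are not modelled.

```python
"""Consistency checker for a tunnel-mode SSL VPN firewall policy.

Added example (not from the FortiOS guide). It parses the FortiOS CLI
shape 'config ... / edit ... / set ... / next / end' and checks the
constraints the GUI procedure relies on.
"""
import ipaddress

# Constructed sample, not taken from a real device. Remote_user_IP is
# bound to "internal" on purpose so the checker has a mismatch to flag.
SAMPLE_CONFIG = """\
config firewall address
    edit "Remote_user_IP"
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
        set associated-interface "internal"
    next
    edit "Subnet_2"
        set type ipmask
        set subnet 192.168.22.0 255.255.255.0
        set associated-interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "Remote_user_IP"
        set dstaddr "Subnet_2"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry_name: {key: value}}} from CLI-style text."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.replace('"', "")
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def check_sslvpn_policy(config, policy_id):
    """Return a list of findings (empty means the policy is consistent)."""
    addresses = config.get("firewall address", {})
    policy = config["firewall policy"][policy_id]
    findings = []
    if policy.get("action") != "ssl-vpn":
        findings.append(f"policy {policy_id}: action is {policy.get('action')!r}, "
                        "expected ssl-vpn")
    for side, intf_key, addr_key in (("source", "srcintf", "srcaddr"),
                                     ("destination", "dstintf", "dstaddr")):
        name = policy.get(addr_key)
        addr = addresses.get(name)
        if addr is None:
            findings.append(f"policy {policy_id}: {side} address {name!r} is not defined")
            continue
        # An address bound to an interface can only be used in a policy
        # whose corresponding interface matches that binding.
        bound = addr.get("associated-interface")
        if bound and bound != policy.get(intf_key):
            findings.append(f"{side} address {name!r} is bound to {bound!r} but the "
                            f"policy's {intf_key} is {policy.get(intf_key)!r}")
        ip, _, mask = addr.get("subnet", "").partition(" ")
        if side == "source" and ip and mask:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if net.prefixlen == 0:
                findings.append(f"source address {name!r} is 0.0.0.0/0: any client IP "
                                "matches; SSL VPN user authentication is the only "
                                "source-side control")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in check_sslvpn_policy(cfg, "1"):
        print("FINDING:", finding)
    # Rebind the source address to the policy's source interface and re-check.
    cfg["firewall address"]["Remote_user_IP"]["associated-interface"] = "external"
    for finding in check_sslvpn_policy(cfg, "1"):
        print("AFTER FIX:", finding)
```

Run as a script it prints two findings for the sample (the interface mismatch and the 0.0.0.0/0 source), then only the 0.0.0.0/0 note once the binding is corrected; that remaining note is informational, since "all" is the documented choice when the remote client's IP address is unknown.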
FortiOS v3.0 MR7 SSL VPN User Guide (page 47)