Fortinet FORTIOS V3.0 MR7 manual Subnet2, To define the firewall policy for tunnel-mode operations

Page 47


Configuring a FortiGate SSL VPN	Configuring firewall policies

3From the Type list, select Subnet/IP Range.

4In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). If the remote client’s IP address is unknown, the Subnet/IP Range should be “all”, with 0.0.0.0/0.0.0.0 as the address used.

Note: To provide access to a single host or server, you would type an IP address like 172.16.10.2/32. To provide access to two servers having contiguous IP addresses, you would type an IP address range like 172.16.10.[4-5].

5In the Interface field, select the interface to the internal (private) network.

6Select OK.

To specify the destination IP address

1Go to Firewall > Address and select Create New.

2In the Address Name field, type a name that represents the local network, server(s), or host(s) to which IP packets may be delivered (for example,

Subnet_2).

3In the Subnet/IP Range field, type the corresponding IP address (for example, 192.168.22.0/24 for a subnet, or 192.168.22.2/32 for a server or host), or IP address range (192.168.22.[10-25]).

4In the Interface field, select the interface to the external (public) network.

5Select OK.

To define the firewall policy for tunnel-mode operations

1Go to Firewall > Policy and select Create New.

2Enter these settings:

Source	Interface/Zone
	Select the FortiGate interface that accepts connections from
	remote users (for example, external).
	Address Name
	Select the name that corresponds to the IP address of the remote
	user.
Destination	Interface/Zone
	Select the FortiGate interface to the local private network (for
	example, internal).
	Address Name
	Select the IP destination address that you defined previously for
	the host(s), server(s), or network behind the FortiGate unit (for
	example, Subnet_2).
Service	Select ANY.
Action	Select SSL-VPN.

SSL Client Certificate Select to allow traffic generated by holders of a (shared) group

Restrictive certificate, for example, a user group containing PKI peers/users. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718	47

Image 47

Contents E R G U I D E Trademarks FortiGate v3.0 MR7 SSL VPN User GuideContents Starting a session from the Tools area Configuring SSL VPN settingsWorking with the web portal SSL VPN host OS patch checkLogging out Tunnel-mode featuresIndex Page About FortiGate SSL VPN IntroductionDocument conventions About this documentTypographic conventions FortiGate documentationFortiManager documentation Related documentationFortinet Tools and Documentation CD FortiClient documentationFortiMail documentation FortiAnalyzer documentationComments on Fortinet technical documentation Customer service and technical supportComparison of SSL and IPSec VPN technology Configuring a FortiGate SSL VPNConnectivity considerations Legacy versus web-enabled applicationsAuthentication differences Access controlSession failover support Web-only modeSSL VPN modes of operation Tunnel mode Web-only mode client requirementsTunnel-mode client requirements TopologyInfrastructure requirements Example SSL VPN configurationConfiguring the SSL VPN client Configuration overviewTo download and run the SSL VPN Virtual Desktop application Using the SSL VPN Virtual DesktopSSL VPN Virtual Desktop application Configuring the SSL VPN client To download the SSL VPN Virtual Desktop, select To ping a host or server behind the FortiGate unit Using the SSL VPN standalone tunnel clientsTo connect to a web server from the Tools area Firmware Images selection on Fortinet customer support site To download the SSL VPN standalone tunnel client WindowsFortiClientSSLVPNSetup3.0.384.exe or Username PasswordSave user name and password , and Keep connection alive Server AddressTo download the SSL VPN standalone tunnel client Linux Configuring the SSL VPN client Configuring a FortiGate SSL VPN Server User Enter your user name PasswordAdvanced settings To use the SSL VPN standalone tunnel client LinuxUse Client File Path To uninstall the SSL VPN standalone tunnel client LinuxTo download the SSL VPN standalone tunnel client MacOS Configuring the SSL VPN client To use the SSL VPN standalone tunnel client MacOS To uninstall the SSL VPN standalone tunnel client MacOSEnabling SSL VPN connections and editing SSL VPN settings Configuring SSL VPN settingsSee Specifying the cipher suite for SSL negotiations Specifying an IP address range for tunnel-mode clients Go to System Admin SettingsSpecifying a port number for web portal connections Specifying the cipher suite for SSL negotiations Setting the idle timeout settingAdding a custom caption to the web portal home Setting the client authentication timeout settingAdding Wins and DNS services for clients To add a custom caption Go to VPN SSL ConfigCustomizing the web portal login Configuring user accounts and SSL VPN user groupsUser Name DisableTo create a user account in the Local domain To create a user group Configuring user accounts and SSL VPN user groups Configuring firewall policies To specify the destination IP address Configuring firewall addresses Configuring Web-only firewall policies To define the firewall policy for web-only mode connections To specify the source IP address Configuring tunnel-mode firewall policiesTo define the firewall policy for tunnel-mode operations Subnet2Available Groups Configuring SSL VPN event-loggingUser Authentication Monitoring active SSL VPN sessions To view SSL VPN event logs Go to Log&Report Log AccessSee also Configuring SSL VPN bookmarks and bookmark groupsViewing the SSL VPN bookmark list DeleteCreate New Bookmark Configuring SSL VPN bookmarksViewing the SSL VPN Bookmark Groups list Configuring SSL VPN bookmark groupsAssigning SSL VPN bookmark groups to SSL VPN users Description Configuration ExampleSSL VPN host OS patch check VariableSSL VPN configuration for unique access permissions Enable SSL-VPN Settings Group1 user group attributes Source/destination firewall addresses Public IP To view the SSL VPN policies, go to Firewall Policy Firewall policy list SSL VPN virtual interface ssl.rootPeer network policy Source Ssl.root Source address Internet browsing policy Source Ssl.root Source addressSSL VPN dropping connections SSL VPN dropping connections SSL VPN dropping connections To log in to the FortiGate secure Http gateway Connecting to the FortiGate unitWeb portal home page features FortiGate SSL VPN Remote Access Web Portal URL re-writing Launching web portal applicationsDetails Adding a bookmark to the My Bookmarks listAdd Bookmark BookmarkHost Name/IP, or Shared File Folder Title10.10.10.10 To add a telnet connection and start a telnet sessionTo add an FTP connection and start an FTP session To add a SMB/CIFS connection and start a SMB session Launching web portal applications To add a VNC connection and start a VNC session To add a RDP connection and start a RDP session Working with the web portal 192.168.1.3 To add a SSH connection and start a SSH sessionSee also To start a telnet session from the Tools area Tunnel-mode featuresStarting a session from the Tools area Working with the ActiveX/Java Platform plug-in To initiate a VPN tunnel with the FortiGate unit To download and install the ActiveX/Java Platform pluginLogging out Uninstalling the ActiveX/Java Platform pluginTo uninstall the ActiveX/Java Platform plugin Logging out Index URL Index Page