Configuring firewall policies

Configuring a FortiGate SSL VPN

Configuring tunnel-mode firewall policies

Follow the procedures in this section to complete a tunnel-mode configuration. These procedures assume that you have already completed the procedures found in “Configuring user accounts and SSL VPN user groups” on page 42.

When a remote client initiates a connection to the FortiGate unit, the FortiGate unit authenticates the client and determines which mode of operation is in effect for the user. When tunnel mode is enabled, the user can access the server applications and network services on the internal network if required and/or download and install an ActiveX plugin from the web portal. The ActiveX control provides SSL VPN client software.

Note: On the web browser, ensure that the security settings associated with the Internet zone permit ActiveX controls to be downloaded and run.

After the user adds the ActiveX plugin to the web browser on the remote client, the user can start the SSL VPN client software to initiate an SSL VPN tunnel with the FortiGate unit. The FortiGate unit establishes the tunnel with the SSL client and assigns the client a virtual IP address. Afterward, the SSL client uses the assigned virtual IP address as its source address for the duration of the session.

To configure the FortiGate unit to support tunnel-mode access, you perform the following configuration tasks on the FortiGate unit:

Specify the IP address(es) that can be assigned to the SSL VPN client when they establish tunnels with the FortiGate unit.

Define a firewall policy to support tunnel-mode operations.

A firewall policy specifies the originating (source) IP address of a packet and the destination address defines the IP address of the intended recipient or network. In this case, the source address corresponds to the IP address of the remote user that will connect to the FortiGate unit, and the destination address corresponds to the IP address(es) of the host(s), server(s), or network behind the FortiGate unit.

Configuring the firewall policy involves:

specifying the source and destination IP addresses:

The source address corresponds to the IP address of the remote user.

The destination address corresponds to the IP address or addresses that remote clients need to access. The destination address may correspond to an entire private network, a range of private IP addresses, or the private IP address of a server or host.

specifying the level of SSL encryption to use and the authentication method

binding the user group to the firewall policy

Note: If your destination address, SSL encryption, and user group are the same as for your web-only mode connection, you do not need to create a firewall policy for tunnel mode. The FortiGate unit uses the web-only mode policy settings except for the source address range, which it obtains from the tunnel IP range settings.

To specify the source IP address

1Go to Firewall > Address and select Create New.

2In the Address Name field, type a name that represents the IP address that is permitted to set up SSL VPN connection.

 

FortiOS v3.0 MR7 SSL VPN User Guide

46

01-30007-0348-20080718

Page 45 Page 47
Page 46
Image 46
Fortinet FORTIOS V3.0 MR7 manual Configuring tunnel-mode firewall policies, To specify the source IP address
Page 45 Page 47

FORTIOS V3.0 MR7 specifications

Fortinet's FortiOS v3.0 MR7 marks a significant advancement in network security and management, providing organizations with enhanced features, technologies, and characteristics to better protect their IT environments. This version of FortiOS is designed to facilitate comprehensive security and optimized performance, ensuring that organizations can safeguard their networks against evolving threats.

One of the main features in FortiOS v3.0 MR7 is its robust firewall capabilities. The stateful firewall technology enables dynamic packet filtering based on predefined security policies. This strengthens the organization's perimeter defense by allowing or denying traffic based on user-defined rules. Additionally, the integrated Application Control feature extends the firewall's capabilities by identifying and controlling applications regardless of port usage, enabling organizations to enforce security policies on a finer-grained level.

FortiOS v3.0 MR7 also introduces advanced intrusion prevention system (IPS) functionalities. The next-generation IPS utilizes deep packet inspection and real-time threat intelligence to detect and block attacks before they can compromise the network. Coupled with Fortinet’s threat research team, which ensures timely updates of security signatures, this system helps organizations mitigate risks posed by sophisticated cyber threats.

Another key characteristic of FortiOS v3.0 MR7 is its enhanced VPN capabilities. The support for both SSL and IPsec VPN allows secure remote access for employees and offers flexible options for secure communication over the internet. This feature is essential for organizations that embrace remote work, ensuring that sensitive data remains protected regardless of the user's location.

In addition to its powerful security features, FortiOS v3.0 MR7 includes advanced reporting and logging capabilities. Users can generate detailed reports that highlight security events, traffic patterns, and performance metrics. This data not only improves visibility into network security but also assists in compliance with regulatory requirements.

Moreover, the platform's user-friendly interface enhances the overall management experience. Administrators can quickly configure settings, monitor activity, and respond to incidents effectively. With centralized management capabilities, FortiOS v3.0 MR7 allows organizations to manage multiple devices from a single console, simplifying operations and reducing administrative overhead.

In summary, Fortinet's FortiOS v3.0 MR7 integrates a wealth of security features, including a stateful firewall, advanced IPS, VPN support, and comprehensive reporting functions. Together, these technologies ensure that organizations can maintain a strong security posture in an increasingly complex threat landscape.
Top Page Image Contents