FortiOS v3.0 MR7 SSL VPN User Guide (Fortinet document 01-30007-0348-20080718), page 45
Configuring a FortiGate SSL VPN: Configuring firewall policies

5 Select OK.
To define the firewall policy for web-only mode connections
1 Go to Firewall > Policy and select Create New.
2 Enter these settings in particular (each setting is described in the settings table that follows the Note):
3 Select OK.
4 If the user group requires access to another server or network, create the IP
destination address (see "To specify the destination IP address" on page 46) and
repeat this procedure to create the required firewall policy.
5 Create additional IP destination addresses and firewall policies if required for
each additional user group.
Note: To provide access to a single host or server, type an IP address like
172.16.10.2/32. To provide access to two servers having contiguous IP addresses, type
an IP address range like 172.16.10.[4-5]. Use the narrowest address that covers what
the group actually needs: a destination of all would let every member of the group reach
everything behind the destination interface.
Settings for step 2 (web-only mode firewall policy)

Source
  Interface/Zone: Select the FortiGate interface that accepts connections from remote users.
  Address Name: Select all.

Destination
  Interface/Zone: Select the FortiGate interface to the local private network (for example, dmz).
  Address Name: Select the IP destination address that you defined previously (for example, Subnet_1).

Service: Select ANY.

Action: Select SSL-VPN.

SSL Client Certificate Restrictive: Select to allow traffic generated by holders of a (shared)
  group certificate, for example, a user group containing PKI peers/users. The holders of the
  group certificate must be members of an SSL VPN user group, and the name of that user group
  must be present in the Allowed list.

Cipher Strength: Select one of the following options to determine the level of SSL encryption
  to use. The web browser on the remote client must be capable of matching the level that you
  select:
    To use any cipher suite, select Any.
    To use a 164-bit or greater cipher suite, select High >= 164. (No 164-bit cipher suite
    exists; the figure appears to be a typo for 168, the nominal key length of 3DES, so High
    admits 3DES and stronger suites.)
    To use a 128-bit or greater cipher suite, select Medium >= 128.
  Prefer High. Any lets the client negotiate the weakest suite it offers, and nominal key
  length is a poor measure of strength: 3DES is deprecated today regardless of its key size.

User Authentication Method: Select one of the following options to bind user groups to
  authentication methods:
    If the user group contains only local users, select Local.
    If the remote clients will be authenticated by an external RADIUS server, select Radius.
    If the remote clients will be authenticated by an external LDAP server, select LDAP.
    If the user group contains Local, RADIUS, and LDAP users, select Any to enable all of the
    authentication methods. Local is attempted first, then RADIUS, then LDAP.

Available Groups: Select the name of the user group requiring SSL VPN access, and then select
  the right-pointing arrow. Do not select more than one user group unless all members of the
  selected user groups have identical access requirements; every member of every group listed
  on the policy gets the same access.
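The procedure and settings table above leave the operator to check by eye that each policy is as narrow as the guide recommends. The following added example (written for this page, not Fortinet's code and not a FortiOS feature) expands the two address notations the Note describes, 172.16.10.2/32 and 172.16.10.[4-5], into IP networks, and then audits policies expressed with the same fields as the settings table against the guide's advice: a destination of all or an oversized destination, Cipher Strength Any, more than one group on one policy, and an authentication method that cannot authenticate every member of a selected group. The group membership, the two sample policies, and the 256-host threshold are constructed assumptions.

```python
"""Audit FortiOS 3.0-style SSL VPN firewall policies against the guide's advice."""
import ipaddress
import re

# Range notation from the guide's Note: 172.16.10.[4-5] means hosts .4 and .5
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_address(text):
    """Expand a FortiOS address string into a list of IPv4Network objects.

    Accepts the two forms the guide mentions, a CIDR host or subnet
    (172.16.10.2/32, 172.16.10.0/24) and a contiguous range
    (172.16.10.[4-5]), plus the built-in "all" object.
    """
    if text == "all":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    m = RANGE_RE.match(text)
    if m:
        prefix, lo, hi = m.groups()
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        # Ranges are returned as the minimal set of covering networks
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False tolerates host bits set, as a.b.c.d/mask entries do
    return [ipaddress.IPv4Network(text, strict=False)]


def host_count(networks):
    """Number of addresses the expanded address object covers."""
    return sum(n.num_addresses for n in networks)


def audit_policy(policy, group_members, max_hosts=256):
    """Return a list of findings for one SSL-VPN policy.

    policy: dict keyed like the guide's settings table (dstaddr, cipher,
            auth, groups, action).
    group_members: user group name -> set of member types
                   ("local", "radius", "ldap").
    max_hosts: assumed threshold above which a destination is "too broad".
    """
    findings = []
    if policy["action"] != "SSL-VPN":
        return findings
    hosts = host_count(parse_address(policy["dstaddr"]))
    if policy["dstaddr"] == "all" or hosts > max_hosts:
        findings.append(f"destination {policy['dstaddr']} exposes {hosts} hosts; "
                        "narrow it to the servers the group needs")
    if policy["cipher"] == "Any":
        findings.append("cipher strength Any lets the client negotiate the weakest "
                        "suite it offers")
    if len(policy["groups"]) > 1:
        findings.append("more than one group on a policy: every member of every "
                        "group gets identical access")
    # The guide binds the auth method to the membership of the group:
    # Local only for all-local groups, Radius/LDAP for externally
    # authenticated groups, Any for mixed groups.
    method = policy["auth"].lower()
    for name in policy["groups"]:
        kinds = group_members[name]
        if method != "any" and kinds != {method}:
            findings.append(f"auth method {policy['auth']} cannot authenticate all "
                            f"members of {name} ({', '.join(sorted(kinds))})")
    return findings


# Constructed sample data (not from the guide): group membership and two policies.
GROUPS = {
    "SSL_Group_1": {"local"},
    "SSL_Group_2": {"local", "radius"},
}

GOOD_POLICY = {
    "srcintf": "wan1", "srcaddr": "all",
    "dstintf": "dmz", "dstaddr": "172.16.10.[4-5]",
    "service": "ANY", "action": "SSL-VPN",
    "cipher": "High", "auth": "Local", "groups": ["SSL_Group_1"],
}

BAD_POLICY = {
    "srcintf": "wan1", "srcaddr": "all",
    "dstintf": "dmz", "dstaddr": "all",
    "service": "ANY", "action": "SSL-VPN",
    "cipher": "Any", "auth": "Local", "groups": ["SSL_Group_1", "SSL_Group_2"],
}

if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for line in audit_policy(pol, GROUPS) or ["ok"]:
            print(f"{label}: {line}")
```

The good policy reproduces the guide's configuration (source all, a two-host destination range, High cipher strength, one all-local group with Local authentication) and produces no findings; the bad policy trips all four checks. Feed it the fields of each SSL-VPN policy in the order you enter them in the GUI and fix whatever it flags before selecting OK.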