Fortinet firewall VPN configuration

From Notes_Wiki

Home > Enterprise security devices or applications > Fortigate firewall > VPN configuration

Fortinet firewall SSL VPN configuration

To configure remote SSL VPN access on a Fortinet firewall:

  1. Go to Network -> Interfaces and note the names of the WAN and LAN interfaces. The assumption here is that VPN users connect from the WAN side and, once connected, need access to the LAN.
  2. Go to Network -> Static Routes and note the networks already in use; the VPN range must avoid these. Similarly check BGP, OSPF and Policy Routes so that every IP and subnet already in use is accounted for.
  3. Based on the above, plan a VPN IP range. Go to "Policy & Objects" -> "Addresses" and create an IP range for remote users named "Remote User IP Range" (eg 10.10.10.10-10.10.10.50).
    • This address range should not be used anywhere.
    • It should not overlap with interface IPs or routes.
    • We don't need the Fortinet firewall to have a gateway in this IP range, so there is no need to add any loopback interface.
  4. In "Policy & Objects" -> "IPv4 Policy" add forward and reverse rules between the "SSL-VPN tunnel interface (ssl.root)" and the LAN. Enable NAT on this rule.
    • If VPN users should be able to connect to other zones / networks other than LAN, then we should allow that access also via policy.
  5. Go to "User & Device" -> "User Groups" and create a group for VPN users.
  6. Go to "User & Device" -> "User Definition" and create a VPN user that is a member of the VPN group created above.
  7. Go to "VPN" -> "SSL-VPN Portals" and create a portal. For this portal enable tunnel mode and leave web mode disabled. In source IP pools choose "Remote User IP Range".
    1. In tunnel mode, disable split-access (split tunneling) if Internet traffic should also go over the VPN once it is connected; enable it if Internet traffic should continue to flow directly even while the VPN is connected.
  8. Go to "VPN" -> "SSL-VPN Settings"
    1. Enable SSL VPN on the WAN interface noted earlier.
    2. Choose an appropriate port for the VPN (eg 10043).
    3. Enable redirect HTTP to SSL VPN.
    4. In Address range specify a custom IP range and choose "Remote User IP Range".
    5. In portal mapping, map the user group created above to the portal created above.
  9. Save the settings and test VPN access.
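The same configuration expressed as FortiOS CLI, added here as an illustration and not taken from the wiki page. The interface names wan1 and internal, the user vpnuser1 (assumed to already exist under "config user local"), and the group and portal names are assumptions; only the forward ssl.root-to-LAN policy from step 4 is shown.

```fortios
# Address object for the remote-user pool; must not overlap any in-use network
config firewall address
    edit "Remote User IP Range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.50
    next
end
config user group
    edit "SSLVPN-Users"
        set member "vpnuser1"
    next
end
# Tunnel-only portal; split-tunneling disabled sends Internet traffic via the VPN too
config vpn ssl web portal
    edit "SSLVPN-Tunnel"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "Remote User IP Range"
        set split-tunneling disable
    next
end
# Listener on the WAN interface, non-default port, HTTP redirected to SSL VPN
config vpn ssl settings
    set source-interface "wan1"
    set port 10043
    set https-redirect enable
    set tunnel-ip-pools "Remote User IP Range"
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "SSLVPN-Tunnel"
        next
    end
end
# Policy from the SSL VPN tunnel interface to the LAN, limited to the VPN group
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "Remote User IP Range"
        set dstaddr "all"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Restricting srcaddr to the VPN pool and the policy to the VPN group keeps the rule from matching anything other than authenticated tunnel clients.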
