Ssl Vpn Virtual Interface (Ssl.root) - Fortinet FORTIOS V3.0 MR7 User Manual

SSL VPN virtual interface (ssl.root)

Figure 21: Firewall policy list
To avoid overlap with other firewall policies, add a DENY policy below the SSL VPN policies, with the SSL VPN tunnel IP range as its source. See firewall policies for more information.
Configuration of the SSL VPN tunnel service involves a virtual interface, ssl.<vdom_name>, which functions much like an IPSec virtual interface. In non-vdom implementations, this appears as ssl.root. The ssl.root interface appears in the firewall policy interface lists and static route interface lists. The ssl.root interface allows remote user access to additional networks. For example, the interface lets the remote user browse the Internet through the FortiGate unit.
The SSL VPN tunnel-mode access requires the following firewall policies:
External > Internal, with the action set to SSL, with an SSL user group
ssl.root > Internal, with the action set to Accept
Internal > ssl.root, with the action set to Accept
Tunnel-mode access also requires a new static route, which should appear as follows:
Destination network - <ssl tunnel mode assigned range> interface ssl.root
If you are configuring Internet access through an SSL VPN tunnel, the following
configuration must be added:
ssl.root > External, with the action set to Accept, with NAT enabled
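The rules above can be checked mechanically. The following Python audit is an added example, not part of the Fortinet manual and not FortiOS syntax: the `Policy` model, the `audit` function, the lowercase interface names and the tunnel range are assumptions, and "below the SSL VPN policies" is read as "after every policy whose action is SSL" in a single ordered list.

```python
import ipaddress
from typing import NamedTuple

class Policy(NamedTuple):          # hypothetical model, not a FortiOS format
    src: str                       # source interface
    dst: str                       # destination interface
    action: str                    # "ssl", "accept" or "deny"
    srcaddr: str = "all"
    nat: bool = False

def audit(policies, routes, tunnel_range, internet_access=False):
    """Return findings; an empty list means every rule above is satisfied."""
    tunnel = ipaddress.ip_network(tunnel_range)
    findings = []
    def has(src, dst, action, nat=None):
        return any((p.src, p.dst, p.action) == (src, dst, action)
                   and (nat is None or p.nat == nat) for p in policies)
    def from_tunnel(p):
        return p.srcaddr != "all" and ipaddress.ip_network(p.srcaddr) == tunnel
    for src, dst, action in [("external", "internal", "ssl"),
                             ("ssl.root", "internal", "accept"),
                             ("internal", "ssl.root", "accept")]:
        if not has(src, dst, action):
            findings.append(f"missing policy {src} > {dst} ({action})")
    if internet_access and not has("ssl.root", "external", "accept", nat=True):
        findings.append("missing policy ssl.root > external (accept, NAT)")
    # The tunnel range must be routed out of ssl.root.
    if not any(ipaddress.ip_network(d) == tunnel and dev == "ssl.root"
               for d, dev in routes):
        findings.append(f"missing static route {tunnel} via ssl.root")
    # A DENY sourced from the tunnel range must sit below every SSL-action policy.
    ssl_pos = [i for i, p in enumerate(policies) if p.action == "ssl"]
    deny_pos = [i for i, p in enumerate(policies)
                if p.action == "deny" and from_tunnel(p)]
    if not deny_pos:
        findings.append("missing DENY policy for the tunnel range")
    elif ssl_pos and min(deny_pos) < max(ssl_pos):
        findings.append("DENY policy is above an SSL VPN policy")
    return findings

# Constructed sample data: range, interface names and order are illustrative.
TUNNEL = "10.254.254.0/24"
ROUTES = [(TUNNEL, "ssl.root")]
GOOD = [Policy("external", "internal", "ssl"),
        Policy("external", "internal", "deny", srcaddr=TUNNEL),
        Policy("ssl.root", "internal", "accept", srcaddr=TUNNEL),
        Policy("internal", "ssl.root", "accept"),
        Policy("ssl.root", "external", "accept", srcaddr=TUNNEL, nat=True)]
```

Calling `audit(GOOD, ROUTES, TUNNEL, internet_access=True)` returns an empty list; removing the route, clearing NAT on the last policy, or moving the DENY above the SSL policy each produces one finding.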
Configuring a FortiGate SSL VPN
FortiOS v3.0 MR7 SSL VPN User Guide
01-30007-0348-20080718