Article Id 197144
Description SSL VPN tunnel configuration recommendations
Components
  • All FortiGate units running FortiOS 3.0 MR4 or higher
Steps or Commands

For general configuration of SSL VPN tunnels, use the SSL VPN User Guide.

SSL VPN network diagram.

Recommendations

  • Place the SSL VPN firewall policies at the top of the policy list (the source IP can be all, or must be the originating public IP address).
  • Add a deny policy below the SSL VPN policies to avoid overlap with the other firewall policies (the source is then the SSL VPN tunnel IP range).
  • If multiple SSL VPN groups with unique access permissions are configured, restrict tunnel ranges and use firewall addresses that match the specified tunnel ranges.
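The three recommendations above, written out as an added example in current FortiOS CLI syntax (6.x/7.x style, using the ssl.root tunnel interface rather than the 3.0-era policy model); this is not configuration from the article or from Fortinet. The address range, interface name port2, destination object SERVER_NET, group vpn-staff and policy IDs are constructed placeholders.

```fortios
# Tunnel range for one SSL VPN group (constructed values, not from the article)
config firewall address
    edit "SSLVPN_TUNNEL_STAFF"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# The portal hands out addresses only from that range, so the address above always matches this group's tunnel traffic
config vpn ssl web portal
    edit "staff-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_STAFF"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-staff"
            set portal "staff-portal"
        next
    end
end

# Allow policy first, then an explicit deny on the same tunnel range so no later, broader policy can match leftover SSL VPN traffic
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_STAFF"
        set dstaddr "SERVER_NET"
        set groups "vpn-staff"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "SSLVPN_TUNNEL_STAFF"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 10 before 11
end
```

On a unit that already has policies, also move the pair above the first existing policy ID so the SSL VPN rules sit at the top of the list as recommended; logging on the deny policy makes unexpected tunnel traffic visible in the forward traffic log.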

Troubleshooting

  • You can sniff the traffic as outlined in the Knowledge Base article Using the FortiOS built-in packet sniffer.
  • You can check the sessions using the CLI commands:

    diag sys session filter {dport | dst | policy | proto | sport | src}

    diag sys session list


Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer