mbanica
Staff
Article Id 192993
Description
With SSL VPN it is possible to give external clients access to different internal resources based on their login credentials.

With IPsec this is not possible: user authentication is exchanged in phase 1, and all users in the defined group access the resources defined in phase 2 of the dialup VPN tunnel.

With site-to-site VPN no user authentication takes place, so access can only be controlled in phase 2 or in firewall policies, by limiting which subnets or hosts may reach specific resources on the remote site.

Each portal with tunnel mode enabled represents a separate tunnel or connection, so a different client IP range must be defined per portal, and that range must not overlap with other IPs used in the network.

This also makes it possible to grant different access depending on the source IP (the IP assigned to the client inside the tunnel).


Scope
All FortiGates.

Solution
In this example it is assumed that user test1 gets 1.1.1.2 and test2 gets 2.2.2.2.

Test1 should connect via wan1 and test2 via wan2. Test1 should only access network 192.168.6.0/24, while test2 should access both 192.168.5.0/24 and 192.168.1.0/24.

Split tunneling is used in this example.

In order to achieve this scenario the configuration should look like this:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "1.1.1.0" "2.2.2.0"
    set port 10443
    set source-interface "wan1" "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set users "test1"
            set portal "First"
        next
        edit 2
            set source-interface "wan2"
            set source-address "all"
            set users "test2"
            set portal "Second"
        next
    end
end

Portal configuration:
config vpn ssl web portal
    edit "web-access"
    next
    edit "First"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "1.1.1.0"
        set split-tunneling enable
        set theme green
        set split-tunneling-routing-address "192.168.6.0/24"
    next
    edit "Second"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "2.2.2.0"
        set split-tunneling enable
        set theme orange
        set split-tunneling-routing-address "192.168.1.0/24" "192.168.5.0/24"
    next
end

Firewall policies to allow this traffic:
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "lan6"
        set srcaddr "1.1.1.0/24"
        set dstaddr "192.168.6.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "test1"
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "lan1"
        set srcaddr "2.2.2.0/24"
        set dstaddr "192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "test2"
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "lan5"
        set srcaddr "2.2.2.0/24"
        set dstaddr "192.168.5.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "test2"
    next
end

Static routes for the tunnel IP pools, pointing to the SSL VPN interface:
config router static
    edit 1
        set dst 1.1.1.0 255.255.255.0
        set device "ssl.root"
    next
    edit 2
        set dst 2.2.2.0 255.255.255.0
        set device "ssl.root"
    next
end
With split tunneling enabled, only traffic to the remote networks listed under split-tunneling-routing-address is encapsulated in the tunnel; the client's Internet traffic follows the client's own default route.
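As an added sanity check that is not part of the original article, the Python script below encodes the example's portals, tunnel IP pools, authentication rules and firewall policies and flags the mistakes the article warns about: pool ranges that overlap each other or an internal network, and policies whose srcaddr or dstaddr do not match the portal the user lands on. The article's ip-pools and srcaddr values are named address objects; treating them as the /24 subnets they represent is an assumption.

```python
import ipaddress

# Constructed from the article's example: portal -> (tunnel IP pool, split-tunnel routes)
PORTALS = {
    "First":  {"pool": "1.1.1.0/24", "routes": ["192.168.6.0/24"]},
    "Second": {"pool": "2.2.2.0/24", "routes": ["192.168.1.0/24", "192.168.5.0/24"]},
}
# Internal networks behind the FortiGate (assumed from the example's destinations)
INTERNAL = ["192.168.1.0/24", "192.168.5.0/24", "192.168.6.0/24"]
# user -> portal, as set by the authentication rules
USER_PORTAL = {"test1": "First", "test2": "Second"}
# firewall policies as (srcaddr, dstaddr, users); address objects written as CIDRs
POLICIES = [
    ("1.1.1.0/24", "192.168.6.0/24", "test1"),
    ("2.2.2.0/24", "192.168.1.0/24", "test2"),
    ("2.2.2.0/24", "192.168.5.0/24", "test2"),
]

def check_config(portals, internal, user_portal, policies):
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems = []
    pools = {name: ipaddress.ip_network(p["pool"]) for name, p in portals.items()}
    names = list(pools)
    # 1. Each tunnel-mode portal is its own tunnel, so pools must not overlap each other.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                problems.append(f"pool overlap: {a} and {b}")
    # 2. Pools must not overlap any network already used internally.
    for name, net in pools.items():
        for sub in internal:
            if net.overlaps(ipaddress.ip_network(sub)):
                problems.append(f"pool {name} overlaps internal {sub}")
    # 3. A policy's srcaddr must be the pool of the user's portal, and its dstaddr must
    #    lie inside that portal's split-tunnel routes, otherwise traffic never matches.
    for src, dst, user in policies:
        portal = user_portal.get(user)
        if portal is None:
            problems.append(f"policy for unknown user {user}")
            continue
        if ipaddress.ip_network(src) != pools[portal]:
            problems.append(f"policy for {user}: srcaddr {src} is not the {portal} pool")
        dnet = ipaddress.ip_network(dst)
        routes = [ipaddress.ip_network(r) for r in portals[portal]["routes"]]
        if not any(dnet.subnet_of(r) for r in routes):
            problems.append(f"policy for {user}: dstaddr {dst} not in {portal} split-tunnel routes")
    return problems

if __name__ == "__main__":
    print(check_config(PORTALS, INTERNAL, USER_PORTAL, POLICIES) or "OK")
```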
