centrexIT Knowledge Center

Nura Bio FortiGate SSL VPN Full-Tunnel Configuration

KB00001186
Author: Ernesto Cano | Type: Reference | v0.0
Published Dec 8, 2022. Expires Jun 30, 2024 (expired).

PROCEDURE

This article explains how the Full-Tunnel SSL VPN profile is configured on Nura’s FortiGate firewall running FortiOS 6.4.5. In a Full-Tunnel SSL VPN, all of the client’s network traffic goes through the VPN connection while it is connected, instead of only traffic destined for corporate subnets. Reference the diagram below for the difference between Split-Tunnel and Full-Tunnel. Nura required a Full-Tunnel VPN so that the remote user’s public IP is masked as the corporate public IP of 64.71.25.230; this lets remote users access a SaaS application for scientific journals at https://pubs.acs.org/, which is licensed to that address.

REQUIREMENTS

A separate VPN profile is created so that the current production (split-tunnel) configuration is not affected. This requires a new test user, a user group, an SSL-VPN Portals profile, the VPN subnet 192.168.250.0/24, a change to the SSL-VPN Settings, a change to the existing firewall policy, and one new firewall policy.

STEPS

  1. Create the user by navigating to Users & Authentication > User Definition > Click Create New. The user credential is referenced here.
  2. Create the user group by navigating to Users & Authentication > User Groups > Click Create New. Name the group “PNT_VPN_FullTunn”, set Type to Firewall, and click + to add the test user “nuravpnuser”.
  3. Create the VPN subnet by navigating to Policy & Objects > Addresses > Create New. Name it SSL_VPN_CLIENTS and configure the following settings:
     - Color: Green
     - Type: Subnet
     - IP/Netmask: 192.168.250.0 255.255.255.0
     - Interface: Any
     - Static route configuration: Enabled
     - Comments: DHCP Range for Fully Tunneled VPN User
  4. Create the VPN profile by navigating to VPN > SSL-VPN Portals > Create New and configure the following settings:
     - Name: SSL-VPN-FullTun
     - Tunnel Mode: Enable
     - Enable Split Tunneling: Disable
     - Source IP Pools: Click the + and select SSL_VPN_CLIENTS
     - Leave the remaining settings at their defaults, but mirror the configuration below, then click OK.
  5. Now add the VPN profile we created to the SSL-VPN settings by navigating to VPN > SSL-VPN Settings.
  6. Under Tunnel Mode Client Settings, click + and add “SSL_VPN_CLIENTS”.
  7. Under Authentication/Portal Mapping, click Create New and configure:
     - Users/Groups: add PNT_VPN_FullTunn
     - Portal: add SSL-VPN-FullTun
     Reference the full configuration below.
  8. Next navigate to Policy & Objects > Firewall Policy and locate SSLVPN-to-LAN.
     NOTE: This policy already existed for the current split-tunnel VPN profile. We are modifying it to include the full-tunnel VPN configuration we created.
  9. Hover over the Source column and click the pencil icon to edit; add the user group “PNT_VPN_FullTunn” and the address SSL_VPN_CLIENTS:
     - In the fly-out window, start with the Address tab to add SSL_VPN_CLIENTS.
     - Then click the User tab to add the user group “PNT_VPN_FullTunn” and click Apply.
  10. Next click Create New Policy and configure the following settings:
     - Name: sslvpn tunnel mode outgoing
     - Incoming Interface: SSL-VPN tunnel interface
     - Outgoing Interface: WILINE (wan1)
     - Source: SSL_VPN_CLIENTS and PNT_VPN_FullTunn
     - Destination: all
     - Schedule: always
     - Service: ALL
     - Action: ACCEPT
     - Inspection Mode: Flow-based
     - NAT: Enabled
     Match what is configured here.
  11. This completes the Full-Tunnel SSL VPN configuration.
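The same build, expressed as FortiOS 6.4 CLI so it can be reviewed or pasted into a change record. This is an added example, not part of the original article and not an export of Nura’s firewall; the object names, subnet, group, user, and interface wan1 come from the steps above, while the password placeholder, the policy ID of the existing SSLVPN-to-LAN policy, the new rule/policy IDs, and the use of ssl.root as the SSL-VPN tunnel interface (the default name in the root VDOM) are assumptions.

```fortios
# Added example: CLI equivalent of the GUI steps above (assumed IDs and placeholders marked).

# Step 1: test user (password is a placeholder; set a real one out of band)
config user local
    edit "nuravpnuser"
        set type password
        set passwd <test-user-password>
    next
end

# Step 2: firewall user group that the portal mapping and policies key on
config user group
    edit "PNT_VPN_FullTunn"
        set member "nuravpnuser"
    next
end

# Step 3: address object used as the client IP pool; allow-routing is the
# CLI name for the GUI "Static route configuration" toggle
config firewall address
    edit "SSL_VPN_CLIENTS"
        set type ipmask
        set subnet 192.168.250.0 255.255.255.0
        set allow-routing enable
        set comment "DHCP Range for Fully Tunneled VPN User"
    next
end

# Step 4: full-tunnel portal; split tunneling disabled sends all client traffic via the VPN
config vpn ssl web portal
    edit "SSL-VPN-FullTun"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSL_VPN_CLIENTS"
    next
end

# Steps 5-7: add the pool to Tunnel Mode Client Settings and map the group to the portal.
# "append" adds to the existing pool list instead of replacing the split-tunnel pool
# that is already there; rule ID 0 lets the firewall assign the next free ID (assumption).
config vpn ssl settings
    append tunnel-ip-pools "SSL_VPN_CLIENTS"
    config authentication-rule
        edit 0
            set groups "PNT_VPN_FullTunn"
            set portal "SSL-VPN-FullTun"
        next
    end
end

# Steps 8-9: extend the existing SSLVPN-to-LAN policy (ID is a placeholder)
config firewall policy
    edit <SSLVPN-to-LAN-policy-id>
        append srcaddr "SSL_VPN_CLIENTS"
        append groups "PNT_VPN_FullTunn"
    next
end

# Step 10: new egress policy so full-tunnel clients reach the Internet via wan1 with NAT
config firewall policy
    edit 0
        set name "sslvpn tunnel mode outgoing"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSL_VPN_CLIENTS"
        set dstaddr "all"
        set groups "PNT_VPN_FullTunn"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set nat enable
    next
end
```

To confirm the result, connect with the test user and run `get vpn ssl monitor` on the FortiGate: the session should show an address from 192.168.250.0/24, and a public-IP check from the client should return 64.71.25.230. Because this policy now carries all of the remote user’s Internet traffic out of wan1, attach the same web-filter and antivirus profiles that the existing egress policies use, and keep the policy placed so that the more specific SSLVPN-to-LAN policy still matches first.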

REFERENCES

Administration Guide | FortiGate / FortiOS 6.4.2 | Fortinet Documentation Library