LuisMLG
New Member
April 23, 2018
Question

web filters to VPN SSL Web-Portal mode


Hi guys,

I created a specific SSL-VPN Portal for a specific group of people and I configured it just to use the web-Mode. Everything is working fine, but the issue is I'd like to apply some web filters for these guys to restrict the access just to some websites.

I tried to apply the web-filter security profile to the rule which allows the traffic toward the internet, but it doesn't work.

I have the Split tunnelling disabled.

Firewall mode: Flow-Based.

 

Any idea?

 

Thanks guys!!

    2 replies

    LuisMLG (Author)
    New Member
    April 23, 2018

    I noted, sniffing the traffic, that the source IP when I connect with VPN web-mode is the client IP, and it's not assigned by the FortiGate like when you connect using FortiClient, and the source interface is WAN1 and not root.SSL.

    LuisMLG (Author)
    New Member
    April 25, 2018

    I found out that the traffic generated from web-mode VPN-SSL is not coming from ssl.root.

    I tried to figure out which is the source interface for the Web-Mode connections but I didn't find anything in your documentation.

     

    Any clue, guys?

    Thanks.

    Bubu
    New Member
    April 27, 2018

    Verify that you have configured the SSL VPN correctly:

    http://cookbook.fortinet.com/ssl-vpn-using-web-tunnel-mode-60/

     

    Apply the policy to allow users using the VPN portal to browse the web via the FortiGate, and apply the webfilter profile:

    config firewall policy
        edit "your ID policy"
            set name "SSL VPN Access"
            set srcintf "ssl.root"
            set dstintf "WAN1"
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set groups "SSLVPN-Group"
            set users "SSLVP-User"
            set webfilter-profile "Block_All"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end

     

    You can also manage bookmarks by user group and disable user bookmarks:

    config vpn ssl web portal
        edit <portal-name>
            set user-group-bookmark [enable | disable]
        next
    end

    config vpn ssl web user-group-bookmark
        edit <group-name>
            config bookmark
                edit <bookmark1>
                    ....
                next
            end
        next
    end

     

    BR

    Bubu
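
An added example, not part of the thread or of Fortinet's tooling: a Python check that parses a `config firewall policy` block in the format Bubu posted and lists accept policies sourced from `ssl.root` that lack `utm-status enable`, a `webfilter-profile` or an `ssl-ssh-profile`. The sample config and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in the format of the reply above; policy 8 is a
# deliberately incomplete entry added for the demonstration.
SAMPLE = '''
config firewall policy
    edit 7
        set srcintf "ssl.root"
        set action accept
        set utm-status enable
        set webfilter-profile "Block_All"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 8
        set srcintf "ssl.root"
        set action accept
    next
    edit 9
        set srcintf "internal"
        set action accept
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the quotes around values
        if tok[:1] == ["edit"] and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["next"]:
            current = None
        elif tok[:1] == ["set"] and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
    return policies

def unfiltered_sslvpn_policies(text, srcintf="ssl.root"):
    """List (policy_id, missing settings) for accept policies from srcintf."""
    findings = []
    for pid, opts in parse_policies(text).items():
        if srcintf in opts.get("srcintf", []) and opts.get("action") == ["accept"]:
            missing = [k for k in ("webfilter-profile", "ssl-ssh-profile") if k not in opts]
            if opts.get("utm-status") != ["enable"]:
                missing.insert(0, "utm-status")
            if missing:
                findings.append((pid, missing))
    return findings
```

Calling `unfiltered_sslvpn_policies()` on the text of a saved policy export returns one entry per policy that still needs the profiles applied.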