FortiClient
rmetzger
Staff
Description
This KB article describes a scenario in which a security administrator wants to restrict network access for certain FortiClient users once they have established an IPsec tunnel to a FortiGate unit.

This can be done with an identity-based firewall policy in place of the regular (address-based) policy that a dialup IPsec tunnel would normally use. The XAuth user group on the phase1 (authusrgrp) decides who may bring the tunnel up at all; the identity-based policy then decides, per authenticated user, which destinations are reachable through it. The conditions listed below must be met for this to work.

Note that the IP addressing of the tunnel interface and the command "set listen-forticlient-connection enable" matter when identity-based firewall policies are applied to that interface. Any IP address is acceptable as long as it does not conflict with the existing IP address plan. The address matters because an identity-based policy authenticates the user by redirecting the client's browser to the FortiGate authentication page, and that redirect is sent to the client with the interface's IP address; a tunnel interface without an address cannot be reached for the login and the user is never authenticated.


config system interface
    edit "port3"
        set vdom "root"
        set ip 172.31.16.190 255.255.252.0
        set type physical
    next
end


config system interface
    edit "remote-users"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type tunnel
        set remote-ip 169.254.1.1
        set listen-forticlient-connection enable
        set interface "port3"
    next
end



config vpn ipsec phase1-interface
    edit "remote-users"
        set type dynamic
        set interface "port3"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set authusrgrp "IPSec-users"
        set ipv4-start-ip 10.75.0.1
        set ipv4-end-ip 10.75.0.200
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "10.74.0.0/16"
        set psksecret ENC
    next
end



config firewall policy
    edit 1
        set srcintf "remote-users"
        set dstintf "port4"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set nat enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set users "fortinet-1074"
                    set dstaddr "10.74.1.36"
                    set service "ALL"
                next
                edit 2
                    set schedule "always"
                    set users "fortinet-1075"
                    set dstaddr "10.74.1.54"
                    set service "ALL"
                next
            end
    next
end
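After the four blocks above are applied, the behaviour worth checking is the two-stage one the article relies on: the user must first pass XAuth to bring the tunnel up, and must then pass the firewall authentication redirect before policy 1 forwards anything. The FortiGate CLI sequence below is an added verification example, not part of the original article; the user name fortinet-1074 is the one from the policy above and the expected entries are assumptions about what a successful session looks like, not output copied from a device.

```fortios
# Added verification sequence (constructed for this article, not from the original page).
# Run on the FortiGate after a FortiClient user such as fortinet-1074 connects.

# 1. Confirm the dialup phase1 has a live gateway and which pool address
#    (10.75.0.1-10.75.0.200) the client was assigned.
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 2. Confirm the firewall authentication entry that the browser redirect creates.
#    Until an entry for the user exists here, traffic matching policy 1 is not
#    forwarded: HTTP is redirected to the login page and other protocols are dropped,
#    even though the tunnel itself is up.
diagnose firewall auth list

# 3. Clear the authentication table to force a fresh login, which is the quickest
#    way to re-test that fortinet-1074 can reach 10.74.1.36 but not 10.74.1.54.
diagnose firewall auth clear

# 4. If the tunnel does not come up at all (XAuth failure, proposal mismatch),
#    trace IKE negotiation, then switch the debug off again.
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
```

Two settings in the configuration above are worth tightening when adapting it. The policy uses srcaddr "all"; since the clients always receive an address from the 10.75.0.0/24 pool configured on the phase1, an address object for that range narrows the policy to tunnel traffic only. The phase1 also offers 3des-sha1 and uses aggressive mode with a pre-shared key; where the FortiClient version in use allows it, prefer an AES-only proposal and the strongest mode and authentication the deployment supports.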

