FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
In versions 5.0.x and 4.3.x there were two firewall policies: a standard one from the WAN interface to the internal interface with action = sslvpn, and a second one from ssl.root to the internal interface.
In version 5.2.x, the firewall policy where authentication was done and whose action was set to sslvpn has been merged into the SSL VPN settings.
In the web GUI go to VPN > SSL > Setting. Select one or more interfaces (for example, WAN1 and WAN2).
Change the SSL VPN port number (for example, 11443).
Assign the correct SSL VPN user group to the appropriate SSL VPN portal.
These settings produce the configuration below, which now also covers what the old firewall policy with action = sslvpn used to do; that policy no longer appears. Example from the CLI:
config vpn ssl settings
    set idle-timeout 3000
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 11443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpngroup"
            set portal "full-access"
        next
    end
end
So there is no longer any need to create the policy with action = sslvpn.
Only the second policy, from ssl.root to the internal interface, still needs to be created, as in the following example:
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "localNetwork"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpngroup"
    next
end
A static route for the SSL VPN client IP pool should also be created, pointing to ssl.root, as in the example below:
config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end
Here 10.11.254.0/24 is the IP pool assigned to the SSL VPN clients (the subnet covered by the tunnel-ip-pools object SSLVPN_TUNNEL_ADDR1 above), and <id> is the route entry number.
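The three blocks above reference each other: the tunnel-ip-pools object must be the srcaddr of the ssl.root policy, the group in the authentication-rule must be the group on that policy, and the static route must cover the pool subnet. A quick consistency check over the CLI text is therefore useful. The following Python script is an added example, not Fortinet's code and not part of the original article: it parses FortiOS CLI output into nested dicts and cross-checks those three relationships. The sample configuration is constructed here; it assumes a `config firewall address` entry that defines SSLVPN_TUNNEL_ADDR1 as 10.11.254.0/24 and a route entry id of 10, neither of which appears on the page.

```python
import ipaddress
import shlex

# Constructed sample in FortiOS CLI syntax: the article's three blocks plus an assumed
# "config firewall address" entry that defines the pool object (not shown on the page).
GOOD_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set subnet 10.11.254.0 255.255.255.0
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 11443
    config authentication-rule
        edit 1
            set groups "vpngroup"
        next
    end
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "localNetwork"
        set action accept
        set groups "vpngroup"
    next
end
config router static
    edit 10
        set device ssl.root
        set dst 10.11.254.0/24
    next
end
"""
# Same text with two mistakes on purpose: the policy allows any source, the route has the wrong subnet.
BAD_CONFIG = (GOOD_CONFIG
              .replace('set srcaddr "SSLVPN_TUNNEL_ADDR1"', 'set srcaddr "all"')
              .replace("set dst 10.11.254.0/24", "set dst 10.11.250.0/24"))


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config' and 'edit' open a level,
    'set' stores a value list, 'next' closes an entry and 'end' closes the config."""
    root = {}
    stack = [("root", root)]  # (frame kind, dict) so 'end' knows how far to unwind
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes FortiOS prints around names
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1][1]
        if kw == "config":
            stack.append(("config", cur.setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", cur.setdefault(args[0], {})))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # also closes an entry that was left open without 'next'
            while stack.pop()[0] != "config":
                pass
    return root


def _to_network(parts):
    # Accepts both "a.b.c.d/len" and "a.b.c.d mask" as FortiOS prints them
    return ipaddress.ip_network("/".join(parts), strict=False)


def check_sslvpn_config(cfg):
    """Cross-check SSL VPN settings, the ssl.root policy and the static route; returns findings."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    pools = set(settings.get("tunnel-ip-pools", []))
    auth_groups = set()
    for rule in settings.get("authentication-rule", {}).values():
        auth_groups.update(rule.get("groups", []))
    policies = [p for p in cfg.get("firewall policy", {}).values()
                if p.get("srcintf") == ["ssl.root"]]
    if not policies:
        findings.append("no firewall policy with srcintf ssl.root")
    for pol in policies:
        if set(pol.get("srcaddr", [])) != pools:
            findings.append("ssl.root policy srcaddr does not match tunnel-ip-pools")
        if not set(pol.get("groups", [])) & auth_groups:
            findings.append("ssl.root policy groups do not match the authentication-rule groups")
    routes = [r["dst"] for r in cfg.get("router static", {}).values()
              if r.get("device") == ["ssl.root"] and r.get("dst")]
    for name in pools:
        subnet = cfg.get("firewall address", {}).get(name, {}).get("subnet")
        if not subnet:
            findings.append(f"pool object {name} has no subnet definition")
        elif not any(_to_network(subnet).subnet_of(_to_network(dst)) for dst in routes):
            findings.append(f"no static route via ssl.root covering pool {_to_network(subnet)}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_sslvpn_config(parse_fortios(text)) or "consistent")
```

On a real unit, paste the output of `show vpn ssl settings`, `show firewall policy`, `show router static` and `show firewall address` into one string in place of the constructed sample; an empty findings list means the three blocks agree with each other.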