FortiGate
jskrivan_FTNT
Article Id 195052

Description

 

This article describes the steps to set up a basic Point-To-Point Tunneling Protocol (PPTP) VPN on FortiOS firmware version 4.0 and later.

Important Note: To configure PPTP using the FortiGate web-based manager, first create a customized screen in the web-based manager. Those steps are described in the FortiGate Administration Guides in the chapter "PPTP VPN".

Requirements:

  1. Start of range: the first available IP address in the internal subnet to be assigned to VPN-connected hosts.

  2. End of range: the last available IP address in the internal subnet to be assigned to VPN-connected hosts.

  3. Firewall user group: the name of the firewall user group that will be used to authenticate VPN connections.


Scope

FortiOS
 


Solution

 

Configuration (CLI):

 

config vpn pptp

    set eip <address_ipv4>
    set ip-mode {range | usrgrp}
    set local-ip <address_localip>
    set sip <address_ipv4>
    set status {disable | enable}
    set usrgrp <group_name>
end

 

To remove the PPTP VPN configuration, use the following CLI commands:

 

config vpn pptp
    set status disable
end

 

Also disable any firewall policies that reference the PPTP address range.

 

To verify that the PPTP service is no longer reachable, scan the associated external interface on TCP port 1723.

 

Variables, description and default values:

  eip <address_ipv4>
      The ending address of the PPTP IP address range. Default: 0.0.0.0

  ip-mode {range | usrgrp}
      Enable to have the PPTP client retrieve the IP address from the PPTP user group (usrgrp) or select an IP address from the pre-configured IP address range (range).

  local-ip <address_localip>
      PPTP server IP address from the PPTP user group.

  sip <address_ipv4>
      The starting address of the PPTP IP address range. Default: 0.0.0.0

  status {disable | enable}
      Enable or disable PPTP VPN. Default: disable

  usrgrp <group_name>
      This keyword is available when status is set to enable. Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. Default: NULL

 

Address and policy configuration:
 
  1. Under Firewall Objects -> Address -> Address, create a new IP Range and enter as start-ip and end-ip the sip and eip values chosen in the CLI configuration:
  • Name: <Choose a name>
  • Type: IP Range
  • Subnet/Range: x.x.x.x-x.x.x.y   <----- Here, x.x.x.x is the start IP of the PPTP Pool, and x.x.x.y is the end IP.
  • Interface: <The WAN Interface>
  • Show in Address List: Keep this checked.
 
  2. Create a firewall policy like the following:
  • Source Interface: WAN.
  • Source: Address created in step 1.
  • Destination Interface: LAN.
  • Destination: Choose the destination to allow access to.
  • Schedule: Choose the schedule configured or use 'Always'.
  • Service: Choose the services to allow through PPTP.
  • NAT: This may or may not be required.
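The CLI block above and the address/policy steps must agree with each other: the sip/eip pool has to lie inside the internal subnet listed under Requirements, and the IP Range address object used as the policy source has to span exactly that pool, otherwise clients either get no address or are dropped by the policy. The following script is an added example (not Fortinet code) that parses a saved FortiOS configuration and reports such inconsistencies before the change is pushed. The configuration snippet, the object name "PPTP_Pool", the interface "wan1" and all addresses are constructed for the demo; the check that local-ip must not fall inside the client pool is an assumption of this example, not a rule stated in the article.

```python
"""Consistency checker for a FortiOS PPTP configuration (added example, not Fortinet code)."""
import ipaddress
import shlex

# Constructed sample configuration; the names and addresses are invented for the demo.
SAMPLE_CONFIG = """\
config vpn pptp
    set status enable
    set ip-mode range
    set sip 192.168.1.200
    set eip 192.168.1.210
    set local-ip 192.168.1.99
    set usrgrp "PPTP_Users"
end
config firewall address
    edit "PPTP_Pool"
        set type iprange
        set start-ip 192.168.1.200
        set end-ip 192.168.1.210
        set associated-interface "wan1"
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI dump into {block: {entry: {key: value}}}.

    Settings that appear directly under 'config' (no 'edit') are stored under the
    entry name ''. Only config/edit/set/next/end are handled, which is enough for
    the 'vpn pptp' and 'firewall address' blocks used here.
    """
    blocks = {}
    block = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            block, entry = " ".join(args), ""
            blocks.setdefault(block, {}).setdefault(entry, {})
        elif cmd == "edit":
            entry = args[0]
            blocks[block].setdefault(entry, {})
        elif cmd == "set":
            blocks[block][entry][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            block = entry = None
    return blocks


def check_pptp(blocks, internal_subnet):
    """Return a list of findings; an empty list means the PPTP settings are consistent."""
    net = ipaddress.ip_network(internal_subnet)
    pptp = blocks.get("vpn pptp", {}).get("", {})
    findings = []
    if pptp.get("status", "disable") != "enable":
        return findings                    # server not listening; nothing to check
    if pptp.get("usrgrp", "NULL") in ("", "NULL"):
        findings.append("usrgrp is NULL; no user group will authenticate PPTP clients")
    mode = pptp.get("ip-mode")
    if mode == "range":
        unset = ipaddress.ip_address("0.0.0.0")
        sip = ipaddress.ip_address(pptp.get("sip", "0.0.0.0"))
        eip = ipaddress.ip_address(pptp.get("eip", "0.0.0.0"))
        if sip == unset or eip == unset:
            findings.append("sip/eip still at the default 0.0.0.0; no address pool is defined")
        elif sip > eip:
            findings.append(f"sip {sip} is above eip {eip}; the range is empty")
        elif sip not in net or eip not in net:
            findings.append(f"pool {sip}-{eip} is outside the internal subnet {net}")
        # Assumption of this example: the server's own address must not be in the client pool.
        local_ip = pptp.get("local-ip")
        if local_ip and sip <= ipaddress.ip_address(local_ip) <= eip:
            findings.append(f"local-ip {local_ip} collides with the client pool {sip}-{eip}")
        # The firewall policy's source must be an IP Range object spanning exactly sip-eip.
        addrs = blocks.get("firewall address", {})
        matches = [name for name, a in addrs.items()
                   if name and a.get("type") == "iprange"
                   and a.get("start-ip") == str(sip) and a.get("end-ip") == str(eip)]
        if not matches:
            findings.append(f"no iprange address object spans {sip}-{eip}; "
                            "the firewall policy has no matching source")
    elif mode != "usrgrp":
        findings.append("ip-mode must be set to range or usrgrp")
    return findings


if __name__ == "__main__":
    report = check_pptp(parse_fortios(SAMPLE_CONFIG), "192.168.1.0/24")
    print("\n".join(report) or "PPTP configuration is consistent")
```

Run it against a configuration backup (`show vpn pptp` and `show firewall address` output pasted together) and the subnet from the Requirements section; every finding is a reason the VPN would fail or the policy would not match, and a disabled server produces no findings, which matches the removal procedure above.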