Article Id 192851


In FortiOS 5.2.x and 5.0.x, policy-based IPsec VPN is only hidden in the GUI by default; it remains fully available in the CLI, and the GUI option can be exposed by enabling the feature. Once enabled, a policy-based IPsec tunnel (a Phase 1 with IPsec interface mode disabled) can be selected as the action of a firewall policy.


To enable this feature (disabled by default) from the CLI:

config system global
    set gui-policy-based-ipsec enable
end

The "end" commits the change. Typing "set ?" inside "config system global" lists the available options if you need to confirm the setting name on your build.

Refer to the appropriate FortiOS CLI Reference Guide in the Fortinet Document Library for more information.

It can also be enabled in the GUI as follows:

Go to System > Features, click the pencil (edit) icon, click Show More, enable Policy-Based IPsec VPN, and click Apply to save the changes.

Now go to VPN > IPsec, create a new Phase 1 with "IPsec Interface Mode" disabled (in the CLI this is a tunnel under "config vpn ipsec phase1", not "phase1-interface"), then configure Phase 1 and Phase 2.

Now go to the firewall policy page, create a new policy, set the action to IPsec, select the tunnel created above, and configure the remaining settings (interfaces, addresses, service, schedule) as required:

A fully configured policy-based IPsec firewall policy looks like this:

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable      <-- allow traffic initiated from the remote site through the tunnel
        set outbound enable     <-- allow locally initiated traffic through the tunnel
        set vpntunnel "testTunnel"   <-- name of the policy-based (non-interface-mode) Phase 1
    next
end

Note that dstintf is the physical interface the tunnel is bound to (here wan2), not a tunnel interface. "set action ipsec" and "set vpntunnel" only apply to policy-based tunnels; an interface-mode tunnel is instead referenced as srcintf or dstintf in an ordinary accept policy.
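As an added example, not part of the original article and not Fortinet code, the following Python script parses a FortiOS-style configuration dump (the config/edit/set/next/end format shown above) and checks the prerequisites this article describes: the GUI feature flag, that every "action ipsec" policy names a tunnel defined under "config vpn ipsec phase1" rather than an interface-mode tunnel, and that inbound/outbound are explicitly enabled. The embedded sample configuration is constructed for the example: policy 2 mirrors the article, while policy 3 and the interface-mode tunnel "rbTunnel" are hypothetical and deliberately misconfigured so the checks have something to report.

```python
"""Audit a FortiOS configuration dump for a usable policy-based IPsec setup."""
import shlex


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into nested dicts.

    Table names (e.g. "firewall policy") and entry names (e.g. "2") become dict
    keys; a 'set' value is stored as a string, or as a list when it has several.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # strips the quotes FortiOS puts around names
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            name = " ".join(tokens[1:])
            stack.append(stack[-1].setdefault(name, {}))
        elif keyword == "set" and len(tokens) >= 3:
            values = tokens[2:]
            stack[-1][tokens[1]] = values[0] if len(values) == 1 else values
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_policy_based_ipsec(cfg):
    """Return a list of findings; an empty list means every IPsec policy is consistent."""
    findings = []
    if cfg.get("system global", {}).get("gui-policy-based-ipsec") != "enable":
        findings.append(
            "system global: gui-policy-based-ipsec is not enabled; policy-based "
            "tunnels stay hidden in the GUI (the CLI configuration still works)")
    policy_based = set(cfg.get("vpn ipsec phase1", {}))              # interface mode disabled
    interface_mode = set(cfg.get("vpn ipsec phase1-interface", {}))  # interface-mode tunnels
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != "ipsec":
            continue
        tunnel = pol.get("vpntunnel")
        if tunnel is None:
            findings.append(f"policy {pid}: action ipsec but no vpntunnel is set")
        elif tunnel in interface_mode:
            findings.append(
                f"policy {pid}: vpntunnel {tunnel!r} is an interface-mode tunnel; reference "
                "it as srcintf/dstintf in an accept policy instead of using action ipsec")
        elif tunnel not in policy_based:
            findings.append(
                f"policy {pid}: vpntunnel {tunnel!r} matches no entry under "
                "'config vpn ipsec phase1'")
        for direction in ("inbound", "outbound"):
            if pol.get(direction) != "enable":
                findings.append(
                    f"policy {pid}: {direction} is not explicitly enabled; traffic in that "
                    "direction only uses the tunnel when it is enabled")
    return findings


def audit(text):
    """Parse a configuration dump and return its findings."""
    return check_policy_based_ipsec(parse_fortios(text))


# Constructed sample for this example. Policy 2 is the article's policy; policy 3
# and the interface-mode tunnel "rbTunnel" are hypothetical and deliberately wrong.
SAMPLE_CONFIG = """
config system global
    set gui-policy-based-ipsec enable
end
config vpn ipsec phase1
    edit "testTunnel"
        set interface "wan2"
    next
end
config vpn ipsec phase1-interface
    edit "rbTunnel"
        set interface "wan2"
    next
end
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "testTunnel"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "rbTunnel"
    next
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of "show full-configuration" (or a backed-up config file) to get the same checks on a real unit; policy 2 produces no findings, while policy 3 is reported once for the interface-mode tunnel and once for each direction that is not enabled.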