Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jpp
New Contributor III

Block everything except VPN

I have remote PCs and central office with 2 servers. I want remote PCs to connect only to these servers and to not have any internet access. I don' t want to mess with Windows firewall - there are several different versions of Windows. Users on clients PCs don' t have administrative accounts. Can I do it only with FCT & 1 FGT ? Remote fortigates are not an option.
ede_pfau
Esteemed Contributor III

hi, and welcome to the forums. Yes, why not? All you need to do is define the default route in FC to point to the tunnel. On the FGT, you allow traffic to the servers (tunnel -> internal) and "forget" the policy to the internet (tunnel -> wan). That's all.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
jpp
New Contributor III

Hi Ede, thank you for the reply. The point is, what happens when the tunnel is down - does the default route fall back to the ISP's one? If yes, then the user has Internet; if no, how will FortiClient find the Fortigate? Also, where do you "define the default route"? I didn't manage to find such a thing in the documentation.
neonbit
Valued Contributor

Hi Jpp, If you have the one policy as suggested by ede, then regardless of whether the tunnel goes down or stays up, there will be no internet access allowed. If you don't create an internal>wan policy, then your users will never have internet access (the implicit deny rule kicks in). So just create the internal>vpn rule (specify address/ports) and you should be good to go.
ede_pfau
Esteemed Contributor III

Remember that you have to start FC manually on a remote PC. As long as FC is not started the routes are unchanged. That is, the client will have internet access via its router. When FC is started (more precisely: when the tunnel is up), the route to the network behind the tunnel is inserted into the routing table of the client. Often you only specify the private network behind the tunnel (on the FGT's side) in FC, like 'remote subnet: 192.168.44.0/24'. If you specify 'remote subnet: 0.0.0.0/0' instead, ALL traffic which is not directed at a local target will be sent across the tunnel, especially all internet traffic. '0.0.0.0/0' is called the 'default route'. @neonbit: I think you've got jpp wrong. The remote clients using FC should have no internet access - that's got nothing to do with the Fortigate settings. Clients behind the FGT should well have internet access.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
jpp
New Contributor III

Thank you all for the information. I had some time to check it up. As it seems there's no need to specify 0.0.0.0/0.0.0.0 as remote subnet, because FCT adds a def gw with a lower metric (20) than the Windows default (25) (enable split tunnel is not checked). I can set "Auto connect", "Always up" and "Remember password", and then all is OK. The problem is that the user can manually disconnect the VPN and get internet access. The only thing I can think of is to add a permanent route like this "route -p add 212.36.12.12 mask 255.255.255.255 192.168.1.1" where 212.36.12.12 is the FGT real address and 192.168.1.1 is the default gw of the client given by the ISP, and to delete the default route on disconnect "route delete 0.0.0.0", but that involves getting the default gw on every single installation. Any other ideas?
Chris_Lin_FTNT

On FortiGate VPN (SSL and IPSec) config, there is something called "split-tunnel". As long as you disable split-tunnel, once VPN is up, FortiClient will add a default route/default gateway. You can even config FortiClient VPN to use "always-up" so that when the tunnel is somehow down, it will try to reconnect. However, when VPN is down, the route will always fall back to your ISP's default route.
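The FGT side of what ede and Chris describe, written out as an added FortiOS CLI example (not configuration from anyone in this thread): split tunnelling is disabled on the portal so FortiClient installs the default route through the tunnel, and the only policy out of the tunnel interface goes to the two servers, so internet-bound traffic hits the implicit deny while the tunnel is up. It assumes SSL VPN on wan1, the portal and group names, and the two server addresses 192.168.44.10/11; as Chris notes, it does nothing for the tunnel-down case.

```fortios
# Added example: assumed names/addresses throughout.
config firewall address
    edit "srv1"
        set subnet 192.168.44.10 255.255.255.255
    next
    edit "srv2"
        set subnet 192.168.44.11 255.255.255.255
    next
end
# Portal: tunnel mode, split tunnelling off -> 0.0.0.0/0 goes into the tunnel
config vpn ssl web portal
    edit "servers-only"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 10443
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "servers-only"
        next
    end
end
# Only policy from the tunnel interface: ssl.root -> internal, servers only.
# Deliberately no ssl.root -> wan1 policy: everything else is implicitly denied.
config firewall policy
    edit 10
        set name "sslvpn-to-servers"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv1" "srv2"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-users"
    next
end
```

Narrow `set service "ALL"` to the ports the two servers actually need; a quick check after applying is a `diagnose sniffer packet` on wan1 from a connected client, which should show no client-sourced traffic leaving to the internet.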