# SSL VPN firewall policies (FortiOS 5.0 style: the inbound listener is a
# policy with "set action ssl-vpn", user/group rules live in identity-based
# sub-policies). Review notes are the "#" lines; the config tokens are unchanged.
config firewall policy
    # Policy 8: tunnel clients (ssl.root, SSLVPN_TUNNEL_ADDR1) -> lan.
    # Destination and service are decided per group in the sub-policies below.
    edit 8
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set identity-based enable
        config identity-based-policy
            # Sub-policy 1: LaserFiche members reach only 192.168.0.11 (ALL services).
            # No explicit "set action" here — relies on this build's default for a
            # sub-policy; NOTE(review): confirm it resolves to accept.
            edit 1
                set schedule "always"
                set logtraffic all
                set groups "LaserFiche"
                set dstaddr "192.168.0.11"
                set service "ALL"
            next
            # Sub-policy 2: everything else from LaserFiche is denied (and logged).
            # NOTE(review): the 1 -> 2 -> 3 order is what restricts LaserFiche; this
            # assumes sub-policies are matched top-down by group membership and that
            # a user in both groups hits 1/2 before 3 — confirm for this build.
            edit 2
                set schedule "always"
                set logtraffic all
                set groups "LaserFiche"
                set dstaddr "all"
                set service "ALL"
                set action deny
            next
            # Sub-policy 3: SSL_VPN_Users get the whole lan side, ALL services, logged.
            edit 3
                set schedule "always"
                set logtraffic all
                set groups "SSL_VPN_Users"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
    # Policy 9: tunnel clients -> wan1 with NAT, any destination, ALL services
    # (Internet egress for full-tunnel clients). Unlike the sub-policies of
    # policy 8 there is no "set logtraffic" here, so this egress is not logged;
    # NOTE(review): consider "set logtraffic all" for parity and incident visibility.
    edit 9
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 10: the SSL VPN listener — any Internet source on wan1 may reach the
    # portal. This is the exposed surface; its hardening is in "config vpn ssl
    # settings" below (protocol versions, certificate, 2FA).
    edit 10
        set srcintf "wan1"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "192.168.0.0/24"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            # Authenticated SSL_VPN_Users get the "full-access" portal with AV
            # scanning (utm-status + av-profile "default").
            edit 1
                set schedule "always"
                set utm-status enable
                set groups "SSL_VPN_Users"
                set service "ALL"
                set sslvpn-portal "full-access"
                set av-profile "default"
                set profile-protocol-options "default"
            next
        end
    next
end
=======
# Global SSL VPN listener settings.
config vpn ssl settings
    set sslvpn-enable enable
    # Protocol versions offered to clients. SSLv3 and TLS 1.0/1.1 are enabled
    # alongside TLS 1.2; SSLv3 in particular has well-known padding-oracle
    # weaknesses. Recommended: "set sslv3 disable", and retire tlsv1-0 / tlsv1-1
    # once the installed client population is confirmed to negotiate TLS 1.2.
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    # Tunnel-mode DNS for clients (values masked by the poster).
    set dns-server1 192.168.x.x
    set dns-server2 192.168.x.x
    set route-source-interface disable
    # No client certificate is required and two-factor is off (see
    # force-two-factor-auth below): access is password-only for the groups in
    # policies 8 and 10. NOTE(review): an Internet-facing, password-only portal
    # is a primary credential-stuffing target; enabling 2FA is the usual mitigation.
    set reqclientcert disable
    set sslv2 disable
    set allow-ssl-big-buffer disable
    # Empty-fragment insertion is a CBC-mode mitigation — keep it enabled for as
    # long as TLS 1.0 stays on.
    set allow-ssl-insert-empty-fragment enable
    # Client-initiated renegotiation disabled — keep.
    set allow-ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set force-utf8-login disable
    # Self-signed server certificate: clients cannot validate the gateway's
    # identity unless they are told to trust this exact cert, which trains users
    # to click through warnings. Recommended: a certificate issued by a CA the
    # clients already trust.
    set servercert "self-sign"
    # Cipher strength left at "default"; NOTE(review): check whether this build
    # offers a stricter setting and whether the clients tolerate it.
    set algorithm default
    # 14400 s idle (4 h) and 28800 s auth (8 h) timeouts — long-lived sessions on a
    # password-only portal; consider shortening.
    set idle-timeout 14400
    set auth-timeout 28800
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-suffix ''
    set wins-server1 192.168.0.x
    set wins-server2 192.168.0.x
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set url-obscuration disable
    # HTTP compression off (avoids compression side-channels) and HttpOnly
    # session cookie on — keep both.
    set http-compression disable
    set http-only-cookie enable
    # Listener port masked by the poster.
    set port xxx
    set port-precedence enable
    set auto-tunnel-static-route enable
    set auto-tunnel-policy enable
end
# What follows looks like "get system status" output (not configuration).
# Firmware is a 2014 build (build0292, 140731) on a box whose clock reads
# 2015-02-12; NOTE(review): check it against the vendor's currently supported
# releases before exposing the portal. Botnet DB is dated 2012 and IPS-ETDB shows
# 0.00000 / 2001-01-01, i.e. apparently never populated, while the other
# signature DBs are from 2015-02-11 — worth confirming update entitlements.
Version: FortiGate-100D v5.0,build0292,140731 (GA Patch 9)
Virus-DB: 23.00809(2015-02-11 18:08)
Extended DB: 23.00809(2015-02-11 18:07)
IPS-DB: 5.00611(2015-02-11 02:04)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: xxx
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 05000006
System Part-Number: P11510-04
Log hard disk: Available
Internal Switch mode: interface
Hostname: xxxx
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 292
Release Version Information: GA Patch 9
FortiOS x86-64: Yes
System time: Thu Feb 12 14:52:30 2015