✅ Step-by-Step: Set Up SSL VPN on FortiGate 60F

Created by Santosh Pathai, Modified on Thu, 29 May at 11:45 AM by Santosh Pathai

Step 1: Create Address Objects for SSL VPN

  1. Go to Policy & Objects > Addresses.

  2. Click Create New > Address.

  3. Name: SSL_VPN_TUNNEL_ADDR1

  4. Type: Subnet

  5. Subnet/IP Range: 10.212.134.200/255.255.255.240 (or any free IP range not conflicting with your internal network)

  6. Interface: ssl.root

  7. Click OK
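
A pre-change check for the Step 1 pool, as an added example (not part of the original article and not Fortinet tooling): it normalizes the IP/netmask value, reports whether it sits on a subnet boundary, and flags any overlap with internal subnets. The function name `check_vpn_pool` and the internal subnets in the sample are constructed for illustration.

```python
import ipaddress


def check_vpn_pool(pool, internal_subnets):
    """Validate an 'IP/netmask' tunnel pool against internal subnets.

    pool             -- string as typed into the Subnet field, e.g.
                        '10.212.134.200/255.255.255.240'
    internal_subnets -- dict of label -> CIDR for networks behind the firewall
    Returns (network, findings); an empty findings list means no issue found.
    """
    iface = ipaddress.ip_interface(pool)   # accepts dotted netmask or /prefix
    net = iface.network                    # the block the mask really covers
    findings = []

    # A subnet object whose address has host bits set does not start where
    # the typed address suggests; show the range the mask actually spans.
    if iface.ip != net.network_address:
        findings.append(
            f"{pool} is not on a subnet boundary; it covers {net[0]}-{net[-1]}"
        )

    # Any overlap with an internal network makes routing to tunnel clients
    # ambiguous, which is the conflict Step 1 warns about.
    for label, cidr in internal_subnets.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            findings.append(f"pool {net} overlaps {label} ({other})")

    return net, findings


if __name__ == "__main__":
    # Constructed sample: the article's pool value plus two made-up
    # internal networks, one of which collides with the pool.
    sample_internal = {"lan": "192.168.1.0/24", "branch": "10.212.128.0/21"}
    network, issues = check_vpn_pool(
        "10.212.134.200/255.255.255.240", sample_internal
    )
    print("normalized pool:", network)
    for issue in issues:
        print("finding:", issue)
```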


Step 2: Configure the SSL VPN Settings

  1. Go to VPN > SSL-VPN Settings

  2. Under Connection Settings:

    • Listen on Interface(s): Choose the WAN interface

    • Listen on Port: Default is 443 (change if needed)

    • Restrict Access: Select the addresses or leave as All

    • Server Certificate: Choose the installed certificate or use the default

    • Tunnel Mode: ✅ Enable

    • IP Pool: Select the address object created earlier

    • DNS Server: Enter internal/external DNS as per your network

  3. Scroll to Authentication/Portal Mapping:

    • Click Create New

      • User/Group: Select the appropriate user or group

      • Portal: Select full-access (or create a custom one)

  4. Click Apply


Step 3: Create User(s) and User Group

Create a User:

  1. Go to User & Authentication > User Definition

  2. Click Create New

  3. Username: e.g. vpnuser

  4. Password: Set a password

  5. Click OK

Create a User Group:

  1. Go to User & Authentication > User Groups

  2. Click Create New

  3. Group Name: SSL_VPN_USERS

  4. Add your user (vpnuser) to this group

  5. Click OK


Step 4: Create Firewall Policy for SSL VPN to Internal Network

  1. Go to Policy & Objects > Firewall Policy

  2. Click Create New

  3. Name: SSLVPN to LAN

  4. Incoming Interface: ssl.root

  5. Outgoing Interface: lan (or internal interface)

  6. Source: SSL_VPN_TUNNEL_ADDR1

  7. Destination: Your internal subnet (or specific internal resources)

  8. Schedule: Always

  9. Service: ALL

  10. Action: Accept

  11. Enable NAT

  12. Click OK


Step 5: (Optional) Create Policy for Internal to SSL VPN if Needed

Create this policy only if your internal network needs to initiate communication to SSL VPN clients.


Step 6: Enable SSL VPN Access on WAN Interface

  1. Go to Network > Interfaces

  2. Edit your WAN interface

  3. Under Administrative Access, enable SSL-VPN

  4. Click OK


Step 7: Test the VPN

  1. Open a browser and go to:
    https://<Your WAN IP or FQDN>:443

  2. Log in with the VPN user credentials

  3. Download and install FortiClient if needed (Tunnel Mode)


✔️ Tips

  • Use Let’s Encrypt SSL certificates for free HTTPS access (optional).

  • You can create custom SSL VPN portals under VPN > SSL-VPN Portals for split tunneling, bookmarks, etc.

  • Monitor connected users under Monitor > SSL-VPN Monitor.
