SSL VPN using web and tunnel mode


In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or tunnel mode using FortiClient. This allows users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security scanning to this traffic.

During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software is installed and up-to-date.

1. Creating a user and a user group

Go to User & Device > User Definition. Create a local user account for an SSL VPN user.


Go to User & Device > User Groups. Create a user group for SSL VPN users and add the new user account.

2. Creating an SSL VPN portal for remote users

Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode.

Make sure Enable Split Tunneling is not selected, so that all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Predefined Bookmarks, select create new to add a new bookmark. Bookmarks are used as links to internal network resources.

In the example, a bookmark is added to connect to a FortiGate being used as an ISFW, which can be accessed at

3. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with an SSL VPN.

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Authentication/Portal Mapping, add the SSL VPN user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding an address for the local network

Go to Policy & Objects > Addresses.

Add the address for the local network. Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.

5. Adding security policies for access to the internal network and Internet

Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access to the internal network through the VPN tunnel interface. Set a policy name that will identify what this policy is used for (in the example, SSL-VPN-internal).

Set Incoming Interface to ssl.root and Outgoing Interface to the local network interface. Select Source and set Address to all and Source User to the SSL-VPN user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root, Outgoing Interface is set to wan1, and Destination is set to all.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host to check for compliant AntiVirus software on the remote user’s computer:

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end


7. Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web browser or FortiClient.

Web browsers:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example,

Use the SSL VPN user’s credentials to authenticate.

The web portal appears.

In this example, selecting the ISFW Bookmark allows you to connect to the ISFW FortiGate.
To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.
The website will launch.
You can also use the Quick Connection for other allowed types of traffic, such as SSH.

An SSH connection will open in your browser, connecting to the requested Host.

Java is required for an SSH connection.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.


If you have not done so already, download FortiClient from

Open the FortiClient Console and go to Remote Access. Add a new connection.

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, Select Customize Port and set it to 10443.

Select Add.

Connect to the VPN using the SSL VPN user’s credentials.
You are able to connect to the VPN tunnel.
On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.



Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles. You will also have to set your corporate network’s address as the Routing Address.
  • Jesus Garcia

    can we modify what is shown in the quick connection tool web page?

    I mean can we modify the options shown in the following image?


    Jesus Garcia

  • Nishit Patel

    I upgraded from 5.2.10 to 5.4.4. We configured ssl-vpn in web mode and tunnel mode. We use Firefox to connect to the work network. But when we log in, we don’t see tunnel mode and also don’t see a connect button?

  • Whitney Lo

    How can I add security policies for access to the Internet if I am using WAN load balancing? I cannot find wan1 or wan2 or WAN load balance on the outgoing interface.

  • Michael P. Gray

    I must be missing something. I followed this recipe with minor changes for IP information. I can authenticate when making the VPN connection. I can check the logs and see the connected client. The client gets a proper address in the subnet that I identified, and gets the DNS entries that I specified but no gateway. The client cannot access anything in the internal LAN. What am I missing?

    • Keith Leroux

      Hi Michael–shot in the dark, but did you add the user group to the sslvpn->internal policy?

      • Michael P. Gray

        Yes. My policy looks identical to that of step 5 above with the exception of the icon for the LAN on the outgoing interface. It has the two green intersecting arrowed lines.

        • Michael P. Gray

          I (thanks to the Fortinet support) found the issue to be the machine I was using to test. I grabbed another laptop and it worked. I reformatted the original laptop and it now works on that as well.

          • Keith Leroux

            Fantastic! Thanks for following up with us.

  • iacopo

    Is 10443 port a must if you want to change from default port (443)? I would like to change to a different port than 443 or 10443 but it seems it’s not working, am I missing something?


    • Victoria Martin


      Port 10443 is an unassigned port, which is why it was used for the VPN. Any other unassigned port can also be used without causing conflict.

      If you are having trouble using a different port, double-check that you are using the correct port number in your URL (if you are using web mode) or FortiClient (for tunnel mode). If after checking this you still have trouble, I would recommend contacting Fortinet Support.

  • Bob Sauvage

    If the subnet from the client is the same that one from the Enterprise network, what to do ?

  • Henry

    Hello, I have configured WAN-load-balancing, and I can’t select wan-load-balancing.

    • Henry


      If I want select wan-load-balancing in a policy, what to do ?

      Thanks and Regards.

      • paradoxxxical

        I’m not sure why Henry’s question was ignored, but it’s valid, as the SSL-VPN-Internet policy in step 5 cannot be created with a WAN LLB setup. It allows you to select the specific LAN for SSL-VPN-Internal, but not for the Internet. I created a route instead, but I am experiencing similar issues to Michael P. Gray.

        • Victoria Martin

          For this issue, I would recommend contacting Fortinet Support.

  • Limbad Sagar

    Dear Sir/Madam
    I have configured SSL_VPN using FortiClient, and it’s working well. Another function, MAC address binding, is possible in our FortiGate firewall, but our issue is static IP binding: that means when a user connects with FortiClient to the FortiGate firewall, it is also assigned one Local_Ip (SSL_VPN_Range). So please inform me, is it possible to bind a static IP on the FortiClient side in our firewall?

  • Landy.Wang

    Very simple to understand, thank you very much, I love FortiGate.

  • Limbad Sagar

    Dear Mam,

    We are using a Fortinet 100D and have 2 internet connections, and we are using port forwarding on our Fortinet firewall. Both internet connections have port forwarding, but sometimes an internet connection goes down and at that time I lose the connection. Is there any other idea for a failover route with port forwarding?

  • Limbad Sagar

    Thank you, Mam
    But Mam, I have a VLAN configuration in my Fortinet 100D firewall; is that possible with SSL VPN in my Fortinet 100D firewall?

    • Victoria Martin

      Hello Limbad,

      I’m not quite sure I understand your question. This recipe was written using a FortiGate 100D, so its setup should be similar to yours.

  • Ngô Đức Trọng

    how about enable UTF-8 in web access?

    • Adam Bristow


      There was a way to enable UTF-8, however this has since been replaced with specific language options. This is configured in the CLI. Open the CLI Console and enter the following:

      config vpn ssl web portal
        edit full-access
          set custom-lang ?

      This will show you a list of available character-sets/languages to choose from, including:

      – GB2312: Simplified Chinese
      – big5: Traditional Chinese
      – en: English (Caribbean)
      – euc-kr: Korean, using the Extended Unix Code (EUC)
      – fr: French
      – pg: Portuguese
      – sp: Spanish
      – x-sjis: Japanese, using the Shift Japanese Industrial Standards (SJIS)

      I hope this helps!


  • David

    I think we don’t have to enable NAT on the policy from ssl.root to LAN.

    • Adam Bristow

      Hello David,

      Theoretically it is not necessary to enable NAT for this specific policy, however it’s better to enable NAT in order to avoid similar subnets from connecting to one another. This is important if you have specific policies running in your subnet.

      I hope this helps!



  • Santosh Sharma

    there should be one option as PDF so that we can download it as PDF

    • Victoria Martin

      Hello Santosh,

      We plan to add PDFs for each recipe soon.

      • Santosh Sharma

        Hi thanks Martin for your revert

        There is no document on inter vdom routing. Please update one document on this also