SSL VPN using web and tunnel mode


In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or tunnel mode using FortiClient.

Web mode allows users to access network resources, such as the AdminPC used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security scanning to this traffic. During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software is installed and up-to-date.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

This recipe allows access for members of the Employee user group, created in the previous recipe, Creating security profiles.

1. Editing the SSL VPN portal for remote users

To edit the full-access SSL VPN portal, go to VPN > SSL-VPN Portals. The full-access portal allows the use of tunnel mode and web mode.

Under Tunnel Mode, disable Enable Split Tunneling for both IPv4 and IPv6 traffic to ensure all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.


Under Enable Web Mode, create Predefined Bookmarks for any internal resources that the SSL VPN users need to access. In the example, the bookmark allows the remote user RDP access to a computer on the internal network.

2. Configuring the SSL VPN tunnel

To configure the SSL VPN tunnel, go to VPN > SSL-VPN Settings.

Set Listen on Interface(s) to wan1. To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. To ensure that traffic is secure, you should use your own CA-signed certificate. For more information about using certificates, see Preventing certificate warnings (CA-signed certificates).

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Authentication/Portal Mapping, click Create New to add the Employee user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

3. Adding security policies for access to the internal network and Internet

To add an address for the local network, go to Policy & Objects > Addresses.

Set Type to Subnet, Subnet/IP Range to the local subnet, and Interface to lan.

To create a security policy allowing access to the internal network through the VPN tunnel interface, go to Policy & Objects > IPv4 Policy.

Set Incoming Interface to ssl.root and Outgoing Interface to lan. Select Source and set Address to all and User to the Employee user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.


Add a second security policy allowing SSL VPN access to the Internet.

For this policy, set Incoming Interface to ssl.root and Outgoing Interface to wan1. Select Source and set Address to all and User to the Employee user group.

4. Verifying remote user’s OS and software

To verify that remote users are using up-to-date devices to connect to your network, you can configure a host check for both operating system (supported for Windows and Mac OS) and software.

You can configure an OS host check for specific OS versions. This check includes the following options: allow the device to connect, block the device, or check that the OS is up-to-date. The default action for all OS versions is allow.

The software host check can verify whether the device has AntiVirus software recognized by Windows Security Center, firewall software recognized by Windows Security Center, both, or a custom setting.

Configure both checks using the CLI:

config vpn ssl web portal
  edit full-access
    set os-check enable
    config os-check-list {macos-high-sierra-10.13 | macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10 |
                          windows-7 | windows-8 | windows-8.1 | windows-10 | windows-2000 | windows-vista | windows-xp}
      set action {deny | allow | check-up-to-date}
    end
    set host-check {av | fw | av-fw | custom}
  next
end
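
The settings from steps 1, 2 and 4 can be checked offline in a saved configuration. The Python below is an added example, not Fortinet code: it parses a constructed config sample and reports portals with split tunneling enabled or no OS/host check, and use of the Fortinet_Factory certificate. The key names servercert and split-tunneling and the portal name contractors are assumptions that do not appear in this recipe.

```python
SAMPLE = '''\
config vpn ssl settings
    set servercert "Fortinet_Factory"
end
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
        set os-check enable
        config os-check-list "windows-10"
            set action check-up-to-date
        end
        set host-check av
    next
    edit "contractors"
        set split-tunneling enable
    next
end
'''  # constructed sample, not from a real device; "contractors" is hypothetical

def parse(text):
    """Map (config path, edit name) -> {key: value} for each 'set' line."""
    out, stack = {}, []                  # stack of ("config" | "edit", name)
    for line in text.splitlines():
        w = line.split(None, 2)
        verb = w[0] if w else ""
        if verb in ("config", "edit") and len(w) > 1:
            stack.append((verb, line.split(None, 1)[1].replace('"', "").strip()))
        elif verb in ("end", "next"):    # 'end' closes a config, 'next' an edit
            closes = "config" if verb == "end" else "edit"
            while stack and stack.pop()[0] != closes:
                pass
        elif verb == "set" and len(w) == 3:
            path = " > ".join(n for k, n in stack if k == "config")
            entry = next((n for k, n in reversed(stack) if k == "edit"), "")
            out.setdefault((path, entry), {})[w[1]] = w[2].replace('"', "").strip()
    return out

def audit(text):
    """Return sorted findings for the settings this recipe configures."""
    cfg, findings = parse(text), []
    if cfg.get(("vpn ssl settings", ""), {}).get("servercert") == "Fortinet_Factory":
        findings.append("settings: Fortinet_Factory server certificate in use")
    for (path, portal), opts in cfg.items():
        if path != "vpn ssl web portal" or not portal:
            continue                     # skip nested tables such as os-check-list
        if opts.get("split-tunneling") == "enable":
            findings.append(f"{portal}: split tunneling enabled")
        if opts.get("os-check") != "enable":
            findings.append(f"{portal}: os-check not enabled")
        if "host-check" not in opts:
            findings.append(f"{portal}: host-check not set")
    return sorted(findings)
```

Calling audit(SAMPLE) reports the factory certificate and three gaps on the contractors portal, while full-access produces no findings.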


5. Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web browser or FortiClient.

Web browsers:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example,

Log in to the SSL VPN.


After authenticating, you can access the SSL-VPN Portal. From this portal, you can launch or download FortiClient, access Bookmarks, or connect to other resources using the Quick Connection tool.

In this example, selecting the bookmark enables you to connect to the AdminPC.
To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.
The website loads.
To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.
If a remote device fails the OS or host check, a warning message appears after authentication instead of the portal.


FortiClient:

If you have not done so already, download FortiClient from

Open the FortiClient Console and go to Remote Access. Add a new connection.


Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, Select Customize Port and set it to 10443.

Select Add.

Log in to the SSL VPN.  
You are able to connect to the VPN tunnel.
To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.

For further reading, check out Basic SSL VPN configuration in the FortiOS 6.0 Online Help.

Victoria Martin

Technical Writer at Fortinet

If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles. You will also have to set your corporate network’s address as the Routing Address.
If you are allowing split tunneling, the second security policy, which allows SSL VPN access to the Internet, is not required.