Secure VPN Internet-browsing configuration

Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

  • Configuration overview
  • Creating an Internet browsing security policy
  • Routing all remote traffic through the VPN tunnel

 

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

 

Example Internet-browsing configuration

internet-browsing-configuration

You can adapt any of the following configurations to provide secure Internet browsing:

  • A gateway-to-gateway configuration (see Gateway-to-gateway configurations on page 1655)
  • A FortiClient dialup-client configuration (see FortiClient dialup-client configurations on page 1702)
  • A FortiGate dialup-client configuration (see FortiGate dialup-client configurations on page 1716)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

  • On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 1729, below.
  • Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 1729.

 

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

 

To create an Internet browsing policy – policy-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and then select OK:

Incoming Interface                   The interface to which the VPN tunnel is bound.

Source Address                        All

Outgoing Interface                   The interface to which the VPN tunnel is bound.

Destination Address                 The internal range of address of the remote spoke site.

VPN Tunnel                                Select Use Existing and select the tunnel that provides access to the private network behind the FortiGate unit.

Allow traffic to be initiated from the remote site Enable

Inbound NAT                             Enable

3. Enable inbound NAT in the CLI.

config firewall policy edit <policy_number>

set natinbound enable

end

 

To create an Internet browsing policy – route-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter the following information and then select OK:

Incoming Interface                   The IPsec VPN interface.

Source Address                        All

Outgoing Interface                   The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.

Destination Address                 The internal range of address of the remote spoke site.

Action                                         ACCEPT

Enable NAT                                Enable

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

 

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

  • To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 1732.
  • To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 1732.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Routing all remote traffic through the VPN tunnel on page 1731.

 

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

 

To route all traffic through a policy-based VPN

1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.

2. Select the IPsec security policy and then select Edit.

3. From the Destination Address list, select all.

4. Select OK.

Packets are routed through the VPN tunnel, not just those destined for the protected private network.

 

To route all traffic through a route-based VPN

1. At the FortiGate dialup client, go to Network > Static Routes.

2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create

New. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         Select the IPsec virtual interface.

Distance                                     Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

 

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

 

To route all traffic through VPN – FortiClient application

1. At the remote host, start FortiClient.

2. Go to VPN > Connections.

3. Select the definition that connects FortiClient to the FortiGate dialup server.

4. Select Advanced and then select Edit.

5. In the Edit Connection dialog box, select Advanced.

6. In the Remote Network group, select Add.

7. In the IP and Subnet Mask fields, type 0.0.0/0.0.0.0 and select OK.

The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.

8. Select OK.

 

 

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.