Green Cloud Defense Logo
  1. Home
  2. Knowledge Base
  3. Fortinet
  4. Fortinet FortiGate – SSL VPN Setup

Fortinet FortiGate – SSL VPN Setup

SSL or Client VPNs are used to grant VPN access to users without an enterprise firewall, such as remote workers or employees at home. This article details an example SSL VPN configuration that will allow a user to access internal network infrastructure while still retaining access to the open internet.

VPN Configuration

Connect to the FortiGate VM using the Fortinet GUI. To configure the network interfaces:

  1. Go to Network > Interfaces and edit the wan1 interface.
  2. Set IP/Network Mask to
  3. Edit port1 interface (or an interface that connects to the internal network) and set IP/Network Mask to
  4. Click OK.
  5. Go to Policy & Objects > Address and create an address for internal subnet

Configure user and user group:

  1. Go to User & Device > User Definition to create a local user sslvpnuser1.
  2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.

Configure SSL VPN web portal (optional):

  1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
  2. Enable Split Tunneling.
  3. Select Routing Address to define the destination network that will be routed through the tunnel. Leave undefined to use the destination in the respective firewall policies.

Configure SSL VPN settings:

  1. Go to VPN > SSL-VPN Settings.
  2. For Listen on Interface(s), select wan1.
  3. Set Listen on Port to 10443.
  4. Optionally, set Restrict Access to Limit access to specific hosts, and specify the addresses of the hosts that are allowed to connect to this VPN.
  5. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
  6. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-access.
  7. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.

Configure SSL VPN firewall policy:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Fill in the firewall policy name. In this example, sslvpn split tunnel access.
  3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
  4. Choose an Outgoing Interface. In this example, port1.
  5. Set the Source to SSLVPN_TUNNEL_ADDR1 and group to sslvpngroup. The source address references the tunnel IP addresses that the remote clients are using.
  6. In this example, the Destination is
  7. Set Schedule to always, Service to ALL, and Action to Accept.
  8. Click OK.

Connecting as a User

To connect to the FortiGate SSL VPN as a user, first download the client from Then, set the FortiGate’s external IP as your connection point and enter your user credentials. Note that the above instructions configure the SSL VPN in split-tunnel mode, which will allow the user to browse the internet normally while maintaining VPN access to corporate infrastructure.

Was this article helpful?

Related Articles

Need Support?

Can't find the answer you're looking for?
Contact Support