Overview
SSL VPN provides secure, encrypted connectivity for remote users to reach corporate resources over the internet using standard HTTPS. Unlike IPsec site-to-site VPNs, SSL VPN is designed for individual user connections and supports both full-tunnel and split-tunnel configurations.
Who Should Use This Guide:
- Network administrators enabling remote workforce access
- Security engineers implementing secure connectivity
- IT teams replacing legacy VPN solutions
- Organizations supporting work-from-home users
SSL VPN vs IPsec VPN:
| Feature | SSL VPN | IPsec VPN |
|---|---|---|
| Use Case | Remote user access | Site-to-site connectivity |
| Protocol | HTTPS (TCP/443) | ESP/AH (IP Protocol 50/51) |
| Client | FortiClient software | FortiGate or third-party |
| NAT Traversal | Native (HTTPS) | Requires NAT-T |
| Firewall Friendly | Yes (standard HTTPS) | May require special rules |
Requirements
System Requirements:
| Component | Requirement |
|---|---|
| FortiGate | FortiOS 6.4 or later |
| License | SSL VPN license (included in most bundles) |
| Public IP | Static IP or DDNS hostname |
| Certificate | Valid SSL certificate (recommended) |
Network Planning:
| Item | Example Value |
|---|---|
| VPN Portal URL | https://vpn.example.com |
| VPN Client IP Pool | 10.99.0.0/24 |
| Internal Subnets | 10.0.0.0/8 (for split tunnel) |
| DNS Servers | Internal DNS server IPs |
Architecture
```
          Internet
             │
             ▼
   ┌──────────────────┐
   │    FortiGate     │
   │  SSL VPN Portal  │
   │    (TCP/443)     │
   └────────┬─────────┘
            │
   ┌────────┴────────┐
   │                 │
   ▼                 ▼
┌─────────────┐ ┌────────────┐
│   Remote    │ │ Corporate  │
│   Users     │ │  Network   │
│(FortiClient)│ │ 10.0.0.0/8 │
└─────────────┘ └────────────┘
```
Process
Step 1: Configure SSL Certificate
Upload or generate an SSL certificate for the VPN portal.
Upload Commercial Certificate (Recommended):
- Navigate to System → Certificates
- Click Import → Certificate
- Select Local Certificate
- Upload certificate and key files
- Click OK
CLI Method:
```
# Import certificate via CLI
config vpn certificate local
    edit "vpn-cert"
        set certificate "-----BEGIN CERTIFICATE-----..."
        set private-key "-----BEGIN PRIVATE KEY-----..."
    next
end
```
Verification: Certificate appears in System → Certificates with valid dates.
Step 2: Create User Accounts
Set up user authentication for VPN access.
Create Local Users:
- Navigate to User & Authentication → User Definition
- Click Create New → Local User
- Configure:
  - User Name: <username>
  - Password: Strong password
  - Two-Factor Authentication: Enable if required
- Click OK
Create User Group:
- Navigate to User & Authentication → User Groups
- Click Create New
- Configure:
  - Name: SSL-VPN-Users
  - Type: Firewall
  - Members: Select created users
- Click OK
CLI Method:
```
# Create local user
config user local
    edit "<username>"
        set type password
        set passwd "<strong-password>"
    next
end

# Create user group
config user group
    edit "SSL-VPN-Users"
        set member "<username>"
    next
end
```
Step 3: Configure IP Address Pool
Define the IP range assigned to VPN clients.
Create Address Object:
- Navigate to Policy & Objects → Addresses
- Click Create New → Address
- Configure:
  - Name: SSL-VPN-IP-Pool
  - Type: IP Range
  - Start IP: 10.99.0.10
  - End IP: 10.99.0.250
- Click OK
CLI Method:
```
config firewall address
    edit "SSL-VPN-IP-Pool"
        set type iprange
        set start-ip 10.99.0.10
        set end-ip 10.99.0.250
    next
end
```
Step 4: Configure SSL VPN Settings
Set up the SSL VPN portal and tunnel settings.
Navigate to: VPN → SSL-VPN Settings
Portal Configuration:
| Setting | Value |
|---|---|
| Listen on Interface | WAN interface (e.g., port1) |
| Listen on Port | 443 |
| Server Certificate | Select uploaded certificate |
| Tunnel Mode Client Address Range | SSL-VPN-IP-Pool |
| DNS Server 1 | Internal DNS IP |
| DNS Server 2 | 8.8.8.8 (fallback) |
Split Tunnel Configuration:
| Setting | Description |
|---|---|
| Enable Split Tunneling | ON (recommended for performance) |
| Routing Address | Internal subnets only through VPN |
CLI Method:
```
config vpn ssl settings
    set servercert "<certificate-name>"
    set tunnel-ip-pools "SSL-VPN-IP-Pool"
    set source-interface "port1"
    set source-address "all"
    set default-portal "full-access"
    set dns-server1 10.0.0.10
    set dns-server2 8.8.8.8
    set split-tunneling enable
    set split-tunneling-routing-address "Internal-Networks"
    set idle-timeout 600
    set dtls-tunnel enable
end
```
Step 5: Create Firewall Policy
Allow SSL VPN traffic to access internal resources.
Create Policy:
- Navigate to Policy & Objects → Firewall Policy
- Click Create New
- Configure:
  - Name: SSL-VPN-to-Internal
  - Incoming Interface: ssl.root
  - Outgoing Interface: LAN interface
  - Source: All or specific addresses
  - Destination: Internal networks
  - Service: ALL (or restrict as needed)
  - Action: ACCEPT
  - NAT: Disable
  - User Groups: SSL-VPN-Users
- Click OK
CLI Method:
```
config firewall policy
    edit 0
        set name "SSL-VPN-to-Internal"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
        set groups "SSL-VPN-Users"
        set logtraffic all
    next
end
```
Step 6: Configure FortiClient VPN
Set up the VPN client for remote users.
Download FortiClient:
- Official download: https://www.fortinet.com/support/product-downloads
- Select "FortiClient VPN" (free) or full FortiClient
Configure VPN Connection:
- Open FortiClient → Remote Access
- Click Configure VPN
- Add new connection:
  - Connection Name: Company VPN
  - Remote Gateway: vpn.example.com
  - Port: 443
  - Client Certificate: (if using certificate auth)
- Save configuration
Connect to VPN:
- Select VPN connection
- Enter username and password
- Click Connect
- Verify connection status shows "Connected"
Step 7: Test and Verify
Confirm VPN connectivity and access.
From Connected Client:
```
# Check VPN IP assignment
ipconfig /all
# Look for FortiClient SSL VPN adapter

# Test internal connectivity
ping <internal-server-ip>

# Test DNS resolution
nslookup <internal-hostname>
```
On FortiGate - Monitor Sessions:
```
# List active SSL VPN sessions
diagnose vpn ssl list

# View session details
diagnose vpn ssl statistics
```
GUI Monitoring:
Navigate to Monitor → SSL-VPN Monitor to view:
- Connected users
- Assigned IP addresses
- Login time
- Data transferred
Troubleshooting
Common Issues:
| Symptom | Possible Cause | Solution |
|---|---|---|
| Connection failed | DNS not resolving | Verify DNS A record points to FortiGate WAN IP |
| Certificate warning | Self-signed or expired cert | Install valid commercial certificate |
| Authentication failed | Wrong credentials | Test user auth in console; check user group membership |
| Connected but no access | Firewall policy missing | Verify policy from ssl.root to internal interfaces |
| Split tunnel not working | Routing address misconfigured | Check split-tunneling-routing-address setting |
Diagnostic Commands:
```
# Verify SSL VPN configuration
show vpn ssl settings

# Check firewall policies
show firewall policy | grep ssl.root

# Test authentication
diagnose test authserver ldap <server-name> <username> <password>

# Debug SSL VPN connections
diagnose debug application sslvpn -1
diagnose debug enable

# Packet capture
diagnose sniffer packet any 'host <client-ip> and host <server-ip>' 4 0 l
```
Security Hardening
Enable Two-Factor Authentication:
```
config user local
    edit "<username>"
        set two-factor fortitoken
        set fortitoken "<token-serial>"
    next
end
```
Restrict Source IPs (Geo-blocking):
```
config vpn ssl settings
    set source-address "Allowed-Countries"
end
```
Session Timeouts:
```
config vpn ssl settings
    set idle-timeout 600
    set auth-timeout 28800
end
```
Verification Checklist
Configuration:
- SSL certificate installed and valid
- User accounts created and grouped
- IP pool configured (non-overlapping)
- SSL VPN settings configured
- Firewall policy allows ssl.root traffic
Testing:
- FortiClient connects successfully
- VPN client receives IP from pool
- Internal resources accessible
- DNS resolution works
- Split tunnel routing correct (if enabled)
Security:
- Strong password policy enforced
- Two-factor authentication enabled (recommended)
- Session timeouts configured
- Logging enabled on firewall policy
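The Security Hardening and Security checklist items above can be checked mechanically against a saved `show` output instead of by eye. The following is an added example, not part of this guide or of any Fortinet tooling: a small parser for the FortiOS `config / edit / set / next / end` syntax and an audit that flags the hardening gaps this guide calls out (factory certificate, `source-address "all"`, missing idle/auth timeouts, users without two-factor, an `ssl.root` policy with no user group or without `logtraffic all`). The two config samples are constructed for the example; the user name `alice`, policy id `1` and the `<token-serial>` placeholder are assumptions, and the thresholds are the guide's own values (600 and 28800). `Fortinet_Factory` is FortiOS's built-in self-signed certificate name.

```python
import shlex

# Constructed sample: the guide's Step 2 user, Step 4 settings and Step 5 policy
# as they would look before the Security Hardening section has been applied.
BASELINE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "port1"
    set source-address "all"
    set split-tunneling enable
end
config user local
    edit "alice"
        set type password
        set passwd "<strong-password>"
    next
end
config firewall policy
    edit 1
        set name "SSL-VPN-to-Internal"
        set srcintf "ssl.root"
        set dstintf "port2"
        set service "ALL"
    next
end
"""

# The guide's hardening commands, entered as a follow-up CLI session. FortiOS merges
# them into the existing objects; the parser below does the same.
HARDENING_CONFIG = """\
config vpn ssl settings
    set servercert "vpn-cert"
    set source-address "Allowed-Countries"
    set idle-timeout 600
    set auth-timeout 28800
end
config user local
    edit "alice"
        set two-factor fortitoken
        set fortitoken "<token-serial>"
    next
end
config firewall policy
    edit 1
        set groups "SSL-VPN-Users"
        set logtraffic all
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS config syntax into nested dicts.

    Tables become {entry-name: {...}} and every 'set' value is kept as a list of
    tokens. Repeated 'config'/'edit' blocks merge into the same dict, as on a device.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit_sslvpn(cfg: dict) -> list:
    """Return hardening findings for a parsed config; an empty list means every check passes."""
    findings = []
    s = cfg.get("vpn ssl settings", {})
    # Fortinet_Factory is the built-in self-signed certificate; the guide wants a real one.
    if s.get("servercert", [""])[0] in ("", "Fortinet_Factory"):
        findings.append("servercert: portal is using the factory/self-signed certificate")
    if s.get("source-address", ["all"]) == ["all"]:
        findings.append("source-address: 'all' accepts logins from any source address")
    # 0 means the timeout is disabled; anything above the guide's values is flagged too.
    for key, limit in (("idle-timeout", 600), ("auth-timeout", 28800)):
        value = int(s.get(key, ["0"])[0])
        if value == 0 or value > limit:
            findings.append(f"{key}: {value} (0 = never) exceeds the guide's limit of {limit}")
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"user {name}: two-factor authentication is not enabled")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "ssl.root" not in pol.get("srcintf", []):
            continue  # only policies that carry VPN client traffic are in scope
        if not pol.get("groups"):
            findings.append(f"policy {pid}: no user group restricts the ssl.root policy")
        if pol.get("logtraffic") != ["all"]:
            findings.append(f"policy {pid}: logtraffic is not 'all'")
    return findings


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_CONFIG),
                        ("hardened", BASELINE_CONFIG + HARDENING_CONFIG)):
        result = audit_sslvpn(parse_fortios(text))
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run against the baseline the script reports seven findings, one per hardening item the guide lists; after the hardening commands are appended it reports none. To audit a real unit, paste the relevant `show vpn ssl settings`, `show user local` and `show firewall policy` output into one string and pass it to `parse_fortios`; the parser tolerates comment lines and blank lines but expects the standard quoted FortiOS syntax.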
Last Updated: February 2026