This is a checklist for FortiGate admin access over SSL-VPN.
1. Trusted hosts
Ensure that the SSL-VPN source address or the SSL-VPN address pool is on the trusted host list of the admin account you log in with. In the example below, trusthost5 covers the 10.212.134.0/24 pool; a login from an address outside the trusted hosts is refused before the credentials are even checked.
config system admin
    edit "admin"
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end
2. Allowaccess on Interface
Ensure the admin services you need (HTTPS for the GUI, SSH for the CLI) are allowed on the interface the SSL-VPN clients will reach, using "set allowaccess ping https ssh" under the interface configuration. Here that interface is vlan100.
config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end
3. Firewall policy
Ensure you have a firewall policy from the SSL-VPN interface (ssl.root) to the LAN interface you intend to connect to, and that the SSL-VPN user group is allowed by the policy.
config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end
4. Routing table
Ensure the client has a route to the firewall interface through the tunnel. If you use split-tunneling, the portal's split-tunneling-routing-address lists the networks routed over the SSL-VPN; any destination not listed is routed locally via the user's own internet breakout. In the example below, 10.100.0.0/24 is the LAN network directly connected to the firewall. You can specify just the individual firewall interface address if you prefer.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end
If you are using Windows, you can check the client's routing table while connected by running the command route print.
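As an added example that is not part of the original guide, the following Python script parses a FortiGate CLI config dump and checks the four items above in one pass. It assumes the SSLVPN_TUNNEL_ADDR1 pool is 10.212.134.0/24 (the trusted host from step 1), and it only evaluates literal CIDRs in split-tunneling-routing-address, not address-object names.

```python
import ipaddress
import shlex

# Constructed sample: the four blocks from the checklist, trimmed to the lines the checks need.
SAMPLE = "\n".join([
    "config system admin", 'edit "admin"', "set trusthost5 10.212.134.0 255.255.255.0", "next", "end",
    "config system interface", 'edit "vlan100"', "set ip 10.100.0.254 255.255.255.0",
    "set allowaccess ping https ssh", "next", "end",
    "config firewall policy", "edit 3", 'set srcintf "ssl.root"', 'set dstintf "vlan100"',
    'set srcaddr "SSLVPN_TUNNEL_ADDR1"', "set action accept", "next", "end",
    "config vpn ssl web portal", 'edit "full-access"', "set tunnel-mode enable",
    'set split-tunneling-routing-address "10.100.0.0/24"', "next", "end",
])

def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):    # open a section or entry and descend into it
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":               # 'set key v1 v2' -> {key: [v1, v2]}
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):     # close the current entry / section
            stack.pop()
    return root

def _net(*parts):
    # Accepts both 'addr mask' tokens and a single 'addr/prefix' string.
    return ipaddress.ip_network("/".join(parts), strict=False)

def check_sslvpn_admin_access(cfg, admin, pool_cidr, iface, portal):
    """Return {checklist item: passed} for the four items in the guide."""
    pool = _net(pool_cidr)
    trusted = [_net(*v) for k, v in cfg["system admin"][admin].items() if k.startswith("trusthost")]
    intf = cfg["system interface"][iface]
    intf_ip = ipaddress.ip_address(intf["ip"][0])
    routes = []
    for v in cfg["vpn ssl web portal"][portal].get("split-tunneling-routing-address", []):
        try:                             # assumption: only literal CIDRs are checked, not address-object names
            routes.append(_net(v))
        except ValueError:
            pass
    return {
        "1_trusted_host": any(pool.subnet_of(t) for t in trusted),
        "2_allowaccess": bool({"https", "ssh"} & set(intf.get("allowaccess", []))),
        "3_policy": any("ssl.root" in p.get("srcintf", []) and iface in p.get("dstintf", [])
                        and p.get("action") == ["accept"] for p in cfg["firewall policy"].values()),
        "4_route": any(intf_ip in r for r in routes),
    }
```

Run it with `check_sslvpn_admin_access(parse_fortios(SAMPLE), "admin", "10.212.134.0/24", "vlan100", "full-access")`, or feed it the output of `show full-configuration` from your own unit in place of SAMPLE.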
Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.