fortigate-ipsec-40-mr3

FortiOS Handbook
Internet-browsing configuration
This section explains how to support secure web browsing performed by dialup VPN
clients, and/or hosts behind a remote VPN peer. Remote users can access the private
network behind the local FortiGate unit and browse the Internet securely. All traffic
generated remotely is subject to the security policy that controls traffic on the private
network behind the local FortiGate unit.
The following topics are included in this section:
Configuration overview
Configuration overview
Creating an Internet browsing security policy
Routing all remote traffic through the VPN tunnel
A VPN provides secure access to a private network behind the FortiGate unit. You can
also enable VPN clients to access the Internet securely. The FortiGate unit inspects and
processes all traffic between the VPN clients and hosts on the Internet according to the
Internet browsing policy. This is accomplished even though the same FortiGate interface
is used for both encrypted VPN client traffic and unencrypted Internet traffic.
In Figure 21, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint
Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2,
which could be a VPN peer or a dialup client.
Figure 21: Example Internet-browsing configuration
Site_1
Dialup_1
FortiGate_1
FortiGate_
Users browse
internet through
the VPN tunnel
Web server
FG_Dialup_2
_Dialup_2
Site_2
You can adapt any of the following configurations to provide secure Internet browsing:
a gateway-to-gateway configuration (see “Gateway-to-gateway configurations” on
page 69)
a FortiClient dialup-client configuration (see “FortiClient dialup-client configurations”
on page 115)
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 147
http://docs.fortinet.com/