How to configure VPN for a Fortinet FortiGate Firewall

Fortinet’s FortiGate Next Generation Firewalls are network firewalls providing business users with a wide range of advanced security features for both internal and external threat protection. With support for IPsec, IKEv2, and SSL VPN connections, as well as a variety of models suitable for all levels of organisation, a FortiGate firewall is a great choice for many businesses.

On this page, we take you through the key VPN specification for the FortiGate 40F, as well as all you need to know about connecting to your Fortinet FortiGate firewall on your Mac, iPhone or iPad via IPsec, IKev2 IPsec or SSL VPN.

Menu

• Tech specs - FortiGate 40F Next Generation Firewall
• IPsec vs SSL VPN
• Set up IPsec VPN for FortiGate
• Set up IKEv2 VPN for FortiGate
• Set up Fortinet SSL VPN for FortiGate

Tech Specs: FortiGate 40F NGFW

Series: Fortinet FortiGate NGFW

Model: 40F

Recommended for: Medium sized businesses

Supported VPN Protocols: IPsec, IKEv2, Fortinet SSL

IPsec VPN throughput: 4.4 Gbps

SSL VPN throughput: 490 Mbps

Max no. of VPN users: 250

WiFi: Optional

Device Status: Active

IPsec vs SSL VPN

When it comes to VPN, FortiGate users have the choice between IPsec and Fortinet SSL VPN, both of which are fully supported in VPN Tracker for Mac and iOS.

Generally, we would recommend using IPsec VPN wherever possible, as it provides faster connection speeds and is more stable. However, SSL VPN is compatible in more network locations - making it a good fallback choice when IPsec is not available (i.e. due to network restrictions.) Overall, both standards are considered equally secure for your business. Learn more →

This guide explains step-by-step how to configure both IPsec and SSL VPN on your FortiGate firewall, as well as how to set up your VPN in VPN Tracker and get connected on Mac, iPhone and iPad.

Set up IKEv2 VPN on FortiGate

Step one: Determine address range for VPN

On your FortiGate firewall, go to Policy & Objects > Addresses and add a new address. Make sure IP Range is selected in the dropdown, then add the address range that is to be used for the new VPN:

Add a new IP address range to be used with the VPN

Step two: Create a new VPN User

Next, you need to set up a user account for the individual(s) who will be connecting to the VPN. To do so, go to User & Authentication > User Definition and create a new Local User:

Create a new user with type 'Local User'

You can now configure login credentials for the new user.

Important: Make sure to make a note of the username and password, as this will be the login you use to access the VPN later in the VPN client.

Set up your username and password

Next, add contact info for the user if desired (i.e. company email address.)

In the next step, ensure the user account status is set to Enabled, then select a User Group for the new user. This is used to determine VPN access and permissions.

You can select an existing group, or click the + to create a new one

Select or create a new user group for the new user

Give the new User Group a name and select Firewall as the type:

Create a new User Group with type 'Firewall'

Select the new User Group from the list in the right menu bar and click Save to complete setup. You can repeat these steps for any users who will be connecting to the VPN (i.e. other staff members) and add them to the new User Group.

Step three: Create a new IPsec tunnel

Next, in the sidebar, go to VPN > IPsec Tunnels and click the + to create a new IPsec Tunnel:

Create a new IPsec tunnel

In step 1, choose "Custom" as template type:

Step four: Create new IPv4 policy

Go to Policy & Objects > IPv4 Policy in the sidebar and click the + to create a new policy:

Click to add a new IPv4 policy

Give your new policy a name, then, configure the rules to match those in the screenshot:

Add these policy rules

Click OK to save your changes.

Connect to FortiGate IKEv2 IPsec VPN on Mac, iPhone, iPad

Once you've configured your Fortinet IKEv2 VPN tunnel, all you need is a VPN client to get connected to your FortiGate firewall. VPN Tracker is the best remote access solution for secure remote access on Mac, iPhone and iPad and works great with Fortinet FortiGate firewalls.

1. Open the VPN Tracker FortiGate connection creator
2. Enter the WAN IP address (or hostname) of your FortiGate device (you can find this on your FortiGate device under Network > Interfaces)
3. Follow the steps in the wizard and enter your connection details as prompted

VPN Tracker setup wizard for FortiGate IKEv2 VPN

When finished, securely save your connection in your VPN Tracker account so you can get connected to your FortiGate IKEv2 VPN in VPN Tracker on Mac, iPhone and iPad!

Configure IPsec VPN for a FortiGate Firewall

Please note, this guide applies to FortiGate firewalls running FortiOS 6.2.3 or newer. If you are using an older firmware version, check out our legacy guides.

To set up an IPsec VPN tunnel on your FortiGate firewall, first open the web interface of your device - this can usually be reached from the trusted network (LAN) of the device - then, carry out the following steps:

Step 1: Retrieve network information

You will need to make a note of certain network information to enter into the VPN client when you connect to your VPN later. You can find this information under Network > Interfaces.

Within the network overview, make a note of:

1. WAN address* (your device's public address, i.e. how your device is accessed via the internet)
2. LAN address (your device's local network, i.e. the network you're connecting to via the VPN tunnel)

Locate the WAN and LAN address of your FortiGate firewall

* If your device has a DNS hostname, use this in place of the WAN address.

Step 2: Create VPN Users

Next, you need to set up a user account for the individual(s) who will be connecting to the VPN. To do so, go to User & Authentication > User Definition and create a new Local User:

Create a new user with type 'Local User'

You can now configure login credentials for the new user. This will be the login you use to access the VPN later in the VPN client.

Set up your username and password

Next, add contact info for the user if desired (i.e. company email address.)

In the next step, ensure the user account status is set to Enabled, then select a User Group for the new user. This is used to determine VPN access and permissions.

You can select an existing group, or click the + to create a new one:

Select or create a new user group for the new user

Give the new User Group a name and select Firewall as the type:

Create a new User Group with type 'Firewall'

Select the new User Group from the list in the right menu bar and click Save to complete setup:

Select the new User Group then click save

You can repeat these steps for any users who will be connecting to the VPN (i.e. other staff members) and add them to the new User Group.

Step 3: Set up an IPsec VPN tunnel

Once you've set up all your users, you can configure the IPsec VPN tunnel.

Go to VPN > IPsec Tunnels and create a new tunnel. The template type is Remote access and for Remote device type, choose Client-based and select Cisco:

Set up a new VPN tunnel with the following properties

In the next step, select wan as the Incoming Interface. 

Then, set Pre-shared key for the Authentication method. Enter a secure password and make a note of this as you will need it to connect to the VPN later.

By User Group, select the group you set up in the previous step (i.e. vpn_tracker)

Optional: Check the box Require ‘Group Name’ on VPN client if it is likely you will be connecting to more than one VPN tunnel, then enter a Group Name of your choice.

Enter the authentication information for your VPN tunnel as described

In the final step, you can specify your network information (i.e. the network you will be connecting to via the VPN tunnel.)

For Local interface, select lan, then choose a Local Address from your list (here, we have simply selected all)

By Client Address Range, enter the network range that is to be used for your VPN connection e.g. 192.168.232.1-192.168.232.254.

A note on DNS:

Here you have the choice to use the gateway's DNS server or specify your own DNS server. Whichever option you choose here needs to match up to the settings you enter in the VPN client in the next step.

Click Create to set up your new VPN tunnel:

Fill out the network settings for the new VPN tunnel

Connect to FortiGate IPsec VPN on Mac, iPhone, iPad

Once you've configured your Fortinet IPSec VPN tunnel, all you need is a VPN client to get connected to your FortiGate firewall. VPN Tracker is the best remote access solution for secure remote access on Mac, iPhone and iPad and works great with Fortinet FortiGate firewalls.

1. Open the VPN Tracker FortiGate IPsec connection creator and create a free account
2. Enter the WAN IP address (or hostname) of your FortiGate device, then follow the remaining steps in the connection assistant
3. Once you've completed the setup wizard, securely save your connection to your account using end-to-end encryption

Follow the connection wizard to connect to FortiGate VPN

You can now connect to your FortiGate IPsec VPN in VPN Tracker on Mac, iPhone and iPad!

Set up Fortinet SSL VPN for a FortiGate firewall

An SSL VPN tunnel provides users with secure remote access to a FortiGate firewall.

To set up an SSL VPN tunnel on your FortiGate, log in to the web interface - this can usually be reached from the trusted network (LAN) of the device - then, carry out the following steps:

Step 1: Retrieve network information

You will need to make a note of certain network information to enter into the VPN client when you connect to your VPN later. You can find this information under Network > Interfaces.

Within the network overview, make a note of:

1. WAN address* (your device's public address, i.e. how your device is accessed via the internet)
2. LAN address (your device's local network, i.e. the network you're connecting to via the VPN tunnel)

Locate the WAN and LAN address of your FortiGate firewall

* If your device has a DNS hostname, use this in place of the WAN address.

Step 2: Set up the SSL tunnel

Go to the VPN tab and select SSL-VPN Portals. Then, click Create new to start setting up a new SSL-VPN Portal

Under Tunnel Mode, click the slider to Enable Split Tunneling and choose the network ranges your VPN users need to have access to (i.e. lan):

Enter the network ranges VPN users should have access to

Click OK to save your settings and create the new SSL-VPN Portal.

Step 3: Configure VPN users

VPN users are the individuals who will have access to the SSL VPN tunnel.

To set up a new user, go to User & Device > User Definition and create a new Local User:

Create a new user with type 'Local User'

In the next step, create a Username and Password. Make a note of these credentials as you will need them to log in to the VPN later.

Finally, add contact info if desired (i.e. company email address) then either select an existing User Group or create a new one by clicking the + icon. If you're creating a new User Group, select Firewall as the Type:

Create a new User Group with type 'Firewall'

Once you've added the new User Group, add the new VPN user to it and save to complete setup.

Repeat these steps for any additional VPN users you wish to add (i.e. staff members.)

Connect to FortiGate SSL VPN on Mac, iPhone, iPad

Once you've configured your Fortinet SSL VPN tunnel, all you need is a VPN client to get connected to your FortiGate firewall. VPN Tracker is the best remote access solution for secure remote access on Mac, iPhone and iPad and works great with Fortinet FortiGate firewalls.

1. Open the VPN Tracker FortiGate SSL connection creator
2. Enter the WAN IP address (or hostname) of your FortiGate device, then follow the remaining steps in the connection assistant
3. Once you've completed the setup wizard, securely save your connection to your account using end-to-end encryption

Follow the configuration wizard to connect to Fortinet SSL VPN

You can now connect to your FortiGate SSL VPN in VPN Tracker on Mac, iPhone and iPad!