FortiGate SSL VPN — Web Mode and Tunnel Mode
How FortiOS SSL VPN works for remote users: web-mode portal, full-tunnel-mode client (FortiClient), authentication with LDAP/RADIUS/SAML, and the split-tunnel decision every design faces.
- **Web mode** = clientless — a browser hits the portal (HTTPS 443), FortiGate rewrites internal apps into browser-safe HTTPS. Great for occasional users, restricted devices.
- **Tunnel mode** = FortiClient (or Forticlient VPN-only) builds a proper Layer-3 tunnel over TLS. Full IP reachability. What most companies actually deploy.
- Design decision every deployment hits: **full tunnel** (all user traffic through the FortiGate — inspection wins, capacity loses) or **split tunnel** (only corporate subnets go through — capacity wins, inspection blind on the rest).
The one-sentence mental model
SSL VPN turns TLS into a VPN transport. No IPsec, no UDP 500/4500, no NAT-T headaches. Runs on TCP 443 — the same port everything already lets out. That’s why it’s the road-warrior standard for corporate remote access.
Two modes, different use cases
Web mode (clientless)
- User points a browser at
https://vpn.company.com. - Authenticates → sees a portal page.
- Portal shows bookmarks: RDP, VNC, HTTP internal sites, SSH.
- FortiGate proxies each session — user never gets a real IP on the corporate LAN.
Pros: no client to install. Works from unmanaged devices (kiosk, contractor laptop). Fast to grant granular access.
Cons: only apps FortiGate can proxy. No thick-client (SAP, custom apps). Latency higher than tunnel mode.
Tunnel mode (full VPN client)
- User launches FortiClient (or the free FortiClient VPN-only build).
- Client authenticates, establishes TLS tunnel, receives an IP from the SSL-VPN pool.
- Traffic destined for corporate subnets (or all traffic, depending on split-tunnel config) is encapsulated over TLS.
Pros: full Layer 3 — anything IP-based works. Same experience as being on the LAN.
Cons: needs a client. IT owns the client lifecycle.
Design decision: split tunnel vs full tunnel
Full tunnel: every packet the user’s device sends goes through the FortiGate.
- Wins: full DPI on user traffic. DLP works. Web filtering enforces the corporate policy at home.
- Loses: doubles WAN traffic (user traffic + return). Streaming/Zoom quality drops.
Split tunnel: only traffic to corporate subnets goes over the VPN.
- Wins: user’s Netflix / Zoom / general internet goes direct. Great UX.
- Loses: security team has no visibility on that traffic. If the user’s home network is compromised, the endpoint is exposed.
Current best practice (2026): inverse split tunnel — full tunnel by default but exempt a small list of trusted high-bandwidth destinations (Microsoft 365, Zoom, WebEx). Best of both.
Configuring SSL VPN (tunnel mode)
Portal:
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set web-mode disable
set ip-pools "SSLVPN-Pool"
set split-tunneling disable # or "enable" for split
next
end
Settings:
config vpn ssl settings
set servercert "Fortinet_CA_SSL"
set port 443
set source-interface "wan1"
set tunnel-ip-pools "SSLVPN-Pool"
set dns-server1 10.0.0.53
config authentication-rule
edit 1
set groups "SSLVPN-Users"
set portal "full-access"
next
end
end
Firewall policy — from the SSL VPN interface (ssl.root) into the LAN:
config firewall policy
edit 90
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "SSLVPN-Pool-Range"
set dstaddr "corporate-lan"
set service "ALL"
set action accept
set schedule always
set groups "SSLVPN-Users"
next
end
Notice groups on the policy — this is FortiOS enforcing group-based access post-authentication.
Authentication options
- Local users — quickest, doesn’t scale.
- LDAP — Active Directory. Most common. Group filter tells FortiGate which AD group can VPN.
- RADIUS — often used to chain into 2FA (FortiToken, Duo, Okta).
- SAML — modern SSO. FortiGate is the Service Provider; Azure AD / Okta / Ping is the IdP. Enables MFA / conditional access at the IdP.
Multi-factor is not optional for real deployments. Two paths: FortiToken (Fortinet’s own OTP) or an external MFA (Duo Push, Microsoft Authenticator via RADIUS or SAML).
Host checking
FortiOS can require the FortiClient endpoint to pass posture checks before completing the tunnel:
- OS version
- Antivirus running + up to date
- Disk encryption enabled
- Domain-joined
Fail = deny (or grant limited “remediation” access).
Diagnostics
diagnose vpn ssl statistics # tunnels up, users connected
diagnose vpn ssl list # list of active sessions
execute vpn sslvpn del-tunnel <user> # kick a specific user
FortiClient side: check the client’s VPN log for TLS handshake errors, cert warnings, DNS resolution issues.
Common exam / real-world mistakes
- Wrong server certificate. The default
Fortinet_CA_SSLcert triggers browser warnings. Use a public cert (Let’s Encrypt, DigiCert) for the SSL VPN interface. - Missing DNS server config in the portal. Users connect but can’t resolve
intranet.company.localbecause the tunnel doesn’t push a DNS server. - Forgetting group-based policy enforcement. Everyone in AD becomes a VPN user. Restrict via
groupson both the auth rule and the firewall policy. - Blindly enabling split tunnel. Answers UX complaints but blinds the security team. If you split-tunnel, at minimum push a DNS security service (Umbrella / FortiGuard DNS) client-side.
- Not testing MFA fallback. If SAML IdP is down, VPN is down. Have a break-glass local-account path (audited).
Cheat strip
Web mode clientless portal on HTTPS. FortiGate proxies apps.
Bookmarks: RDP / VNC / HTTP / SSH.
Tunnel mode FortiClient builds L3 tunnel. Full IP.
Port TCP 443 (default). Configurable.
Split corporate subnets only over VPN. Better UX, less visibility.
Full everything over VPN. Full inspection, more bandwidth.
Inverse full tunnel except allow-listed SaaS. Current best practice.
Auth Local | LDAP | RADIUS | SAML (+ MFA)
Posture OS ver | AV state | disk crypto | domain join
Debug diagnose vpn ssl statistics
diagnose vpn ssl list
FortiGate IPsec VPN — Site-to-Site and Dial-Up
How IPsec VPNs work on FortiOS: Phase 1 IKE, Phase 2 SA, site-to-site, dial-up, route-based vs policy-based, and the diagnostics that solve 90% of tunnel-down tickets.
FortiGate HA — FGCP Active-Passive and Active-Active
How FortiGate Clustering Protocol (FGCP) forms a redundant pair or cluster: heartbeat, session sync, election, active-passive vs active-active, override, split-brain avoidance.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the NSE 4® exam blueprint. Free first session. No card on file until you decide.
Related topics
AAA · RADIUS & TACACS+
Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.
Security FundamentalsEncryption Fundamentals
The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.
Security FundamentalsFortiGate Firewall Policies — Structure, Order of Operations, NAT Inline
How firewall policies work on FortiOS: the 6 core fields, top-down first-match evaluation, how NAT lives inside the policy, and the diagnostic that tells you which policy matched.
Get the free CCNA 12-week roadmap
You're already reading up on FortiGate SSL VPN — Web Mode and Tunnel Mode. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where FortiGate SSL VPN — Web Mode and Tunnel Mode fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.