
The new VPN Creation Wizard makes life easier for users who are unfamiliar with creating VPNs. However, not all of the fields have intuitive meanings, and there are some limitations and requirements that users should be aware of.

Limitations

Types of VPN tunnels

Currently:

  • The wizard is only for creating dial-up VPN connection tunnels.
  • The remote users need one of the following: the FortiClient software (version 5), or the Cisco IPsec client that is included in the Apple iOS software.

Creating Policies

While the wizard does simplify tunnel configuration, for example by building both phase 1 and phase 2 of the tunnel, it does not do everything. In particular, firewall policies still have to be created before the tunnel can pass traffic in either direction.

Requirements

When using the wizard, there are a few pieces of information that you are going to want at your fingertips, or have configured before starting the wizard.

  • The type of VPN client your remote users are using.
  • If you are using a certificate for authentication, it needs to be installed on the FortiGate before you start.
  • The user group that your users belong to. You can create one within the wizard, but it is preferable to take the time to configure it properly before starting the wizard, so that there is less chance of making a mistake.
  • The interface/port to which users will connect.
  • Your company’s security policy on allowing split tunnel connections to your internal network.

Tour of the VPN Creation Wizard

Section 1 – VPN Setup

Name

Every VPN tunnel needs a unique name that policies can use as a reference. After the tunnel has been created, this name will appear in the drop-down menu that lists all of the VPN tunnels on the FortiGate. The normal best-practices approach applies here.

  • Don’t make the name too long. The field is limited to 15 characters.
  • Don’t include spaces in the name.

VPN Type

  • Dial Up – FortiClient Windows, Mac, and Android

Use this option when the remote users will be connecting with the FortiClient software that is installed on their device.

  • Dial Up – iPhone / iPad Native IPsec Client

Use this option when the remote users will be connecting with the VPN client that is designed by Cisco. While the setting specifically mentions iOS devices, the Cisco VPN client on a Mac also works.

Section 2 – Authentication

RSA Signature

If the RSA Signature option is chosen, the next field will be called Certificate Name. A certificate is more secure than a Pre-Shared Key, but more effort to configure.

User Group

This user group refers to the group to which the users logging into the VPN belong. Each tunnel can only be assigned one user group, so if the users are currently spread across multiple groups or are not part of any group, the options are either to create a group that consists of all the users accessing a single tunnel, or to create a tunnel for each of the groups. Remember that everyone in the group will be able to authenticate to the tunnel, so review the group's membership before using it.

Section 3 – Network

Local Outgoing Interface

This is the interface port on your FortiGate with which you want to associate this tunnel. For instance, if remote users will connect to the public IP address of a particular port, that port is the interface assigned here.

Address Range

The address range is a pool of IP addresses that will be assigned to devices connecting to the VPN. The range does not have to align with subnet boundaries; it can start and stop at any address. For example, both 192.168.1.1 – 192.168.1.255 and 192.168.1.3 – 192.168.1.17 are accepted as valid ranges.

These addresses are not leased to the remote computers the way a DHCP server leases addresses on a LAN. They are virtual addresses that the FortiGate assigns to the remote device for the life of the tunnel, and traffic from the remote device appears on your network with one of these addresses rather than with the device's own LAN address. The reason for doing this is that most connections will come from private networks, and people commonly use the standard private IP address ranges. If the remote computer is on a 192.168.1.0 subnet and your network uses the same range on one of its segments, routing becomes ambiguous. Avoid this by assigning remote computers an address range that you know is not part of your existing internal network.

Subnet Mask

The subnet mask applies to the addresses being assigned to the remote devices. With a subnet mask, the remote device knows which addresses are local to the pool and when it needs to send traffic to a gateway to reach an address.

DNS Server

Use System DNS

The remote device can be assigned the same DNS server that the FortiGate itself uses.

Specify

The remote device can be assigned a specific DNS server by IP address. The requirement is that the address be reachable by the computer while it is connected to the tunnel. If split tunneling is not enabled, all of the remote device's traffic goes through the FortiGate, so a DNS server that is not reachable from the FortiGate will be useless.

Enable IPv4 Split Tunnel

Split tunneling allows the remote computer to use both the VPN connection to the networks controlled by the FortiGate (provided it is allowed by policy) and networks allowed by its regular network connections. If split tunneling were not allowed, all network traffic would have to go through the VPN tunnel. [Default setting: enabled]

Accessible Networks

This option defines which addresses the remote computer can access through the FortiGate. The drop down menu lists addresses that have been defined in the FortiGate’s Addresses section. When split tunneling is enabled, this can be used to restrict the access to only those network addresses in your network that you want the remote users to access. If split tunneling is disabled, because all of the remote users’ traffic goes through the FortiGate, you could also control which sites on the Internet the remote user can access.
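The choices in the Network section (Address Range, Subnet Mask, DNS Server, Split Tunnel and Accessible Networks) interact with each other and with the Name limits from Section 1, and mistakes usually only show up after users connect. The following Python script is an added example, not part of the FortiGate wizard or of FortiOS: it models those wizard fields and checks a planned configuration offline before you start clicking through the wizard. The class and method names and all addresses and network ranges are constructed for illustration.

```python
"""Offline pre-flight checks for a FortiGate dial-up IPsec VPN plan.

Added example, not part of the FortiGate wizard or FortiOS. It models the
wizard fields described on this page and checks a planned configuration
the way a reviewer would before starting the wizard. All names and
addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

NAME_MAX_LEN = 15  # limit of the wizard's Name field


@dataclass
class DialupVpnPlan:
    name: str                        # Section 1: Name
    pool_start: str                  # Section 3: Address Range (first address)
    pool_end: str                    # Section 3: Address Range (last address)
    subnet_mask: str                 # Section 3: Subnet Mask
    internal_networks: List[str]     # subnets already in use behind the FortiGate
    split_tunnel: bool = True        # Enable IPv4 Split Tunnel (wizard default)
    accessible_networks: List[str] = field(default_factory=list)
    dns_server: Optional[str] = None  # Specify DNS server; None = Use System DNS

    def via_tunnel(self, dest: str) -> bool:
        """True if traffic to dest enters the tunnel.

        Without split tunneling every packet goes through the FortiGate;
        with it, only destinations inside the Accessible Networks do.
        """
        if not self.split_tunnel:
            return True
        addr = ipaddress.ip_address(dest)
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in self.accessible_networks)

    def check(self) -> List[str]:
        """Return a list of problems; an empty list means the plan passes."""
        problems: List[str] = []

        if len(self.name) > NAME_MAX_LEN:
            problems.append(f"name '{self.name}' exceeds {NAME_MAX_LEN} characters")
        if " " in self.name:
            problems.append("name contains spaces")

        start = ipaddress.ip_address(self.pool_start)
        end = ipaddress.ip_address(self.pool_end)
        if end < start:
            problems.append("address range ends before it starts")
            return problems

        # The range need not align to subnet boundaries; summarize it into the
        # exact CIDR blocks it covers so it can be compared with other subnets.
        pool_blocks = list(ipaddress.summarize_address_range(start, end))

        # The subnet mask tells the remote device which addresses are local to
        # the pool. A range that straddles two subnets under that mask breaks
        # that assumption, and a subnet's network/broadcast address is unusable
        # even though the wizard accepts a range that includes it.
        pool_subnet = ipaddress.ip_network(f"{start}/{self.subnet_mask}", strict=False)
        if end not in pool_subnet:
            problems.append(f"range {start}-{end} spans more than one {self.subnet_mask} subnet")
        if start == pool_subnet.network_address or end == pool_subnet.broadcast_address:
            problems.append("range includes the network or broadcast address of its subnet")

        # The pool must not overlap anything already routed internally, or the
        # FortiGate and the remote device will disagree about where those
        # addresses live.
        for net in (ipaddress.ip_network(n, strict=False) for n in self.internal_networks):
            if any(block.overlaps(net) for block in pool_blocks):
                problems.append(f"address range overlaps internal network {net}")

        # A specified DNS server is only useful if the remote device can reach
        # it. With split tunneling it must sit inside an Accessible Network to
        # be queried through the tunnel; otherwise queries leave over the
        # client's local connection, which is useless for an internal resolver.
        if self.dns_server is not None and self.split_tunnel and not self.via_tunnel(self.dns_server):
            problems.append(f"DNS server {self.dns_server} is outside the accessible networks; "
                            "queries will leave via the client's local connection, not the tunnel")
        return problems


# Constructed sample plans, not taken from any real deployment.
GOOD_PLAN = DialupVpnPlan(
    name="RemoteStaff",
    pool_start="10.212.134.200", pool_end="10.212.134.210",
    subnet_mask="255.255.255.0",
    internal_networks=["192.168.1.0/24", "10.0.0.0/16"],
    accessible_networks=["192.168.1.0/24"],
    dns_server="192.168.1.53",
)

BAD_PLAN = DialupVpnPlan(
    name="Home Office Dialup VPN",                     # too long, contains spaces
    pool_start="192.168.1.1", pool_end="192.168.1.255",  # ends on the broadcast address
    subnet_mask="255.255.255.0",
    internal_networks=["192.168.1.0/24"],              # same range already used internally
    accessible_networks=["192.168.1.0/24"],
    dns_server="8.8.8.8",                              # public resolver, not reached via the tunnel
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, plan.check() or "OK")
```

Run the script as-is to see the bad plan trip every check while the good plan passes; to review your own design, replace the two sample plans with the values you intend to type into the wizard and your real internal subnets.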

Allow Endpoint Registration

