Technical Tip: How to use 'ssl.root' interface in zone
Description
This article describes how to use the 'ssl.root' interface as a member of a zone.
Scope
FortiGate.
Solution
Go to Network -> Interfaces -> Create New -> Zone.

- Select 'ssl.root' as one of the zone's interface members.
- Make sure 'ssl.root' is not referenced by any firewall policy.
- If it is still referenced by a policy, 'ssl.root' will not appear in the list of selectable interfaces.

config system zone
edit "SSL_VPN_ZONE"
set interface "port7" "ssl.root"
next
end
The next step is to create a firewall policy that allows VPN users to authenticate and connect:

Note I: Since the zone contains more than just the ssl.root interface, and authentication is configured on the IPv4 policy, users coming in through the other interfaces in the zone will also be prompted for authentication.
- The SSL VPN daemon process must be restarted after adding the 'ssl.root' interface to the 'SSL_VPN_ZONE' zone:
dia sys process pidof sslvpnd
fnsysctl killall sslvpnd
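The following is an added example of the firewall policy and verification steps that complete the procedure above; it is not part of the original article. The policy name "SSLVPN_to_LAN", the user group "sslvpn-group", the destination interface "port1" and the destination object "LAN_SERVERS" are assumed values; "SSLVPN_TUNNEL_ADDR1" is the default SSL VPN tunnel address object on FortiGate. The zone "SSL_VPN_ZONE" is the one created earlier on this page.

```fortios
# Added example (assumed object names): policy with source interface = the zone.
# srcaddr is limited to the SSL VPN tunnel address range, so traffic arriving
# on the zone's other member (port7) only matches this policy if it comes from
# that range; service and dstaddr are kept narrow rather than "ALL".
config firewall policy
    edit 0
        set name "SSLVPN_to_LAN"
        set srcintf "SSL_VPN_ZONE"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_SERVERS"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set groups "sslvpn-group"
        set logtraffic all
    next
end

# Restart the SSL VPN daemon after the zone change (same commands as above).
diagnose sys process pidof sslvpnd
fnsysctl killall sslvpnd

# Verification: confirm the zone membership, the policy, and active tunnels.
show system zone SSL_VPN_ZONE
show firewall policy
diagnose vpn ssl list
```

Logging is enabled on the policy so that authentication prompts reaching users on port7 (the behaviour described in Note I) show up in the traffic log and can be reviewed.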
Note II: If the ssl.root interface is used in a zone, the SSL VPN might stop working upon an upgrade to the versions 7.4.1-7.4.8 and 7.6.0-7.6.2. The workarounds and the details are in the link below. The issue is resolved on versions 7.4.9 and 7.6.3.
Related documents:
Use SSL VPN interfaces in zones - New features - FortiGate 7.0.1 documentation
Using SSL VPN interfaces in zones - FortiGate 7.4.0 administration guide
