dbabic
Staff
September 11, 2019

Technical Tip: Not able to create SSLVPN policy with VIP


Description
This article describes when it is possible to use SSLVPN with a VIP address and how to configure it.

Solution
General rules for using VIP with SSLVPN:

1) If no groups have been set in the SSLVPN policy, a vip/vipgrp can be used for dstaddr (for FortiOS 5.4 and later, the policy will always ask for a user group).
2) If a user group is set in the SSLVPN policy and the corresponding portal has web mode enabled, a vip/vipgrp cannot be used for dstaddr.
3) If a user group is set in the SSLVPN policy and the corresponding portal has only tunnel mode enabled, a vip/vipgrp can be used for dstaddr.

Example:
The user group is Guest-group and its associated portal is 'full-access', where the option to use both tunnel-mode and web-mode is required.

SSL-VPN portals are configured as follows:
 
The policy to create:
 

 
When the policy is saved, most of the time the error 'Failed to save some changes: Entry not found' will show up.
 

 
Solution:
 
Disable web-mode for the desired portal.
 
 
Create policy with VIP:
 

 
 
If web-mode is in use, re-enable it the same way it was disabled.

This VIP will be accessible only from tunnel-mode. After this configuration, a user connected to SSLVPN in tunnel-mode will be able to access the server/service via that VIP.
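
The same three steps expressed in the FortiOS CLI, as an added example that is not part of the original article. `Guest-group` and `full-access` come from the example above; the VIP name `VIP-internal-server`, the destination interface `port1`, and the use of `edit 0` to create a new policy are assumptions to be replaced with your own values.

```fortios
# Step 1: temporarily disable web-mode on the portal mapped to the group
config vpn ssl web portal
    edit "full-access"
        set web-mode disable
    next
end

# Step 2: create the SSLVPN policy with the VIP as destination
# (VIP name and dstintf are assumed values; "edit 0" picks the next free ID)
config firewall policy
    edit 0
        set name "sslvpn-to-vip"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIP-internal-server"
        set groups "Guest-group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step 3: re-enable web-mode if the portal still needs it
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
    next
end

# Check: confirm the policy kept the VIP as its destination
show firewall policy | grep -f "VIP-internal-server"
```

Restricting `service` to the ports the published server actually needs, instead of `ALL`, keeps the policy aligned with least privilege.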