Restrict VIPs to SSL VPN Users (Split Tunnel)

Hello

• What is exactly not working?
• Did you check if a route to the related public IP through the tunnel has been added to your client?
• Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
• Was the traffic allowed/blocked (diag debug flow ...)?
• Since this is a public IP, why need SSL VPN to reach it? By definition it should be reachable from Internet without VPN, right?

Hello. The VIP work fine. My original query was to restrict access to the VIP translation to only SSL VPN users. I don't want the VIP available to anyone who does not have a SSL VPN connection. 

• Did you check if a route to the related public IP through the tunnel has been added to your client?
• Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
• Was the traffic allowed/blocked (diag debug flow ...)?

Why do the SSL VPN users need to use a VIP while SSL VPN provides direct access to the destination of the VIP or servers local/private IP? That's the purpose of the VPN like SSL VPN and IPsec VPN.

Toshi

FortiGate 7.2 – Restrict VIP Access to Only SSL VPN Users with Split Tunnelin

Since you need to keep the VIP while ensuring that only SSL VPN users can access it, follow these steps to configure it properly.

 Configure the VIP (Virtual IP)
Your VIP should map a public IP to an internal server, but access should be restricted to only SSL VPN users.

- **Go to**: **Policy & Objects > Virtual IPs**
- **Create or Edit the VIP** with the following settings:
- **External Interface**:
- If you still need a public IP mapping, set this to `wan1` or the relevant WAN interface.
- If the VIP should only be used internally, set this to `lan` or a VLAN interface.
- **External IP Address**: The public IP assigned to the VIP.
- **Mapped Internal IP Address**: The private IP of your server.
- **Port Forwarding**: Enabled (if only specific services are required, e.g., HTTPS on 443).

---

2. Restrict Access to Only SSL VPN Users
Remove Public WAN Access
To prevent **anyone from the internet** from accessing the VIP:
1. Go to: Policy & Objects > Firewall Policy
Find any WAN → VIP rules** that allow general public access and disable or delete them.

Create a Policy to Allow Only SSL VPN Users
Now, allow **only SSL VPN users** to access the VIP.

Go to: Policy & Objects > Firewall Policy
Create a new policy:
- **Incoming Interface**: `ssl.root` (SSL VPN tunnel interface)
- **Source**:
- SSL VPN user group **(Only allow authenticated VPN users)**
- (Optional: Restrict to specific IPs or subnets from the VPN pool)
- **Destination**: The **VIP object** you created earlier.
- **Service**: Only necessary services (e.g., HTTPS, RDP).
- **Action**: Accept.
- **NAT**: Disabled (since NAT is handled by the VIP mapping).
Move this policy above any general LAN/WAN rules to ensure it applies first.

---

Configure SSL VPN with Split Tunneling
Since split tunneling **routes only specific traffic through the VPN**, you must ensure that **traffic to the VIP is included**.

1. **Go to**: **VPN > SSL-VPN Portals**
2. **Edit the SSL VPN portal** used by your users.
3. **Ensure "Split Tunneling" is enabled**.
4. **Under "Routing Address"**, add:
- The internal IP of the VIP’s mapped server.
- (Optional) The entire subnet if multiple servers are behind VIP.

This ensures that **requests to the VIP** are routed through the SSL VPN tunnel and not through the user’s local network.

---

4. Verify Internal Routing
Ensure that FortiGate **routes VPN traffic correctly to the VIP**.

1. **Go to**: **Network > Static Routes**
2. **Ensure there is a route** allowing SSL VPN users to reach the internal subnet.
- Example:
- **Destination**: `192.168.1.0/24` (or the server's subnet)
- **Gateway**: FortiGate’s LAN IP (`192.168.1.1`)
- **Interface**: LAN/VLAN interface

---

5. Testing & Debugging
If SSL VPN users still cannot access the VIP, check for issues with:

A. Firewall Logs
Go to:
Log & Report > Forward Traffic
- Filter by:
- **Source**: SSL VPN IP range
- **Destination**: VIP address
- **Action**: Denied (if blocked)

CLI Debugging
Run these CLI commands to trace traffic:

```bash
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter addr <VIP_Internal_IP>
diagnose debug flow trace start 10
```

Routing Check
Ensure that the **SSL VPN user’s traffic is reaching the VIP**:

```bash
get router info routing-table all
```

---

Expected Outcome
VIP remains active but is only accessible via SSL VPN users.
No direct access from the internet or local LAN users.
Traffic to the VIP is correctly routed through the VPN tunnel.

Would you like additional **access control**, such as allowing only specific user groups or setting time-based restrictions? 

Just a quick update. Thank you, @Christian_89, I tried what you suggested (minus the diagnostics) but it didn't work. I am going to repeat again w/ the diagnostics when time allows to see if I can isolate the issue.  

As a temporary workaround, I enabled DNS on the split tunnel and associated the public hostname w/ an internal IP address that is listed on one of the internal LAN DNS servers. It works for now and for the couple of times it hasn't, asking the user to disable IPv6 on the FortiClient network connection seems to resolve the issue.