lbnmpa
New Member
May 29, 2017
Question

[SSL-VPN] [FortiGate] Address Range vs Source IP Pools


Hello all, I have been setting up an SSL VPN with a FortiGate 80D under FortiOS 5.4.4 and I couldn't figure out something about the configuration. In the "VPN->SSL-VPN Settings" section, we find the "Tunnel Mode Client Settings" and, just below, the "Address Range". At the beginning, I thought this would be the range of IP addresses assigned to the VPN users, but then I saw that this is not the case. VPN users are getting their IP addresses from the "Source IP Pools" setting of their associated portal. So the question is: what is the use of the "Address Range" setting under "VPN->SSL-VPN Settings"? Thanks in advance for your answer. Regards,

1 reply

Toshi_Esumi
SuperUser
May 30, 2017

In the CLI it's named "tunnel-ip(v6)-pools" or "ip(v6)-pools". It can be configured in multiple places in the config now. But we have to configure a portal anyway, and if you have multiple groups with different portals you have to, so I recommend you configure it at each portal and leave this SSL setting as default (no ip-pool config). One problem is you might need to use the CLI to remove these values in the settings.

lbnmpa (Author)
New Member
May 31, 2017

Hello Toshi,


First of all, thanks for your answer.


Let's take the configuration below as an example:


FW-01 (settings) # show
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 900
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8443
    set source-interface "OUTSIDE"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "admin"
            set portal "tunnel-admin"
        next
    end
end


If I understand correctly, you're telling me that even though there is a mandatory default portal to define, there are also the "tunnel-ip(v6)-pools" settings that need to be defined (at least in the GUI), and they will never be used.

Did I understand correctly?


Thanks again for your time.


Regards,

Toshi_Esumi
SuperUser
May 31, 2017

My understanding is (I haven't thoroughly tested, but at least this is how we configured it for multiple customers, including ourselves) that the IP range in the settings is used as the default when it's not defined in the portals. In the GUI by default (at least in 5.4.4) "custom IP range" is selected, not "automatic", and no range is defined in the settings. If you do "unset tunnel-ip-pools" and "unset tunnel-ipv6-pools" in the CLI in your case, you can go back to the setting and see it in the GUI. Of course, each portal needs to have those defined there.
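The layout recommended in this thread (pools defined per portal, the global tunnel pool left unset so no user silently lands in a shared default range) written out as a config fragment. This is an added example, not a config from the thread; the address object names, the portal names "tunnel-access" and "tunnel-admin", the "admin" group and the 10.212.x.x ranges are assumptions, and the "#" lines are comments.

```text
# Added example (not from the thread). Pool names, portal names,
# group name and IP ranges are assumed values.
config firewall address
    edit "SSLVPN_POOL_USERS"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "SSLVPN_POOL_ADMIN"
        set type iprange
        set start-ip 10.212.135.200
        set end-ip 10.212.135.210
    next
end
# Each portal carries its own pool ("Source IP Pools" in the GUI).
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_USERS"
    next
    edit "tunnel-admin"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_ADMIN"
    next
end
# Global settings: clear the default pool ("Address Range" in the GUI)
# so that only the per-portal pools ever hand out addresses.
config vpn ssl settings
    unset tunnel-ip-pools
    unset tunnel-ipv6-pools
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "admin"
            set portal "tunnel-admin"
        next
    end
end
```

Afterwards, "show vpn ssl settings" should list no tunnel-ip-pools line, and each portal should show its own ip-pools entry; a portal with tunnel-mode enabled but no ip-pools would be the case where the global range, if any, is used as the fallback the reply above describes.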