Description
This article explains that when the source-interface parameter is set in an authentication rule under 'config vpn ssl settings', it takes precedence over the source-interface parameter set at the top level of 'config vpn ssl settings'.
For example:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1" "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "all"
            set groups "test"
            set portal "full-access"
        next
    end
end
In this configuration, the port2 interface will not listen for connections, even for the default portal.
This parameter is CLI only; it does not show in the GUI.
If the source-interface setting is enabled, the source-address setting is mandatory. To listen on both interfaces for one portal, unset the source-interface in the authentication rule.
Solution
If a different portal is required on each interface, add a new authentication rule with the source-interface parameter set to the other interface.
Example:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1" "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "all"
            set groups "test"
            set portal "full-access"
        next
        edit 2
            set source-interface "port2"
            set source-address "all"
            set groups "test2"
            set portal "web-access"
        next
    end
end
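To check a saved configuration for the condition described above, the following added example (not Fortinet code) parses a 'config vpn ssl settings' block and reports interfaces that appear in the global source-interface but in no authentication rule, plus rules that set source-interface without source-address. The function names and the sample text are constructed for illustration, and the check assumes the precedence behaviour exactly as this article states it.

```python
import shlex

def parse_ssl_settings(text):
    """Split a 'config vpn ssl settings' block into (global settings, rules)."""
    settings, rules, current, in_rules = {}, {}, None, False
    for raw in text.splitlines():
        # Drop a leading CLI prompt '#'; blank lines become a harmless [""].
        tok = shlex.split(raw.strip().lstrip("#")) or [""]
        if tok[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif in_rules and tok[0] == "edit" and len(tok) > 1:
            current = rules.setdefault(tok[1], {})
        elif in_rules and tok[0] == "next":
            current = None
        elif in_rules and tok[0] == "end":
            in_rules, current = False, None
        elif tok[0] == "set" and len(tok) >= 3:
            (settings if current is None else current)[tok[1]] = tok[2:]
    return settings, rules

def audit(text):
    """List findings implied by the precedence rule this article describes."""
    settings, rules = parse_ssl_settings(text)
    findings, named = [], set()
    for rid, rule in rules.items():
        ifaces = rule.get("source-interface", [])
        named.update(ifaces)
        if ifaces and "source-address" not in rule:
            findings.append(f"rule {rid}: source-interface without source-address")
    # Assumption: a rule with source-interface unset is not counted as coverage.
    for iface in (settings.get("source-interface", []) if named else []):
        if iface not in named:
            findings.append(f"{iface}: listed globally but in no authentication rule")
    return findings

# Constructed sample, trimmed from the article's first example.
SAMPLE = '''config vpn ssl settings
    set source-interface "port1" "port2"
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "all"
            set portal "full-access"
        next
    end
end
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result means every interface in the global list is named by at least one rule, or no rule sets source-interface at all.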
Related Articles
Technical Tip: SSL VPN with multiple links not able to login Error: Permission Denied