Description
In versions 5.0.x and 4.3.x, SSL VPN needed two firewall policies: a standard policy from the WAN interface to the internal interface with action = sslvpn, which is where the user was authenticated, and a second policy from ssl.root to the internal interface.
In version 5.2.x, the firewall policy with action = sslvpn (where authentication was done) has been merged into the SSL VPN settings (config vpn ssl settings). The ssl.root policy and the static route for the client pool are still required.
Solution
In the web GUI go to VPN > SSL > Settings. Select one or more listening interfaces (for example WAN1 and WAN2).
Change the SSL VPN port number (for example 11443).
Under the authentication/portal mapping, assign the correct SSL VPN user group to the appropriate SSL VPN portal.
These settings produce the configuration below (shown here for a single interface, wan1). The authentication rule inside it replaces the policy with action = sslvpn, which no longer appears in the CLI:
config vpn ssl settings
    set idle-timeout 3000
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 11443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpngroup"
            set portal "full-access"
        next
    end
end
So there is no longer any need to create the policy with action = sslvpn.
Only the policy from ssl.root to the internal interface should be created, as in the following example. Keep it scoped: the source is the tunnel IP pool, the destination is the internal network the clients actually need, and the user group is set so that only authenticated members of vpngroup match the policy:
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "localNetwork"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpngroup"
    next
end
A static route for the SSL VPN client IP pool via ssl.root should also be created, as in the example below. The destination (10.11.254.0/24 here) is the address range assigned to SSL VPN clients, that is, the range behind the tunnel-ip-pools object:
config router static
    edit <id>
        set device ssl.root
        set dst 10.11.254.0/24
    next
end
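The migration above, as an added check that is not part of the original article (not Fortinet code): a short Python script that parses FortiOS config/edit/set/next/end text (the format of show output or a CLI script) and reports whether the 5.2 layout is complete and tight: no leftover policy with action = sslvpn, an authentication-rule that binds a user group to a portal, an accept policy from ssl.root whose source is the tunnel pool and which carries a group, no dstaddr of all on that policy, and a static route via ssl.root. The embedded sample configuration is constructed from the fragments on this page plus a deliberately retained legacy policy (edit 1); the function names are assumptions of this example.

```python
import shlex
from typing import Any, Dict, List

# Constructed sample: the 5.2 fragments from the article plus a leftover
# 4.3/5.0-style policy (edit 1, action sslvpn) that should have been removed.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 11443
    set source-interface "wan1"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "vpngroup"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set action sslvpn
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "localNetwork"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpngroup"
    next
end
config router static
    edit 5
        set device ssl.root
        set dst 10.11.254.0/24
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts.

    A 'config' block becomes a dict keyed by its name, an 'edit' entry a dict
    keyed by its id, and each 'set' stores the list of values it was given.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # honours quoting, drops # comments
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_sslvpn_migration(cfg: Dict[str, Any], tunnel_pool: str) -> List[str]:
    """Return findings; an empty list means the 5.2 layout is complete and scoped."""
    findings: List[str] = []
    policies = cfg.get("firewall policy", {})

    # 1. The pre-5.2 authentication policy must be gone.
    for pid, pol in policies.items():
        if pol.get("action") == ["sslvpn"]:
            findings.append(f"policy {pid}: legacy 'action sslvpn' policy still present")

    # 2. Authentication now lives in vpn ssl settings: a rule must bind a group to a portal.
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    if not any(r.get("groups") and r.get("portal") for r in rules.values()):
        findings.append("vpn ssl settings: no authentication-rule maps a user group to a portal")

    # 3. The ssl.root -> internal policy must exist and be scoped to the pool and a group.
    tunnel_policies = {pid: p for pid, p in policies.items()
                       if p.get("srcintf") == ["ssl.root"] and p.get("action") == ["accept"]}
    if not tunnel_policies:
        findings.append("firewall policy: no accept policy from ssl.root; clients get no access")
    for pid, pol in tunnel_policies.items():
        srcaddr = pol.get("srcaddr", [])
        if tunnel_pool not in srcaddr or "all" in srcaddr:
            findings.append(f"policy {pid}: srcaddr is not restricted to the tunnel pool {tunnel_pool}")
        if "all" in pol.get("dstaddr", []):
            findings.append(f"policy {pid}: dstaddr 'all' exposes everything behind internal")
        if not (pol.get("groups") or pol.get("users")):
            findings.append(f"policy {pid}: no groups/users, policy is not tied to the VPN identity")

    # 4. Return traffic to the client pool needs a route via ssl.root.
    routes = cfg.get("router static", {})
    if not any(r.get("device") == ["ssl.root"] for r in routes.values()):
        findings.append("router static: no route via ssl.root for the client IP pool")
    return findings


if __name__ == "__main__":
    for finding in audit_sslvpn_migration(parse_fortios(SAMPLE_CONFIG), "SSLVPN_TUNNEL_ADDR1"):
        print(finding)
```

Run it against the output of show vpn ssl settings, show firewall policy and show router static (pasted into one file) to confirm that the only thing left to do after following the steps above is deleting the old policy with action = sslvpn; on the sample it reports exactly that one finding.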