FortiGate
Sgagan (Staff)
Article Id 248259
Description: This article describes how to make SSL VPN use only a secondary IP when multiple IPs are configured on the WAN port.
Scope: FortiGate.
Solution

It is not possible to pick the secondary IP on the SSL VPN for listening on Interface(s).

To select the secondary IP, there are two options:

  1. Create a loopback interface: create a loopback interface and then a VIP that forwards requests sent to the secondary IP to the loopback interface.

After creating the loopback interface, create a VIP that maps the external IP and port to be used on the WAN for SSL VPN to the loopback address.

Note: Make sure to enter the desired (secondary) WAN IP in the External IP address field of the VIP.

  • Create a firewall policy from the WAN interface to the loopback interface, with source "all", destination the VIP, and NAT disabled.

  • In the SSL VPN settings, select the loopback interface as the Listening Interface instead of the WAN interface.

  2. Create local-in policies.

    Configure the actual WAN interface in the SSL VPN settings, but use local-in policies to block access to the SSL VPN port on the primary interface IP. It is necessary to enable a secondary IP address under the WAN interface by following this KB article: Technical Tip: Set a secondary IP on a FortiGate interface.

Two listening addresses will then be visible under VPN -> SSL-VPN Settings.

To only allow the VPN to use the secondary IP, it is necessary to block the VPN port over the WAN on the primary IP via a local-in policy.

  • Create an address object for the primary IP address e.g. Primary_Wan.
  • Create the firewall policy, example below:

config firewall local-in-policy
    edit <ID>
        set intf "WAN_" <----- The WAN interface.
        set srcaddr "all" <----- Specify all sources that need access to the SSL VPN.
        set dstaddr "Primary_Wan" <----- The address object for the primary WAN/external interface IP address.
        set action deny <----- Action must be 'deny'.
        set service "VPN_Port" <----- A custom service object associated with the SSL VPN port.
        set schedule "always"
    next
end
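The CLI equivalent of option 1 (loopback interface, VIP, firewall policy and SSL VPN listening interface), together with the custom service object that the local-in policy in option 2 references. This is an added example, not configuration from the original article; the interface name wan1, the loopback name and address 10.255.255.1, the secondary WAN IP 203.0.113.20 and the SSL VPN port 10443 are assumptions to replace with your own values.

```fortios
# 1. Loopback interface that SSL VPN will listen on (assumed name/address).
config system interface
    edit "SSLVPN_LB"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end

# 2. Custom service for the SSL VPN port (also usable as the "VPN_Port"
#    object in the option 2 local-in policy).
config firewall service custom
    edit "VPN_Port"
        set tcp-portrange 10443
    next
end

# 3. VIP: the secondary WAN IP and port mapped to the loopback address.
config firewall vip
    edit "VIP_SSLVPN"
        set extip 203.0.113.20
        set extintf "wan1"
        set portforward enable
        set mappedip "10.255.255.1"
        set extport 10443
        set mappedport 10443
    next
end

# 4. Policy from WAN to the loopback, destination limited to the VIP,
#    service limited to the SSL VPN port, NAT disabled.
config firewall policy
    edit 0
        set name "WAN_to_SSLVPN_LB"
        set srcintf "wan1"
        set dstintf "SSLVPN_LB"
        set srcaddr "all"
        set dstaddr "VIP_SSLVPN"
        set action accept
        set schedule "always"
        set service "VPN_Port"
        set nat disable
    next
end

# 5. SSL VPN listens on the loopback instead of the WAN interface.
config vpn ssl settings
    set port 10443
    set source-interface "SSLVPN_LB"
    set source-address "all"
end
```

Lines starting with # are explanatory comments and are not FortiOS CLI; omit them when pasting into the console.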