Created on 04-25-2023 08:00 AM Edited on 03-17-2024 07:26 AM By Stephen_G
Description
This article describes how to advertise the SSL VPN pool over BGP.
Scope
All FortiGate models and FortiOS versions.
Solution
SSL VPN clients receive their IP addresses from an IP space that is neither a subnet address object nor a directly connected network. As a result, a BGP configuration is typically unable to see the SSL VPN pool.
FGT-HO # get router info routing-table all | grep ssl.root
Secondly, ensure that the SSL VPN pool subnet (15.0.0.0/24 in this example) has been added under BGP -> Networks in the GUI. After this configuration, the SSL VPN pool is advertised over BGP to the BGP peer.
get router info bgp neighbors 201.1.1.1 advertised-routes
After the creation of SSL VPN static route:
get router info bgp neighbors 201.1.1.1 advertised-routes
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i15.0.0.0/24      200.1.1.1                         100  32768        0 i <-/->

Total number of prefixes 1

get router info bgp neighbors 200.1.1.1 received-routes
VRF 0 BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i15.0.0.0/24      200.1.1.1                         100      0        0 i <-/->

Total number of prefixes 1

Note: If the named address is not available for the static route, it is possible to use a subnet instead. Address ranges will not work for this: it must be a subnet with 'static route configuration' enabled.
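A CLI equivalent of the steps above, as an added example that is not part of the original article. It assumes the 15.0.0.0/24 pool from this article, a hypothetical address object name SSLVPN_POOL_15, and that the SSL VPN static route points to the ssl.root interface.

```fortios
# Added example, not from the original article. The object name
# "SSLVPN_POOL_15" is hypothetical; 15.0.0.0/24 is the pool used above.

# Pool as a subnet object (address ranges do not work for static routes),
# with 'static route configuration' enabled.
config firewall address
    edit "SSLVPN_POOL_15"
        set type ipmask
        set subnet 15.0.0.0 255.255.255.0
        set allow-routing enable
    next
end

# Static route for the pool through the SSL VPN tunnel interface, so the
# prefix is present in the routing table (edit 0 picks the next free ID).
config router static
    edit 0
        set dstaddr "SSLVPN_POOL_15"
        set device "ssl.root"
    next
end

# Advertise the pool subnet (BGP -> Networks in the GUI).
config router bgp
    config network
        edit 0
            set prefix 15.0.0.0 255.255.255.0
        next
    end
end
```

Only the pool subnet is advertised here, so the peer learns no more of the internal address space than the VPN clients need.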