srajapratap
Staff
Article Id 253822
Description

This article describes how to advertise the SSL VPN pool over BGP.


Topology:
FGT-HO-----Internet-----FGT-BO.


FGT-HO has SSL VPN clients connected to it that receive addresses from the pool 15.0.0.0/24. This pool must be advertised over BGP (either eBGP or iBGP) so that the route becomes reachable on FGT-BO.

Scope

All FortiGate models and FortiOS versions.
Solution

SSL VPN clients receive their IP address from the SSL VPN pool, which is an IP range: it is neither a subnet address object nor a directly connected network. As a result, the pool never appears in the routing table, and BGP has nothing to advertise for it.
To resolve this, create a static route with the SSL VPN pool subnet as the destination and 'ssl.root' as the exit interface.

[Screenshot: static route with destination 15.0.0.0/24 and interface ssl.root]

FGT-HO # get router info routing-table all | grep ssl.root
S 15.0.0.0/24 [10/0] is directly connected, ssl.root, [1/0]

 

Second, in the BGP -> Networks section of the GUI, add the SSL VPN pool subnet (15.0.0.0/24 in this example) to the list of advertised networks. Once both steps are in place, the SSL VPN pool is advertised over BGP to the peer.

[Screenshot: BGP -> Networks with 15.0.0.0/24 added]
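The two GUI steps above expressed in the FortiOS CLI, added here as an example and not taken from the article. The prefix, interface and neighbor address are the article's values; the route uses a plain 'dst' rather than a named address object:

```fortios
# Added example (not from the article): CLI equivalent of the two GUI steps on FGT-HO.

# Step 1: static route for the SSL VPN pool via the ssl.root interface, so the
# pool shows up in the routing table and BGP can pick it up.
config router static
    edit 0
        set dst 15.0.0.0 255.255.255.0
        set device "ssl.root"
    next
end

# Step 2: advertise the same prefix under BGP -> Networks.
config router bgp
    config network
        edit 0
            set prefix 15.0.0.0 255.255.255.0
        next
    end
end

# Verification on FGT-HO, as shown in the article:
#   get router info routing-table all | grep ssl.root
#   get router info bgp neighbors 201.1.1.1 advertised-routes
```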


Before the SSL VPN static route is created:


get router info routing-table all | grep ssl.root
(no output: the route does not exist yet)

get router info bgp neighbors 201.1.1.1 advertised-routes
% No prefix for neighbor 201.1.1.1


get router info bgp neighbors 200.1.1.1 received-routes
% No prefix for neighbor 200.1.1.1

 

After the SSL VPN static route is created:


get router info routing-table all | grep ssl.root
S 15.0.0.0/24 [10/0] is directly connected, ssl.root, [1/0]

 

get router info bgp neighbors 201.1.1.1 advertised-routes
VRF 0 BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i15.0.0.0/24      200.1.1.1                     100  32768        0 i <-/->

Total number of prefixes 1


get router info bgp neighbors 200.1.1.1 received-routes
VRF 0 BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*>i15.0.0.0/24      200.1.1.1                     100      0        0 i <-/->

Total number of prefixes 1

Note:

  • If the SSL VPN pool address object cannot be selected as the destination of the static route, use a subnet address object instead. Address range objects will not work here: the destination must be a subnet object with 'Static route configuration' enabled.
  • The behavior is the same for remote access IPsec VPN: a static route is required before the client subnet is advertised over BGP. In that case, replace the ssl.root interface in the static route configuration with the name of the tunnel interface of the subnet to be advertised.