FortiGate
ekrishnan
Staff
Article Id 365357
Description This article describes the configuration required to assign a static IP to an SSL VPN user.
Scope FortiGate.
Solution

Follow these steps to assign a static IP to a particular user or host.

1. Create an address object (here an IP range whose start and end are the same single address):

CLI reference:

 

config firewall address
    edit "test-10.232.11.1"
        set uuid 9a96e49c-d6d4-51f0-4b26-93d0aaec8280
        set type iprange
        set start-ip 10.232.11.1
        set end-ip 10.232.11.1
    next
end

2. Create an SSL VPN portal and add the created address object to the Source IP Pools field:

CLI reference:

 

config vpn ssl web portal
    edit "static testing"
        set tunnel-mode enable
        set ip-pools "test-10.232.11.1"
        set split-tunneling disable
    next
end

3. Assign the user or user group to the portal created above under SSL VPN Settings -> Authentication/Portal Mapping.

Here the username used for the example is 'elangkk'.

 

CLI reference:

 

config vpn ssl settings
    config authentication-rule
        edit 3
            set users "elangkk"
            set portal "static testing"
        next
    end
end

4. Configure a firewall policy that includes the user or user group and the source address to be allowed (in this example the source address 'all' is used).

CLI reference:

 

config firewall policy
    edit 110
        set name "SSLVPN policy"
        set uuid b4439dc8-b4aa-51f0-6fee-2dd88b8550e6
        set srcintf "ssl.root"
        set dstintf "wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "elangkk"
    next
end
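As an added consistency check (not part of the article or of FortiOS), the script below parses the four CLI blocks above and follows the chain the steps build: authentication rule -> portal -> ip-pools -> address object. It reports the pinned IP only when the pool is an iprange whose start and end are the same address, which is what makes the assignment static rather than dynamic. The parser and the sample excerpt are constructed here; the object, portal and user names match the article.

```python
import shlex
SAMPLE = """
config firewall address
    edit "test-10.232.11.1"
        set type iprange
        set start-ip 10.232.11.1
        set end-ip 10.232.11.1
    next
end
config vpn ssl web portal
    edit "static testing"
        set tunnel-mode enable
        set ip-pools "test-10.232.11.1"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 3
            set users "elangkk"
            set portal "static testing"
        next
    end
end"""  # constructed excerpt modelled on the article's CLI blocks (uuid lines omitted)

def parse_fortios(text):
    """Nested dicts: 'config'/'edit' open a table, 'set' stores a value list, 'next'/'end' close."""
    stack = [{}]
    # shlex keeps quoted names such as "static testing" as one token; blank lines are skipped
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def static_ip_for(cfg, user):
    """Follow authentication-rule -> portal -> ip-pools -> address; return the pinned IP or None."""
    for rule in cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).values():
        if user not in rule.get("users", []) + rule.get("groups", []):
            continue
        portal = cfg.get("vpn ssl web portal", {}).get(rule.get("portal", [""])[0], {})
        if portal.get("tunnel-mode") != ["enable"]:
            return None  # a web-mode-only portal never hands out a tunnel IP
        for pool in portal.get("ip-pools", []):
            addr = cfg.get("firewall address", {}).get(pool, {})
            if addr.get("type") == ["iprange"] and addr.get("start-ip") == addr.get("end-ip") is not None:
                return addr["start-ip"][0]  # one-address range, so the user always gets this IP
    return None
```

A pool whose start-ip and end-ip differ returns None, since the user would then receive any free address from the range rather than a fixed one.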

To verify the assignment, run the following SSL VPN debug commands:

 

diagnose debug application sslvpn -1
diagnose debug enable


To disable:

 

diagnose debug disable

 

The truncated SSL VPN debug output is shown as a screenshot in the original article.


As a result, the VPN user will be connected, and the IP address defined in the SSL VPN portal will be assigned to this user.

 

Depending on the hardware model and firmware version, only a certain number of SSL VPN portals can be created. Refer to the Maximum Value Table for 'vpn.ssl.web.portal'.