anikolov
Staff
Article Id 329445
Description


This article describes a case of apparent inconsistency in SSL VPN IP assignment. The case is best presented with an example, using only the chunks of configuration that are relevant to the inconsistency.


Scope


FortiGate, SSL VPN IP assignment inconsistency.


Solution


The relevant parts of the example configuration:


config vpn ssl web portal
    edit "admins"
        set tunnel-mode enable
        set ip-pools "admins-192.168.254.0/26"
    next
    edit "litigation"
        set tunnel-mode enable
        set ip-pools "litigation-192.168.254.64/26"
    next
    edit "outsourcing"
        set tunnel-mode enable
        set ip-pools "outsourcing-192.168.254.128/26"
    next
end


config firewall address
    edit "admins-192.168.254.0/26"
        set subnet 192.168.254.0 255.255.255.192
    next
    edit "litigation-192.168.254.64/26"
        set subnet 192.168.254.64 255.255.255.192
    next
    edit "outsourcing-192.168.254.128/26"
        set subnet 192.168.254.128 255.255.255.192
    next
end


config vpn ssl settings
    set tunnel-ip-pools "admins" "litigation" "outsourcing"
end


Normally the first IP of the pool is assigned, so for 'litigation' that would be 192.168.254.64 and for 'outsourcing' it would be 192.168.254.128, but 'admins' does not follow the same logic: 192.168.254.0 is not assigned. By design, the addresses in a pool are treated as a range of IP addresses.


Even though the pools are configured as subnets (in config firewall address), they are still treated as ranges of IPs, so the first IP of the range would normally be assigned. However, handing out an address ending in .0 or .255 would cause confusion, so these two addresses are skipped during assignment.
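To make the rule concrete, here is an added Python model of the assignment behaviour described above (it is not Fortinet's code), together with a check that every portal's ip-pools name resolves to a defined address object. The address objects and portal snippet are constructed from the example, with one address-object name deliberately mismatched so the check has something to find.

```python
import ipaddress
import re
# Constructed sample: the article's address objects, one of them deliberately
# named so that it does NOT match the portal's ip-pools reference.
ADDRESSES = {
    "admins-192.168.254.0/26": "192.168.254.0 255.255.255.192",
    "litigation-192.168.254.64/26": "192.168.254.64 255.255.255.192",
    "outsourcing-192.168.254.0/26": "192.168.254.128 255.255.255.192",
}
PORTALS = '''
config vpn ssl web portal
    edit "admins"
        set ip-pools "admins-192.168.254.0/26"
    next
    edit "outsourcing"
        set ip-pools "outsourcing-192.168.254.128/26"
    next
end
'''

def pool_bounds(subnet_line):
    """'a.b.c.d mask' -> (first, last) as ints; the pool is the whole range,
    network and broadcast addresses included."""
    addr, mask = subnet_line.split()
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return int(net.network_address), int(net.broadcast_address)

def assignable(subnet_line):
    """Addresses in hand-out order, skipping last octet 0 and 255
    (the rule the article describes, modelled here, not vendor code)."""
    first, last = pool_bounds(subnet_line)
    for n in range(first, last + 1):
        ip = ipaddress.IPv4Address(n)
        if ip.packed[-1] not in (0, 255):
            yield str(ip)

def first_assigned(subnet_line):
    """First address a client actually receives from this pool."""
    return next(assignable(subnet_line))

def pools_skipping_first_address(addresses):
    """Pools whose first client will not get the object's first address."""
    return [n for n, s in addresses.items()
            if first_assigned(s) != str(ipaddress.IPv4Address(pool_bounds(s)[0]))]

def unresolved_pool_refs(portal_cfg, addresses):
    """ip-pools names in the portal config with no matching address object."""
    return [r for r in re.findall(r'set ip-pools\s+"([^"]+)"', portal_cfg)
            if r not in addresses]
```

Running pools_skipping_first_address on the sample flags only the 'admins' pool, which is exactly the case the article explains; unresolved_pool_refs flags the mismatched 'outsourcing' object name.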