FortiGate, SSL VPN IP assignment inconsistency.
This article describes a case of apparent inconsistency in SSL VPN tunnel IP assignment. The case is best presented with an example, using only the chunks of configuration that are relevant to the inconsistency.
Here is the relevant configuration:
config vpn ssl web portal
edit "admins"
set tunnel-mode enable
set ip-pools "admins-192.168.254.0/26"
next
edit "litigation"
set tunnel-mode enable
set ip-pools "litigation-192.168.254.64/26"
next
edit "outsourcing"
set tunnel-mode enable
set ip-pools "outsourcing-192.168.254.128/26"
next
end
config firewall address
edit "admins-192.168.254.0/26"
set subnet 192.168.254.0 255.255.255.192
next
edit "litigation-192.168.254.64/26"
set subnet 192.168.254.64 255.255.255.192
next
edit "outsourcing-192.168.254.128/26"
set subnet 192.168.254.128 255.255.255.192
next
end
config vpn ssl settings
set tunnel-ip-pools "admins-192.168.254.0/26" "litigation-192.168.254.64/26" "outsourcing-192.168.254.128/26"
end
Normally the first IP in the pool is assigned, so the first 'litigation' client would get 192.168.254.64 and the first 'outsourcing' client 192.168.254.128. The first 'admins' client, however, does not get 192.168.254.0, even though that is the first address of its pool; it receives 192.168.254.1 instead. This is by design: the addresses in the pool are treated as a range of IP addresses, not as a subnet.
Even though the pool is configured as a subnet (in config firewall address), it is still handled as a plain range, so the first address of that range is assigned. That is why 192.168.254.64 and 192.168.254.128, which would be network addresses if the objects were treated as subnets, are handed out to clients. However, an address ending in .0 or .255 would add confusion for clients, so these two are skipped from assignment: 192.168.254.0 is never assigned and the 'admins' pool effectively starts at 192.168.254.1. By the same rule, the last address of the 'admins' object, 192.168.254.63, is a valid assignment, because the pool is a range rather than a subnet. When sizing pools, count on one address fewer for any object whose range starts on a .0 or ends on a .255 boundary.
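The following Python block is an added illustration of the assignment rule described above; it is not FortiOS code and it does not run on the FortiGate. It models each address object as a plain range of addresses (so the subnet's first and last addresses are candidates) and skips only addresses whose last octet is 0 or 255. The POOLS table is taken from the configuration above; the support for "start-end" ranges (the iprange address object type) and the in_use bookkeeping are assumptions added here to show the general rule beyond the three /26 pools in the example.

```python
import ipaddress

# Constructed from the configuration above: portal name -> address object subnet.
POOLS = {
    "admins": "192.168.254.0/26",
    "litigation": "192.168.254.64/26",
    "outsourcing": "192.168.254.128/26",
}


def pool_range(pool):
    """Expand an address object into its ordered list of candidate addresses.

    A subnet (e.g. '192.168.254.0/26') is expanded inclusive of its network and
    broadcast addresses, because the SSL VPN pool is handled as a range, not as a
    subnet. A 'start-end' string (assumption: models an iprange address object)
    is expanded from start to end inclusive.
    """
    if "-" in pool:
        start, end = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
    return list(ipaddress.ip_network(pool, strict=True))


def assignable(ip):
    """Only addresses whose last octet is .0 or .255 are skipped."""
    return ip.packed[-1] not in (0, 255)


def first_assigned(pool):
    """Address the first client connecting to this pool receives."""
    return assign(pool)


def assign(pool, in_use=()):
    """Return the next free assignable address, or None when the pool is exhausted."""
    used = {ipaddress.ip_address(a) for a in in_use}
    for ip in pool_range(pool):
        if assignable(ip) and ip not in used:
            return str(ip)
    return None


def pool_size(pool):
    """Number of addresses the pool can actually hand out."""
    return sum(1 for ip in pool_range(pool) if assignable(ip))


if __name__ == "__main__":
    for portal, subnet in POOLS.items():
        print(f"{portal:12s} {subnet:20s} first client: {first_assigned(subnet)}  "
              f"usable addresses: {pool_size(subnet)}")
```

Running it reproduces the behaviour in the article: 'litigation' and 'outsourcing' start at the first address of their block, while 'admins' starts at 192.168.254.1 and has one usable address fewer (63 instead of 64) because 192.168.254.0 is skipped; the /26 broadcast addresses such as 192.168.254.63 remain assignable.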
Copyright 2024 Fortinet, Inc. All Rights Reserved.