Description
This article describes the configuration needed to reach a VIP (virtual IP) through an SSL VPN tunnel.
Scope
FortiGate v6.0.0 onwards.
Solution
Users may want to reach the VIP in full tunnel mode, where all traffic from the client machine is routed through the VPN virtual adapter.
Consider the following scenario (tested on FortiOS 6.4.6):
>> The firewall has Internet access on Port1; the SSL VPN and the VIP are configured on that same interface.
>> The internal web server is behind Port3 at 10.27.11.206.
>> The server is reachable on a public IP because a VIP is configured; assume the public IP is 14.14.46.152 (the WAN interface IP or an IP from a public IP pool can be used).
1) Configure the VIP as per the requirement.
** Go to Policy & Objects -> Virtual IPs -> Create New
Name: Define the name
Interface: Configure it as any
External IP: IP address or address range on the external interface that maps to an address or address range on the destination network (the public IP in this scenario)
Mapped IP: IP address or address range on the destination network to which the external IP address is mapped (the server IP in this scenario)
VIP:
** A Virtual Server can be created instead of a Virtual IP; select Interface as any there as well.
To see the Virtual Servers option in the GUI, Load Balancing must be enabled under System -> Feature Visibility -> Additional Features.
Virtual Server:
2) Configure the SSL VPN portal and make sure web mode is disabled, because VIPs only work in tunnel mode. If web mode is enabled, saving the firewall policy in the next step fails with the error 'Failed to save some changes: Entry not found'.
** Go to VPN -> SSL-VPN Portals.
3) Configure the firewall policy for the VIP.
Go to Policy & Objects -> Firewall Policy -> Create New
Incoming Interface: SSL-VPN tunnel interface (ssl.root)
Outgoing Interface: the interface through which the real server is reachable (Port3 in this scenario)
Source: SSL VPN subnet + the user group that will access the server
Destination: the VIP or Virtual Server (set the Inspection Mode to Proxy-based; if a Virtual Server is used, it will not be selectable while the inspection mode is Flow-based)
Security Profiles: apply as per requirement
>> Connect the VPN and test; the VIP should now be reachable.
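The CLI equivalent of steps 1 to 3 above, as an added example that is not part of the original article. Object names (WEB-VIP, tunnel-only, SSLVPN-Users, SSLVPN-to-WEB-VIP) are assumed; SSLVPN_TUNNEL_ADDR1 is the default SSL VPN tunnel address object, port1/port3 and the IPs follow the scenario, and the service is restricted to HTTPS, so use a custom service object if the server listens on 8443 as in the flow trace below. Lines starting with # are comments.

```fortios
# Step 1: VIP on interface "any", public IP mapped to the internal web server
config firewall vip
    edit "WEB-VIP"
        set extintf "any"
        set extip 14.14.46.152
        set mappedip "10.27.11.206"
    next
end

# Step 2: SSL VPN portal in tunnel mode only; web mode must stay disabled for VIPs
config vpn ssl web portal
    edit "tunnel-only"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Bind the SSL VPN to the WAN interface and map the user group to the tunnel-only portal
config vpn ssl settings
    set source-interface "port1"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "tunnel-only"
        next
    end
end

# Step 3: policy from ssl.root to the server segment, destination is the VIP object,
# proxy-based inspection, restricted to the user group and logged
config firewall policy
    edit 0
        set name "SSLVPN-to-WEB-VIP"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "SSLVPN-Users"
        set dstaddr "WEB-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set logtraffic all
    next
end
```

After connecting the VPN, the same `diagnose debug flow` trace shown below should report the DNAT to 10.27.11.206, a route via port3 and a match on this policy.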
Debug flow output for traffic from the SSL VPN client to the VIP:
UPStream_Firewall # id=20085 trace_id=1843 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 10.212.134.200:57077->14.14.46.152:8443) from ssl.root. flag [S], seq 1538479448, ack 0, win 64896"
id=20085 trace_id=1843 func=init_ip_session_common line=5913 msg="allocate a new session-00adb6c5"
id=20085 trace_id=1843 func=iprope_dnat_check line=5012 msg="in-[ssl.root], out-[]"
id=20085 trace_id=1843 func=iprope_dnat_tree_check line=830 msg="len=1"
id=20085 trace_id=1843 func=__iprope_check_one_dnat_policy line=4885 msg="checking gnum-100000 policy-2"
id=20085 trace_id=1843 func=get_new_addr line=1184 msg="find DNAT: IP-10.27.11.206, port-8443"
id=20085 trace_id=1843 func=__iprope_check_one_dnat_policy line=4968 msg="matched policy-2, act=accept, vip=2, flag=100, sflag=2000000" -----> First the VIP (DNAT) check. Here policy-2 is the sequence number of the VIP in the DNAT table, analogous to a firewall policy ID.
id=20085 trace_id=1843 func=iprope_dnat_check line=5025 msg="result: skb_flags-02000000, vid-2, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1843 func=fw_pre_route_handler line=181 msg="VIP-10.27.11.206:8443, outdev-unknown"
id=20085 trace_id=1843 func=__ip_session_run_tuple line=3500 msg="DNAT 14.14.46.152:8443->10.27.11.206:8443"
id=20085 trace_id=1843 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.27.11.206 via port3" -------> Then the route lookup to the mapped IP.
id=20085 trace_id=1843 func=iprope_fwd_check line=764 msg="in-[ssl.root], out-[port3], skb_flags-020000c0, vid-2, app_id: 0, url_cat_id: 0"
id=20085 trace_id=1843 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=1843 func=__iprope_check_one_policy line=1951 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=20085 trace_id=1843 func=__iprope_user_identity_check line=1768 msg="ret-matched"
id=20085 trace_id=1843 func=__iprope_check line=2194 msg="gnum-4e20, check-ffffffffa00270a0"
id=20085 trace_id=1843 func=__iprope_check_one_policy line=1951 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1843 func=__iprope_check_one_policy line=1951 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1843 func=__iprope_check_one_policy line=1951 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=1843 func=__iprope_check line=2213 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=1843 func=__iprope_check_one_policy line=2165 msg="policy-2 is matched, act-accept" -----------> Then the firewall policy check (policy 2 from step 3).
id=20085 trace_id=1843 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=20085 trace_id=1843 func=iprope_fwd_auth_check line=824 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=20085 trace_id=1843 func=fw_forward_handler line=799 msg="Allowed by Policy-2:"
id=20085 trace_id=1843 func=ipd_post_route_handler line=490 msg="out port3 vwl_zone_id 0, state2 0x1, quality 0.
Related Articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-groups-to-SSLVPN-policies-with-VIPs...
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server
Copyright 2025 Fortinet, Inc. All Rights Reserved.