FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Article Id 213615
Description This article describes how to configure SSL VPNs with VRFs in order to achieve traffic segmentation.
Scope FortiGate 6.4.10, 7.0.6 & 7.2.0.
Solution

In order for the SSL-VPN to be fully operational within a VRF based topology, it is necessary to configure all the interfaces involved to be on the same VRF ID.

 

In most common topologies there are three interfaces involved:

 

A) The interface which the SSL VPN is bound to.

B) SSL-VPN interface itself.

C) The egress interface.

 

For example, in the below topology, SSL-VPN is bound to port1 and the egress interface for remote users to reach local resources is port3. The configuration should look like:

 

1) SSL-VPN:

 

# config vpn ssl settings

    set source-interface "port1"  
    set port 443
end

 

2) Firewall policy:

 

# config firewall policy
    edit 1
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port3
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

3) System interfaces:

 

# config system interface
    edit "port1" 
    set vdom "root"

    set vrf 10
next
    edit "port3"
        set vdom "root"
        set vrf 10
    next
        edit "ssl.root"
            set vdom "root"
             set vrf 10
            set type tunnel
        next

end