FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 254314


This article describes how to keep two different ports active for SSL VPN connectivity while transitioning the SSL VPN to a newer port, because some clients (FortiClients) still have an old configuration that points at the old port.




All FortiGates and FortiOS.




In the below example, the old port was 13443 and the new port is 10443.


1) Create a DNAT/VIP that forwards the old port to the new port 10443, as shown in the image below.




- The 'Map to' IP is the static IP or secondary IP used on the WAN interface.

- In the case of DHCP, leave that field

- The external service port is the old port (13443) and it is mapped to the new port (10443).


2) Change the SSL VPN port from 13443 to 10443.




- Only change the listen port; all other settings stay the same.


3) Create a WAN-to-WAN policy with DNAT/VIP.




- NAT is disabled.

- The source can be 'any' or limited to specific hosts or geographic locations.

- The hit counter of this policy will stay at 0 even though the policy is being used.

- This policy will also not show up in the debug flow output.
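The three steps above expressed in the FortiOS CLI, added here as an illustration rather than taken from the article. The interface name wan1, the object names and the WAN address 203.0.113.10 are assumptions; replace them with your own values, and drop the leading '#' annotation lines before pasting into the CLI.

```fortios
# Step 1: VIP that accepts the old port 13443 on the WAN interface
# and forwards it to the new SSL VPN port 10443 on the same address.
# extip/mappedip 203.0.113.10 is an assumed static WAN IP.
config firewall vip
    edit "SSLVPN-old-port-13443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "203.0.113.10"
        set portforward enable
        set protocol tcp
        set extport 13443
        set mappedport 10443
    next
end

# Step 2: move the SSL VPN listener to the new port only;
# every other SSL VPN setting is left untouched.
config vpn ssl settings
    set port 10443
end

# Step 3: WAN-to-WAN policy that uses the VIP as destination.
# NAT stays disabled; the VIP object already limits the match to
# TCP 13443. Narrow srcaddr to specific hosts or a geography
# address if the source should not be 'all'.
config firewall policy
    edit 0
        set name "SSLVPN-legacy-port"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN-old-port-13443"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

As the article notes, the counter of this policy stays at 0 and the policy does not appear in the debug flow, so verify the redirect from a client still configured with port 13443 rather than from the policy statistics.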




Now any user who still has the old configuration can connect, while users with the new configuration will also work.