salmas
Staff
Article Id 254314
Description

This article describes the case where two different ports must accept SSL VPN connections at the same time, because some clients (FortiClients) still carry an old configuration with the old port while the SSL VPN is being migrated to a new port.

Scope

All FortiGates and FortiOS.

Solution

In the example below, the old SSL VPN port is 13443 and the new port is 10443.

1) Create a DNAT/VIP (virtual IP) that maps the old port 13443 to the new port 10443, as shown in the image below.

[Image: SSL_VPN_DNAT.png]

- The 'Map to' IP is the static IP or secondary IP used on the WAN interface.

- If the WAN interface gets its address by DHCP, leave that field at 0.0.0.0.

- The external service port is the old port (13443), mapped to the new port (10443).

2) Change the SSL VPN listen port from 13443 to 10443.

[Image: SSL_VPN_Changed_Port.png]

- Only the listen port changes; all other SSL VPN settings stay the same.

3) Create a WAN-to-WAN firewall policy whose destination is the DNAT/VIP.

[Image: SSL_VPN_DNAT_Policy.png]

- NAT is disabled.

- The source can be 'all' or restricted to specific hosts or geographic locations.

- The policy's hit counter stays at 0 even though the policy is in use.

- The policy also does not show up in debug flow output.

[Image: Session_From_PublicIP.jpg]

Now clients still configured with https://10.0.0.10:13443 can connect, and clients with the new configuration https://10.0.0.10:10443 work as well.
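The same three steps expressed in the FortiOS CLI, as an added example that is not part of the article (which shows the GUI): the WAN interface name wan1, the VIP and policy names, and the use of the article's 10.0.0.10 as the static WAN address are assumptions for illustration, and the policy ID is allocated by the firewall.

```fortios
# Added example: FortiOS CLI equivalent of the three GUI steps in the article.
# Assumptions: WAN interface is "wan1"; static WAN address is 10.0.0.10
# (the address used in the article); object names are illustrative.

# Step 1: DNAT/VIP - old external port 13443 is forwarded to the new port 10443
# on the same WAN address.
config firewall vip
    edit "SSLVPN_13443_to_10443"
        set extintf "wan1"
        set extip 10.0.0.10
        set mappedip "10.0.0.10"
        # On a DHCP WAN interface the article leaves the 'Map to' field at 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 13443
        set mappedport 10443
    next
end

# Step 2: move the SSL VPN listener itself to the new port; nothing else changes.
config vpn ssl settings
    set port 10443
end

# Step 3: WAN-to-WAN policy that accepts traffic to the VIP, with NAT disabled.
# Source is "all" here; restrict it to specific addresses or a geography
# address object if the old port should only be reachable from known clients.
# Service "ALL" is used because the VIP already pins the external port.
config firewall policy
    edit 0
        set name "SSLVPN_Legacy_Port_13443"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN_13443_to_10443"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Verification: the policy hit counter stays at 0 (as the article notes), so
# check the session table instead. A client connecting on the old port shows
# up as a session with dport 13443 translated to 10443.
diagnose sys session filter clear
diagnose sys session filter dport 13443
diagnose sys session list
```

Run the three config blocks in order; the session filter at the end is the practical way to confirm that legacy clients are actually landing on the VIP, since neither the policy counter nor debug flow will show them.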