hbac
Staff
Article Id 367799
Description This article describes how to reserve SSL VPN client IP addresses without an external DHCP server. 
Scope FortiGate. 
Solution

To reserve an IP address for a specific user, give that user a dedicated SSL VPN portal whose Source IP Pool contains only the reserved /32 address, and map the user to that portal under Authentication/Portal Mapping. Because each pool holds exactly one address, a user mapped to such a portal always receives the same tunnel IP, so firewall policies and logs can refer to a stable per-user address. The same property also means that only one tunnel per portal can be up at a time: a second connection to the same portal finds the pool exhausted and cannot be assigned an address. The example below reserves addresses for User1 and User2:

 

  • User1 -> 192.168.100.1
  • User2 -> 192.168.100.2

 

Assuming User1 and User2 are already created:

 

[Screenshot: Users.PNG]

 

  1. Go to Policy & Objects -> Addresses, and create two address objects, '192.168.100.1/32' and '192.168.100.2/32'.

 

[Screenshot: addresses.PNG]

 

  2. Go to VPN -> SSL VPN Portals, and create a tunnel-mode SSL VPN Portal for User1 with Source IP Pools = 192.168.100.1/32.

 

[Screenshot: User1.PNG]

 

Repeat the same step for User2, this time with Source IP Pools = 192.168.100.2/32.

 

  3. Go to VPN -> SSL-VPN Settings -> Address Range, select 'Specify custom IP ranges', and add '192.168.100.1/32' and '192.168.100.2/32' under IP Ranges. Under Authentication/Portal Mapping, map each user to its corresponding portal (User1 -> portal User1, User2 -> portal User2).

 

[Screenshot: vpn setting.PNG]

 

  4. Go to Policy & Objects -> Firewall Policy, and create a policy from the SSL VPN interface to the internal interface whose Source contains the two reserved address objects and the two users, as shown below:


[Screenshot: policy ssl.PNG]

 

CLI Reference (the 'set tunnel-ip-pools' line under 'config vpn ssl settings' is the CLI equivalent of the custom IP ranges added in step 3):

config firewall address
    edit "192.168.100.1/32"
        set uuid 41150744-d20d-51f0-d3d2-fc828cec9162
        set subnet 192.168.100.1 255.255.255.255
    next
    edit "192.168.100.2/32"
        set uuid 4850aea0-d20d-51f0-0d0d-0af17e9661b9
        set subnet 192.168.100.2 255.255.255.255
    next
end

config vpn ssl web portal
    edit "User1"
        set tunnel-mode enable
        set ip-pools "192.168.100.1/32"
    next
    edit "User2"
        set tunnel-mode enable
        set ip-pools "192.168.100.2/32"
    next
end

config vpn ssl settings
    set tunnel-ip-pools "192.168.100.1/32" "192.168.100.2/32"
    config authentication-rule
        edit 1
            set users "User1"
            set portal "User1"
        next
        edit 2
            set users "User2"
            set portal "User2"
        next
    end
end

config firewall policy
    edit 29
        set name "SSLVPN to internal"
        set uuid 31a15122-d20e-51f0-9839-e78b178987a1
        set srcintf "ssl.root"
        set dstintf "port4"
        set action accept
        set srcaddr "192.168.100.2/32" "192.168.100.1/32"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set users "User1" "User2"
    next
end

The policy admits traffic only from the two reserved addresses and only for authenticated sessions of User1 or User2. 'dstaddr all' and 'service ALL' are used here for brevity; in production, restrict them to the destinations and services each user actually needs.
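The four steps above are tedious to repeat by hand once more than a handful of users need fixed addresses, and the portal-per-user design also has to stay within the model's portal limit. The following script is an added example written for this article, not Fortinet code: it validates a user-to-address plan (distinct, well-formed IPv4 hosts), checks it against a caller-supplied portal limit, and emits the same FortiOS CLI as the reference above for any number of users. Beyond the commands shown on this page it assumes only 'set tunnel-ip-pools' under 'config vpn ssl settings'; the interface names and policy ID are placeholders copied from the article. With per_user_policies=True it generalizes the page's single policy into one policy per user, so that each policy's source address is exactly that user's /32.

```python
"""Generate FortiOS CLI that reserves one SSL VPN tunnel IP per user.

Added example for this article; it is not Fortinet code. Beyond the page's own
CLI it assumes only 'set tunnel-ip-pools' under 'config vpn ssl settings'
(the CLI form of Address Range -> 'Specify custom IP ranges'). Interface names
and the policy ID are placeholders taken from the article.
"""
import ipaddress


def validate_reservations(reservations):
    """Check that every user maps to a distinct, valid IPv4 host address.

    Returns {user: '<ip>/32'}, the address-object names used throughout.
    Raises ValueError on a malformed or duplicated address.
    """
    owner = {}
    for user, ip in reservations.items():
        addr = ipaddress.IPv4Address(ip)          # ValueError if not an IPv4 address
        if addr in owner:
            raise ValueError(f"{ip} is reserved for both {owner[addr]} and {user}")
        owner[addr] = user
    return {user: f"{ip}/32" for user, ip in reservations.items()}


def portal_count_ok(reservations, max_portals):
    """One portal per reserved user: refuse plans that exceed the platform's
    vpn.ssl.web.portal limit (looked up by the caller in the Maximum Value Table)."""
    return len(reservations) <= max_portals


def build_reservation_config(reservations, srcintf="ssl.root", dstintf="port4",
                             first_policy_id=29, per_user_policies=False):
    """Return CLI text for address objects, portals, SSL VPN settings and policy.

    per_user_policies=False reproduces the article's single policy listing all
    reserved addresses and all users. per_user_policies=True emits one policy per
    user whose srcaddr is only that user's /32, so the policy itself enforces the
    user-to-address binding rather than relying on the pool assignment alone.
    """
    names = validate_reservations(reservations)
    users = list(reservations)

    out = ["config firewall address"]                 # step 1: /32 address objects
    for u in users:
        out += [f'    edit "{names[u]}"',
                f"        set subnet {reservations[u]} 255.255.255.255",
                "    next"]
    out.append("end")

    out.append("config vpn ssl web portal")           # step 2: one portal per user
    for u in users:
        out += [f'    edit "{u}"',
                "        set tunnel-mode enable",
                f'        set ip-pools "{names[u]}"',  # the pool holds exactly one address
                "    next"]
    out.append("end")

    out.append("config vpn ssl settings")             # step 3: ranges + portal mapping
    out.append("    set tunnel-ip-pools " + " ".join(f'"{names[u]}"' for u in users))
    out.append("    config authentication-rule")
    for idx, u in enumerate(users, start=1):
        out += [f"        edit {idx}",
                f'            set users "{u}"',
                f'            set portal "{u}"',
                "        next"]
    out += ["    end", "end"]

    out.append("config firewall policy")              # step 4: admit the reserved hosts
    groups = [[u] for u in users] if per_user_policies else [users]
    for n, grp in enumerate(groups):
        suffix = "" if len(groups) == 1 else " " + grp[0]
        out += [f"    edit {first_policy_id + n}",
                f'        set name "SSLVPN to internal{suffix}"',
                f'        set srcintf "{srcintf}"',
                f'        set dstintf "{dstintf}"',
                "        set action accept",
                "        set srcaddr " + " ".join(f'"{names[u]}"' for u in grp),
                '        set dstaddr "all"',          # narrow to required hosts in production
                '        set schedule "always"',
                '        set service "ALL"',          # likewise restrict to required services
                "        set logtraffic all",
                "        set users " + " ".join(f'"{u}"' for u in grp),
                "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The article's two-user example, reproduced from the plan above.
    print(build_reservation_config({"User1": "192.168.100.1",
                                    "User2": "192.168.100.2"}))
```

Run it and paste the output into the CLI (or review it against the reference above); call portal_count_ok() with the 'vpn.ssl.web.portal' value for the target model before generating a plan with many users.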

 

Result when User1 and User2 are connected; each receives its reserved address:

[Screenshot: User connected.PNG]

 

Note that the number of SSL VPN portals that can be created is limited and depends on the hardware model and firmware version. Because this method needs one portal per reserved user, check the Maximum Value Table entry for 'vpn.ssl.web.portal' before applying it to a larger number of users.

 

Related article

Technical Tip: SSL VPN with external DHCP Server - Fortinet Community