FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to configure the SSL-VPN settings so that SSL-VPN web-mode traffic uses the IP pool addresses configured on the respective firewall policies.
FortiOS versions 7.0.6+ and 7.2.0.
On FortiOS 6.x, an IP pool attached to a firewall policy was used as expected when accessing bookmarks or internal resources via SSL-VPN web mode: the traffic toward the internal resource was sourced from the IP specified in the pool.
For example, the firewall policy and IP pool would look like:
# config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
end

# config firewall ippool
    edit "SSL-VPN-IP-Pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end
However, since 7.0.0, due to internal code changes, an additional setting must be enabled for the FortiGate to perform source NAT for web-mode traffic based on the IP pool configured on the policy:

# config vpn ssl settings
    set web-mode-snat enable
end
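As an added check that is not part of the original article, the following script parses a FortiOS configuration dump and flags ssl.root policies that rely on an IP pool while web-mode-snat is not enabled (the 7.0+ default). The parser is a minimal one written for this purpose, not a Fortinet tool, and the sample configuration is constructed from the policy shown above.

```python
"""Audit a FortiOS config for SSL-VPN web-mode policies that use an IP pool
while 'web-mode-snat' (off by default since FortiOS 7.0) is not enabled."""
import shlex
# Constructed sample: the page's web-mode policy, but no web-mode-snat line.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
end
config vpn ssl settings
    set port 443
end
"""
def parse_fortios(text):
    """Minimal FortiOS CLI parser: 'config'/'edit' open a scope, 'next' closes an
    edit, 'end' closes through the enclosing 'config', 'set k v...' stores values."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and '#' comment lines
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            stack.append((cur, kw))
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "next":
            cur, _ = stack.pop()
        elif kw == "end":  # FortiOS also accepts 'end' directly inside an edit
            opener = "edit"
            while opener != "config":
                cur, opener = stack.pop()
        elif kw == "set":
            cur[args[0]] = args[1:]
    return root

def audit_web_mode_snat(text):
    """Names of ssl.root policies whose IP pool is ignored for web-mode traffic."""
    cfg = parse_fortios(text)
    if cfg.get("vpn ssl settings", {}).get("web-mode-snat") == ["enable"]:
        return []
    return [pol.get("name", [pid])[0]
            for pid, pol in cfg.get("firewall policy", {}).items()
            if "ssl.root" in pol.get("srcintf", []) and pol.get("ippool") == ["enable"]]
```

Feed it the output of `show full-configuration` (or a saved backup); an empty result means every ssl.root IP-pool policy is covered by web-mode-snat.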