Article Id: 211111
Description: This article describes how to configure the SSL-VPN settings so that SSL-VPN web mode uses the IP pool addresses configured on the respective firewall policies.
Scope: FortiOS versions [ 7.0.6+ ] & [ 7.2.0 ].

On FortiOS 6.x, an IP pool attached to a firewall policy could be used as-is for SSL-VPN web mode: bookmarks and internal resources were reached with the source IP specified in that pool.


For example, a firewall policy would look like:


# config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
end


# config firewall ippool
    edit "SSL-VPN-IP-Pool"
        set type overload
        set startip <start-ip>
        set endip <end-ip>
    next
end

(<start-ip> and <end-ip> are placeholders; the article does not give the pool's address range.)


However, since FortiOS 7.0.0, internal code changes mean that FortiGate only performs source NAT for SSL-VPN web-mode traffic using the policy's IP pool when the following setting is enabled:


# config vpn ssl settings
    set web-mode-snat enable
end
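As an added example (not part of the article or of Fortinet's own tooling), the Python script below scans a FortiOS configuration backup for firewall policies sourced from an SSL-VPN interface that enable an IP pool, and reports each one when web-mode-snat is not enabled under config vpn ssl settings. It assumes a flat configuration dump (no nested config blocks inside edit entries), uses a constructed sample configuration, and treats any srcintf starting with ssl. as an SSL-VPN interface (ssl.<vdom>).

```python
# Added audit script; assumes a flat FortiOS config (no nested 'config' blocks inside 'edit').

# Constructed sample configuration, modelled on the article's policy; not from a real device.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
end
"""

def parse_blocks(text):
    """Parse 'config / edit / set / next / end' into {table: {entry_id: {key: value}}};
    settings that sit directly under 'config' (no 'edit') are stored under entry_id None."""
    blocks, table, settings = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            settings = blocks.setdefault(table, {None: {}})[None]
        elif line.startswith("edit "):
            settings = blocks[table].setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            settings[key] = value.strip('"')
        elif line == "next":  # back to table-level settings
            settings = blocks[table][None]
    return blocks

def audit_web_mode_snat(config_text):
    """One finding per ssl.<vdom>-sourced policy with 'ippool enable' while web-mode-snat is off."""
    cfg = parse_blocks(config_text)
    snat_on = cfg.get("vpn ssl settings", {}).get(None, {}).get("web-mode-snat") == "enable"
    findings = []
    for pid, policy in cfg.get("firewall policy", {}).items():
        if pid is None or not policy.get("srcintf", "").startswith("ssl."):
            continue
        if policy.get("ippool") == "enable" and not snat_on:
            findings.append(f"policy {pid} '{policy.get('name', '')}' uses IP pool "
                            f"'{policy.get('poolname')}' but web-mode-snat is disabled")
    return findings
```

Run audit_web_mode_snat() over a full config backup; an empty list means every SSL-VPN policy with an IP pool is covered by web-mode-snat.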