FortiGate
sgiannogloudis
Article Id 211111
Description This article describes how to configure the SSL-VPN settings in order to utilize IP Pools addresses configured on the respective firewall policies.
Scope FortiOS versions [ 7.0.6+ ] & [ 7.2.0 ].
Solution

On FortiOS versions v6 and above, it was possible to use an IP pool attached to a firewall policy so that SSL-VPN web mode access to bookmarks or internal resources was source-NATed to the IP address specified in that pool.
For example, a firewall policy would look like the following:
config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
end
config firewall ippool
    edit "SSL-VPN-IP-Pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end
As of 7.0.0 and above, a setting must be enabled explicitly for the FortiGate to perform source NAT using the IP pool configured on the policy; until it is enabled, web-mode traffic is not source-NATed to the pool address. This is due to internal code changes.
config vpn ssl settings
    set web-mode-snat enable
end
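To catch this change during a configuration review, the following added example (not part of the article or Fortinet's tooling) parses a FortiOS CLI dump and flags policies that enable an IP pool from an ssl.* interface while web-mode-snat is not enabled; the sample configuration is constructed, and an absent web-mode-snat line is assumed to mean the default, disabled.

```python
import shlex


def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts (config/edit open a level,
    set stores key: [values], next/end close the level)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles the quoted values FortiOS prints
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            cur = stack.pop()
    return root


def sslvpn_snat_findings(cfg):
    """Names of policies that enable an IP pool from an ssl.* interface while
    web-mode-snat is not enabled (assumed disabled when the line is absent)."""
    if cfg.get("vpn ssl settings", {}).get("web-mode-snat") == ["enable"]:
        return []
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        on_sslvpn = any(i.startswith("ssl.") for i in pol.get("srcintf", []))
        if on_sslvpn and pol.get("ippool") == ["enable"]:
            findings.append(pol.get("name", [pid])[0])
    return findings


# Constructed sample: the article's policy, one unrelated policy, and an
# SSL-VPN settings block that never enables web-mode-snat.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    next
    edit 2
        set name "LAN to WAN"
        set srcintf "LAN"
    next
end
config vpn ssl settings
end
"""
```

Running `sslvpn_snat_findings(parse_fortios(SAMPLE_CONFIG))` returns the SSL-VPN policy name; once the settings block contains `set web-mode-snat enable`, the list is empty.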
Related article:

Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4.

Comments
mauromarme
Staff

Thanks for the info.
Good job!