On v6 and above, it was possible to utilize an IP pool attached to a firewall policy to access bookmarks or internal resources via SSL-VPN Web mode based on the IP that was specified on it.

For example, a firewall policy would look like the following:

config firewall policy

    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    end

config firewall ippool
    edit "SSL-VPN-IP-Pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    end

As of v7.0.0 and above, it is now necessary to enable a setting for FortiGate to perform source NAT based on the IP pool configured. This is due to internal code changes.

config vpn ssl settings
    set web-mode-snat enable 
end

Note:

Starting from v7.0.12, v7.2.6, v7.4.0, and above 'set web-mode-snat' option under the SSL VPN settings has been removed.

Related article:

Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4.