Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Staff
Staff

Created on ‎05-03-2022 02:04 AM

Technical Tip: SSL-VPN Web mode with combination of IP Pools

Description This article describes how to configure the SSL-VPN settings in order to utilize IP Pools addresses configured on the respective firewall policies.
Scope FortiOS versions [ 7.0.6+ ] & [ 7.2.0 ].
Solution

On v6 FortiOS versions an IP pool attached on a firewall policy could be normally utilized to access bookmarks or internal resources via SSL-VPN Web mode based on the IP which was specified on it.

 

For example, a firewall policy would look like:

 

# config firewall policy

    edit 1
        set name "SSL-VPN Web Mode"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SSL-VPN-IP-Pool"
    end

 

# config firewall ippool
    edit "SSL-VPN-IP-Pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    end

 

However, since 7.0.0 and due to internal code changes it is necessary to enable a setting in order for FortiGate to perform source NAT based on the IP pool configured.

 

# config vpn ssl settings
    set web-mode-snat enable 
end
200
0 Kudos

Contact Us