gmanea
Staff
Article Id 198507

Description

 
This article explains that, under 'config vpn ssl settings', a source-interface set inside an authentication rule takes precedence over the source-interface set at the top level of 'config vpn ssl settings'.
 
Scope
 
FortiGate.

For example:
 
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1" "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set source-interface "port1"
                set source-address "all"
                set groups "test"
                set portal "full-access"
            next
        end
end

 
In this configuration, the port2 interface will not listen for connections, even for the default portal. This is for CLI only; this parameter does not show in the GUI.

If the source-interface setting is enabled, then the source-address setting is mandatory. To listen on both interfaces for one portal, it is necessary to unset the source-interface in the authentication rule.


Solution

 
If a different portal must be served on each interface, add a second authentication rule whose source-interface parameter is set to the other interface.

Example:
 
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 443
    set source-interface "port1" "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set source-interface "port1"
                set source-address "all"
                set groups "test"
                set portal "full-access"
            next
            edit 2
                set source-interface "port2"
                set source-address "all"
                set groups "test2"
                set portal "web-access"
            next
        end
end

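The precedence rule described above (an authentication rule's source-interface overrides the global list, and a globally listed interface that no rule covers does not listen at all, not even for the default portal) is easy to get wrong when reviewing a long configuration. The following Python script is an added example, not Fortinet code: it parses a 'config vpn ssl settings' block and reports which interfaces each portal actually listens on, flags interfaces that are silently not listening, and flags rules that set source-interface without the mandatory source-address. The two embedded configurations are constructed from the article's first (broken) and second (fixed) examples; the parser, the function names and the behaviour assumed when no authentication rule exists at all (global list applies) are assumptions of this example, not documented FortiOS behaviour.

```python
import shlex
from collections import defaultdict

# Constructed sample: the article's first configuration. port2 is listed
# globally but no authentication rule covers it, so it will not listen.
BROKEN_CONFIG = """\
config vpn ssl settings
    set port 443
    set source-interface "port1" "port2"
    set source-address "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set source-interface "port1"
                set source-address "all"
                set groups "test"
                set portal "full-access"
            next
        end
end
"""

# Constructed sample: the article's fix, a second rule covering port2.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "            next\n        end",
    "            next\n"
    "            edit 2\n"
    '                set source-interface "port2"\n'
    '                set source-address "all"\n'
    '                set groups "test2"\n'
    '                set portal "web-access"\n'
    "            next\n        end",
)


def parse_ssl_settings(text):
    """Hypothetical helper: parse a 'config vpn ssl settings' block.

    Returns (settings, rules): settings maps option -> list of values at the
    top level; rules maps authentication-rule id -> {option: values}.
    Only the 'set', 'config authentication-rule', 'edit', 'next' and 'end'
    lines used in such a block are understood.
    """
    settings, rules = {}, {}
    current = settings          # dict receiving 'set' lines right now
    in_rules = False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted values
        if not tokens:
            continue
        if tokens[0] == "config" and tokens[1:] == ["authentication-rule"]:
            in_rules = True
        elif tokens[0] == "edit" and in_rules:
            current = rules.setdefault(tokens[1], {})
        elif tokens[0] in ("next", "end"):
            if tokens[0] == "end":
                in_rules = False
            current = settings
        elif tokens[0] == "set" and len(tokens) >= 2:
            current[tokens[1]] = tokens[2:]
    return settings, rules


def effective_listeners(settings, rules):
    """Apply the article's precedence rule and audit the result.

    Returns ({portal: sorted interfaces}, findings). A rule's own
    source-interface wins over the global one; any global interface that no
    rule ends up covering is reported as not listening.
    """
    global_ifaces = set(settings.get("source-interface", []))
    default_portal = (settings.get("default-portal") or [None])[0]
    portals, findings, covered = defaultdict(set), [], set()
    for rule_id, rule in rules.items():
        ifaces = set(rule.get("source-interface", [])) or global_ifaces
        if "source-interface" in rule and "source-address" not in rule:
            findings.append(f"rule {rule_id}: source-interface set without "
                            "the mandatory source-address")
        portal = (rule.get("portal") or [default_portal])[0]
        portals[portal] |= ifaces
        covered |= ifaces
    if not rules:  # assumption: with no rules the global list applies
        portals[default_portal] |= global_ifaces
        covered = set(global_ifaces)
    for iface in sorted(global_ifaces - covered):
        findings.append(f"{iface}: listed globally but covered by no "
                        "authentication rule; it will not listen")
    return {p: sorted(i) for p, i in portals.items()}, findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        portals, findings = effective_listeners(*parse_ssl_settings(cfg))
        print(name, portals, findings)
```

Run against the broken configuration the audit reports that port2 does not listen and that only full-access is reachable (on port1); against the fixed configuration every global interface is covered and no finding is raised, which is the state to expect after applying the solution above.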
 

Related articles:

Technical Tip: SSL VPN with multiple links not able to login Error: Permission Denied
Troubleshooting Tip: SSL VPN Troubleshooting
Technical Tip: FortiGate debug SSL VPN daemon
Troubleshooting Tip: Possible reasons for FortiClient SSL VPN connectivity failure at specific perce...