| Description |
This article describes when using SNAT IP pool in SSL VPN policy then it has different behavior in some FortiGate versions. |
| Scope | FortiGate. |
| Solution |
Due to recent changes in some versions (v6.4.9, v7.0.1) behavior because of NAT64/NAT46 if using 'IP pool' in SSL VPN web mode firewall policy then it will not work.
As a workaround, configure the secondary IP of the interface which is associated in the SSL VPN setting as the listening interface as the IP used in the 'IP pool'.
This behavior has been fixed in v7.06 and v7.2.1 by introducing the below command option.
config vpn ssl settings set ? web-mode-snat Enable/disable use of IP pools defined in firewall policy while using web-mode.
set web-mode-snat ? enable Enable use of IP pools defined in firewall policy while using web-mode. disable Disable use of IP pools defined in firewall policy while using web-mode.
set web-mode-snat enable WARNING: IP-pools should be added as Secondary-IP to the SSL-VPN interface.
Note: Starting from v7.0.12, v7.2.6, v7.4.0 and above 'set web-mode-snat' option under the SSL-VPN settings has been removed.
Related articles: Technical Tip: SSL-VPN Web mode with combination of IP Pools Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4 |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: SSL VPN webmode behavior with SNAT...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.