When configuring SSL VPN access to the FortiGate on two different interfaces, care needs to be taken to ensure that authentication rules are properly configured to allow access via either interface.
Authentication rules are configured under VPN -> SSL -> Settings -> Authentication Rule.
We usually specify one rule for the SSL VPN user group and then one for all other groups.
When two interfaces are configured for SSL VPN, the thing to look for is that the authentication rule is created for the first interface only.
So there are two ways that we can resolve this issue through the CLI:
1) Set the source interface to any and the source address to all
2) Create another authentication rule and configure all the parameters for that rule as desired and set the source interface as the second interface for SSL VPN.
The CLI commands to configure the Authentication rule for SSL VPN are as follows:
# config vpn ssl settings
(settings) # get
(Only important configuration shown)
source-interface:
    == [ wan1 ]
    name: wan1
    == [ wan2 ]
    name: wan2
source-address:
    == [ all ]
    name: all
source-address-negate: disable
source-address6:
    == [ all ]
    name: all
source-address6-negate: disable
default-portal : web-access
authentication-rule:
    == [ 1 ]
    id: 1
(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # get
id : 1
source-interface:
    == [ wan1 ]    <----- Interface is set to wan1 and none for wan2
    name: wan1
source-address:
    == [ all ]
    name: all
Solution 1 -- Modify authentication rule to match both interfaces
# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # set source-interface any
(1) # next
(authentication-rule) # end
(settings) # end
Solution 2 -- Add a new authentication rule for the second interface.
# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 2
new entry '2' added
(2) # set source-interface wan2
(2) # next
(authentication-rule) # end
(settings) # end
Solution 3 -- Add multiple interfaces in the same authentication rule.
# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # set source-interface wan1 wan2 <-----
(1) # next
(authentication-rule) # end
(settings) # end
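To check a saved configuration for the mismatch described above, the following added example (not part of the original article and not Fortinet code) compares the SSL VPN listening interfaces with the interfaces named in the authentication rules. The function name uncovered_interfaces, the helper _values and the sample text are constructed for illustration, and the sample assumes the nested "show vpn ssl settings" layout using only the settings that appear on this page.

```python
# Constructed sample in the layout of "show vpn ssl settings"; it mirrors the
# page's starting state (SSL VPN on wan1 and wan2, rule 1 bound to wan1 only).
SAMPLE_SHOW_OUTPUT = '''
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
        next
    end
end
'''

def _values(line):
    """Return the values of a 'set <key> v1 v2 ...' line, quotes stripped."""
    return [v.strip('"') for v in line.split()[2:]]

def uncovered_interfaces(show_output):
    """List SSL VPN listening interfaces that no authentication rule names.

    Assumption: each rule sets source-interface explicitly; a rule without
    that line is treated as covering no interface.
    """
    listening, covered, in_rules = [], set(), False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif line == "end":
            in_rules = False  # closes the rule table (or the outer block)
        elif line.startswith("set source-interface "):
            if in_rules:
                covered.update(_values(line))
            else:
                listening = _values(line)
    if "any" in covered:  # Solution 1: one rule matches every interface
        return []
    return [name for name in listening if name not in covered]

if __name__ == "__main__":
    for name in uncovered_interfaces(SAMPLE_SHOW_OUTPUT):
        print(f"no authentication rule matches SSL VPN interface {name}")
```

An empty result means every listening interface is named by some rule, which is the state each of the three solutions produces.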