Description:
This article describes how using a SNAT IP pool in an SSL VPN policy behaves differently in some FortiGate versions.
Scope: FortiGate.
Solution:
Due to recent NAT64/NAT46-related behavior changes in some OS versions (6.4.9, 7.0.1), an 'IP pool' used in an SSL VPN web mode firewall policy will not work.
As a workaround, configure the IP used in the 'IP pool' as a secondary IP on the interface that is set as the listening interface in the SSL VPN settings.
This behavior has been fixed in 7.0.6 and 7.2.1 by introducing the command option below.
# config vpn ssl settings
    set ?
web-mode-snat    Enable/disable use of IP pools defined in firewall policy while using web-mode.

# set web-mode-snat ?
enable     Enable use of IP pools defined in firewall policy while using web-mode.
disable    Disable use of IP pools defined in firewall policy while using web-mode.

# set web-mode-snat enable
WARNING: IP-pools should be added as Secondary-IP to the SSL-VPN interface.
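
The workaround and the new option put together, as an added FortiOS CLI example that is not part of the original article. The interface name wan1, pool name sslvpn-web-pool, policy ID 10, the address 198.51.100.10 and its /32 mask are constructed placeholders, and the lines starting with # are annotations for the reader.

```text
# Constructed values: wan1, sslvpn-web-pool, policy 10, 198.51.100.10.

# 1. IP pool referenced by the SSL VPN web mode firewall policy.
config firewall ippool
    edit "sslvpn-web-pool"
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end

# 2. The same address as a secondary IP on the SSL VPN listening
#    interface (mask is an assumption; match your own addressing).
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.10 255.255.255.255
            next
        end
    next
end

# 3. On versions that have the option: let web mode use policy IP pools.
config vpn ssl settings
    set source-interface "wan1"
    set web-mode-snat enable
end

# 4. Existing SSL VPN policy (ID 10 assumed) with SNAT to the pool.
config firewall policy
    edit 10
        set nat enable
        set ippool enable
        set poolname "sslvpn-web-pool"
    next
end
```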
Related Article: Technical Tip: SSL-VPN Web mode with combination of IP Pools