Created on 04-30-2015 12:07 PM. Edited on 07-10-2024 12:53 AM by Jean-Philippe_P.
Description
This article describes how to identify the source IP address used by FortiGate when accessing bookmarked services via the SSL VPN Web Portal.
Scope
FortiGate.
Solution
Internal network resources made accessible through SSL VPN Web Portal bookmarks may sit behind a complex LAN topology (for example, a remote network reachable over a site-to-site IPsec VPN whose LAN is itself a private MPLS network).
In these cases, the source IP address that the FortiGate uses when accessing bookmarks must be identified so that routing and firewall policies can be configured on the far-end router that acts as the default gateway for this LAN.
The source IP address used by FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy.
Example:
With the CLI configuration below, the source IP address is that of the DMZ interface, 10.10.10.1.
config system interface
    ...
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm capwap
        set vlanforward enable
        set type physical
        set snmp-index 4
    …
end
config firewall policy
    …
    edit 2
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Local_DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Test_Group"
        set nat enable
    next
end
Note: If a different source IP address must be used to reach resources through web-mode SSL VPN, and that address is not assigned to a FortiGate interface, an ippool can be used to NAT the traffic to the desired address.
The same NAT-based solution must be used when the outgoing interface has no IP address of its own, for example on a point-to-point connection using VDOM links.
Internal DNS servers specific to the SSL VPN portal may need to be configured so that bookmarks can be accessed by internal hostname (see the related article below).
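To apply the rule above (the outgoing interface's address, or the IP pool address when the policy has one attached) to a configuration dump, here is an added Python example that is not part of the Fortinet article. The config text, the interface name vlink0 and the pool name portal_nat are constructed for the example, and the parser assumes a flat dump with no nested config blocks.

```python
import shlex
# Constructed FortiOS CLI excerpt (not from a real device): the article's DMZ policy, plus a VDOM link "vlink0" with no address reached without and with an ippool.
SAMPLE_CONFIG = """
config system interface
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
end
config firewall ippool
    edit "portal_nat"
        set startip 192.0.2.50
    next
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "dmz"
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "vlink0"
    next
    edit 4
        set srcintf "ssl.root"
        set dstintf "vlink0"
        set ippool enable
        set poolname "portal_nat"
    next
end
"""

def parse_fortios(text):  # flat FortiOS dump -> {table: {entry: {key: [values]}}}
    tables, table, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):  # "..." and "…" lines are ignored
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables
def bookmark_source_ip(cfg, policy_id):  # -> (source_ip or None, where it comes from)
    pol = cfg["firewall policy"][policy_id]
    if pol.get("ippool") == ["enable"]:  # the article's Note: traffic is NATed to the pool address
        name = pol["poolname"][0]
        return cfg["firewall ippool"][name]["startip"][0], f"ippool {name}"
    intf = pol["dstintf"][0]  # otherwise the outgoing interface's own address is used
    ip = cfg["system interface"].get(intf, {}).get("ip", ["0.0.0.0"])[0]
    if ip == "0.0.0.0":  # absent from the dump or without "set ip" (e.g. a VDOM link)
        return None, f"interface {intf} has no IP; attach an ippool and enable NAT"
    return ip, f"interface {intf}"
```

Running bookmark_source_ip over policies 2, 3 and 4 returns the DMZ address, no usable address (the VDOM-link case), and the pool address respectively.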
Related Articles:
Technical Note: Firewall Policy check for SSL-VPN Web mode (portal)
Copyright 2024 Fortinet, Inc. All Rights Reserved.