kkhushdeep
Staff
Article Id 330877
Description This article discusses the difficulty of adding the SSL VPN interface (ssl.root) to an existing firewall policy that already has one or more source interfaces.
Scope FortiGate.
Solution

When highly granular firewall policies already exist for internal users and the same controls are to be enforced for SSL VPN users, the following issue can be encountered.

To avoid creating a separate set of policies for SSL VPN, an administrator may try to add the SSL VPN interface object (ssl.root) to the source interfaces of a policy that already includes other interfaces. When this is done, all other interfaces are removed from the source interface field, and the policy is left with ssl.root as its only source.

 
The ssl.root interface can be used either as the single source interface of a policy or as a member of a zone.

See the following article for how to add the ssl.root interface to a zone:

Technical Tip: How to use 'ssl.root' interface in zone

 
The reason is that SSL VPN policies are inherently tied to the SSL VPN process, so the ssl.root interface cannot be treated like other interfaces and cannot be mixed with them in the same source interface field.

Selecting 'any' as the source interface does not work either: the SSL VPN Settings page then reports that no SSL VPN policy is configured.

Starting with FortiOS 7.0.1, this requirement is covered by allowing the ssl.root interface to be added to a zone; the zone can then be used as the source interface of an IPv4 policy together with the other interfaces in that zone.

The feature is described in the following document: Use SSL VPN interfaces in zones 7.0.1.
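The following FortiOS CLI configuration is an added example that is not part of the original article; it shows the zone approach on FortiOS 7.0.1 or later. The interface names (port1, port2, port3), the zone name, the address objects LAN_NET and SERVER_NET, and the user group vpn_users are assumptions for illustration; SSLVPN_TUNNEL_ADDR1 is the default address object for the SSL VPN tunnel IP pool.

```text
# Added example (assumed names): a zone that contains ssl.root and an internal
# interface, so one policy can serve both SSL VPN clients and LAN hosts.
config system zone
    edit "lan_and_sslvpn"
        set interface "ssl.root" "port2"
    next
end

# SSL VPN listener on the WAN interface, with the group allowed to connect.
config vpn ssl settings
    set source-interface "port1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpn_users"
            set portal "full-access"
        next
    end
end

# The zone, not ssl.root itself, is the source interface, so the policy is
# not stripped down to ssl.root only. Because the policy carries a user group,
# every source arriving through the zone must authenticate: SSL VPN clients
# do so at tunnel login, LAN hosts on port2 get an authentication page.
config firewall policy
    edit 10
        set name "lan_sslvpn_to_servers"
        set srcintf "lan_and_sslvpn"
        set dstintf "port3"
        set srcaddr "LAN_NET" "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SERVER_NET"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set groups "vpn_users"
        set logtraffic all
    next
end
```

Before applying this, confirm with 'get system status' that the firmware is 7.0.1 or later, and remove any existing policy that references ssl.root or port2 directly as an interface: an interface that is a zone member can no longer be selected on its own in a policy, and the zone edit is rejected while such references exist.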

 
Note: The drawback of this approach is that both SSL VPN users and users arriving from the other interfaces in the zone have to authenticate against the policy:

SSL VPN users: authenticate via FortiClient when they log in to the tunnel.
Other users: are prompted with an authentication page before their traffic is allowed.