Description
This article describes how SSL VPN interfaces can be placed in zones. The SSL VPN interface can be included in a zone as described in the documentation below:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/538358/use-ssl-vpn-interfaces-in-zon...
https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/538358/use-ssl-vpn-interface...
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/538358/use-ssl-vpn-interface...
Scope
FortiGate.
Solution
Because this is a new feature in 7.0.x, it is very likely that the user already had SSL VPN configured in 6.4 or earlier and wants to adopt zones after moving to 7.0, 7.2 or 7.4. The design and the explanation in the documentation above assume a fresh implementation.
Unfortunately, when an SSL VPN interface that is already referenced by existing configuration (for example firewall policies with ssl.root as source interface) is added to a zone, those references are not merged correctly, and subsequent SSL VPN logins fail, most likely logged as 'sslvpn_login_unknown_user'. Because this sequence of commands is not supported for an SSL VPN interface already in use, two options are available to fix the issue:
1) Reboot the device so the merged configuration takes effect.
2) Remove the configuration references to the interface (such as firewall policies using ssl.root), add the interface to the zone, and then recreate the configuration against the zone.
From 7.4.0 a warning informs the user that a reboot is required to merge the interface configuration (when configuration already references the interface intended for the zone). It looks like this:
FortiGate (zone) # edit ingress-zone
FortiGate (ingress-zone) # append interface ssl.root
FortiGate (ingress-zone) # end
'This zone is used by at least one policy. If you want to add ssl.root to this zone, you must reboot the FortiGate unit in order for the changes to take effect.'
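The following CLI walkthrough is an added example, not part of the Fortinet article, showing option 2 above (remove references, add the interface to the zone, recreate the configuration) on a FortiGate that already had SSL VPN policies on ssl.root before the upgrade, together with the point at which the 7.4.0 warning would otherwise appear. The zone name ingress-zone and the interface ssl.root come from the article; policy ID 10, the interface port2, the address object LAN_subnet and the user group sslvpn-users are placeholders assumed for this example.

```fortios
# Added example (not from the Fortinet article). Placeholders: policy 10,
# port2, LAN_subnet, sslvpn-users. ingress-zone and ssl.root are the names
# used in the article.

# 1. List every object that still references ssl.root directly. Each of these
#    references is what blocks a clean merge into the zone.
diagnose sys checkused system.interface.name ssl.root

# 2. Record and remove the direct reference. Policy 10 stands for the
#    pre-upgrade SSL VPN policy whose srcintf is ssl.root.
show firewall policy 10
config firewall policy
    delete 10
end

# 3. Add ssl.root to the zone. With no references left this takes effect
#    immediately. If references had been left behind, 7.4.0 prints the warning
#    quoted above and the change only takes effect after "execute reboot"
#    (option 1).
config system zone
    edit "ingress-zone"
        append interface ssl.root
    next
end

# 4. Recreate the SSL VPN policy with the zone, not ssl.root, as the source
#    interface. SSLVPN_TUNNEL_ADDR1 is the default SSL VPN tunnel address range.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ingress-zone"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
end

# 5. Verify: ssl.root should now be referenced only through the zone, and a
#    test login should no longer be logged as sslvpn_login_unknown_user.
#    The debug lines show the login processing in real time; reset when done.
diagnose sys checkused system.interface.name ssl.root
diagnose debug application sslvpn -1
diagnose debug enable
diagnose debug reset
```

Run step 1 again after step 2 and before step 3: if anything other than the zone still lists ssl.root (VPN settings, routes, other policies), remove that reference too, otherwise the merge falls back to the reboot-required behaviour described above.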
Copyright 2024 Fortinet, Inc. All Rights Reserved.