FortiGate
anikolov
Staff
Article Id 257743

Description


This article describes how to place the SSL VPN interface into a zone. The SSL VPN interface can be added to a zone as described in the documentation below:

Use SSL VPN interfaces in zones v7.0.1
Use SSL VPN interfaces in zones v7.2.0
Use SSL VPN interfaces in zones v7.4.0


Scope


FortiGate.


Solution


Since this is a new feature in 7.0.x, it is likely that the user is already running SSL VPN on 6.4 or earlier and wants to adopt this design after moving to 7.0, 7.2 or 7.4. The design and the explanation in the documentation above assume a new implementation, not a migration of an existing one.


Unfortunately, if the zone configuration is merged into a setup where SSL VPN is already in place, an issue arises that most likely shows up as an 'sslvpn_login_unknown_user' log entry: the sequence of commands is not supported while the SSL VPN interface is already in use. Two options are available to fix the issue:

  1. Reboot the device.
  2. Remove the configuration (references) from the interfaces, add the interfaces in the zone, and redo the configuration.
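The following CLI session is an added example of option 2, not part of the original article. It assumes a single existing firewall policy (ID 10) that references ssl.root directly, a LAN interface named port2, the default SSLVPN_TUNNEL_ADDR1 address object and a user group named sslvpn-users; the zone name ingress-zone and the interface name ssl.root come from the article, all other names are constructed. Other references to ssl.root (for example static routes or address objects bound to the interface) are handled the same way: remove them first, add the interface to the zone, then recreate them against the zone.

```fortios
# Step 1 (assumed starting state): policy 10 references ssl.root as its source
# interface. Remove the reference so ssl.root is free to join the zone.
config firewall policy
    delete 10
end

# Step 2: create the zone and add the SSL VPN interface to it.
config system zone
    edit "ingress-zone"
        set interface "ssl.root"
    next
end

# Step 3: recreate the policy against the zone instead of the interface.
# The group restriction is what ties the policy to authenticated SSL VPN users.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ingress-zone"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set logtraffic all
    next
end

# Verify that ssl.root is a member of the zone and that the policy now
# references the zone rather than the interface.
show system zone ingress-zone
show firewall policy 10
```

A policy recreated this way is appended at the end of the policy sequence, so check its position afterwards and use `move 10 before <id>` if the original order matters. Once a user connects, the log should show a normal SSL VPN login rather than 'sslvpn_login_unknown_user'.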


From v7.4.0, the CLI warns the user that a reboot is required to merge the interface configuration (that is, when the interfaces intended for the zone already have configuration references). The warning looks like this:


FortiGate (zone) # edit ingress-zone
FortiGate (ingress-zone) # append interface ssl.root
FortiGate (ingress-zone) # end


'This zone is used by at least one policy. If you want to add ssl.root to this zone, you must reboot the FortiGate unit in order for the changes to take effect.'



Note:

Using the SSL VPN interface (ssl.root) as a member of an interface zone has a known issue on some firmware versions. For more information, refer to this KB article:
Troubleshooting Tip: SSL VPN connection fails when ssl.root interface is added to a zone