FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id: 214850
Description: This article explains why an SSL VPN bookmark fails when an IP pool is used in the firewall policy.
Scope: FortiOS 6.4.9, 7.0.1, 7.2.0 and earlier.

In SSL VPN web mode, a user can create a personal bookmark to connect to internal resources.


When the user opens the bookmark, the FortiGate itself originates a connection from the FortiGate to the remote resource. The source IP of that connection is the IP of the interface through which the internal resource is reached.


[SSL VPN Bookmark] FortiGate [Internal1 - IP x.x.x.x] <-> [y.y.y.y] WebServer


The TCP SYN is formed as follows:


src.ip x.x.x.x, dst.ip y.y.y.y, src.port aaaa, dst.port 443


There are situations where customers need a source IP other than that of Internal1 (x.x.x.x); an IP pool is usually the option chosen for this.


After FortiOS v6.4.9, v7.0.1 and v7.2.0, the way FortiOS handles this traffic changed as a result of an optimization of the kernel processing flow.


The following topology and configuration demonstrate the behavior:


Internet -> [SSL VPN Bookmark] FortiGate1 [ippool] <-> IPSec <-> [FortiGate2] <-> WebServer []


# config vpn ssl web portal
    edit "web-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "ApacheTest"
                        set url ""


# config firewall ippool
    edit "Test"
        set startip
        set endip


# config firewall policy
    edit 3
        set name "ToVpn"
        set srcintf "ssl.root"
        set dstintf "VPN-V-LATIS"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "Test"
        set groups "VpnGroup"
        set nat enable




The IPSec SA selectors are restricted to the IP pool address by company policy.


# config vpn ipsec phase2-interface
    edit "Prueba SSL Latis"
        set phase1name "VPN-V-LATIS"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 3600
        set src-subnet
        set dst-subnet

# config router static
    edit 1
        set dst
        set device "VPN-V-LATIS"


With only the IP pool enabled on the firewall policy, the SSL VPN bookmark fails: the SYN/ACK returned by the web server is forwarded toward the Internet, because the FortiGate does not recognize the connection as local (the pool address is not one of its own addresses).


# diagnose sniffer packet any '' 4 0 l

Using Original Sniffing Mode
2022-06-15 08:25:03.327261 VPN-V-LATIS out -> syn 1295851828
2022-06-15 08:25:03.327994 VPN-V-LATIS in -> syn 2859351378 ack 1295851829
2022-06-15 08:25:03.328017 port1 out -> syn 2859351378 ack 1295851829

For the FortiGate to recognize this traffic as local, define the IP pool addresses as secondary IPs on the outgoing interface, or assign them to a loopback interface.


After creating the loopback interface, the SSL VPN bookmark works.


# config system interface
    edit "Lo0"
        set ip
        set type loopback
        set snmp-index 14


The SYN/ACK is now handled by the FortiGate and the web server is reachable through the bookmark.
The SYN/ACK is routed through the root to be processed locally by the FortiGate instead of being forwarded out port1.


# diagnose sniffer packet any 'host' 4 0 l

Using Original Sniffing Mode
2022-06-15 08:39:47.460948 VPN-V-LATIS out -> syn 420135737
2022-06-15 08:39:47.462019 VPN-V-LATIS in -> syn 3796813690 ack 420135738
2022-06-15 08:39:47.462046 VPN-V-LATIS out -> ack 3796813691
2022-06-15 08:39:47.462229 VPN-V-LATIS out -> psh 420135738 ack 3796813691
2022-06-15 08:39:47.463465 VPN-V-LATIS in -> ack 420136418
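The check below is an added example, not Fortinet code and not part of this article. It parses a small FortiOS-style configuration (constructed for this example, with placeholder addresses) and flags SSL VPN web-mode policies (srcintf "ssl.root") that enable an IP pool whose addresses are not owned by the FortiGate, that is, not an interface IP, a secondary IP, or a loopback IP. It models the rule the article describes: return traffic to a pool address the unit does not own is routed, not delivered locally. The parser, the policy "ToVpn-broken" and the pool "Orphan" are assumptions made for the example.

```python
import ipaddress
import shlex

# Constructed sample configuration in FortiOS CLI style, modelled on the
# article's topology. All addresses are placeholders chosen for this example.
SAMPLE_CONFIG = """
config system interface
    edit "Internal1"
        set ip 10.1.1.1 255.255.255.0
    next
    edit "Lo0"
        set ip 10.99.0.1 255.255.255.255
        set type loopback
    next
end
config firewall ippool
    edit "Test"
        set startip 10.99.0.1
        set endip 10.99.0.1
    next
    edit "Orphan"
        set startip 10.98.0.1
        set endip 10.98.0.2
    next
end
config firewall policy
    edit 3
        set name "ToVpn"
        set srcintf "ssl.root"
        set dstintf "VPN-V-LATIS"
        set ippool enable
        set poolname "Test"
        set nat enable
    next
    edit 4
        set name "ToVpn-broken"
        set srcintf "ssl.root"
        set dstintf "VPN-V-LATIS"
        set ippool enable
        set poolname "Orphan"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Parse nested 'config / edit / set / next / end' blocks into dicts.

    Result shape: {"system interface": {"Lo0": {"ip": ["10.99.0.1", "..."]}}}
    """
    root = {}
    stack = [root]  # the dict currently being filled is always stack[-1]
    for raw in text.splitlines():
        words = shlex.split(raw)  # shlex keeps quoted names with spaces intact
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(words[1], {}))
        elif kw == "set":
            stack[-1][words[1]] = words[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def local_addresses(cfg):
    """Addresses the FortiGate owns: interface IPs, secondary IPs, loopbacks."""
    addrs = set()
    for iface in cfg.get("system interface", {}).values():
        if "ip" in iface:
            addrs.add(ipaddress.ip_address(iface["ip"][0]))
        for sec in iface.get("secondaryip", {}).values():
            if "ip" in sec:
                addrs.add(ipaddress.ip_address(sec["ip"][0]))
    return addrs


def pool_addresses(cfg, poolname):
    """Expand startip..endip of an IP pool into individual addresses."""
    pool = cfg["firewall ippool"][poolname]
    start = int(ipaddress.ip_address(pool["startip"][0]))
    end = int(ipaddress.ip_address(pool["endip"][0]))
    return [ipaddress.ip_address(i) for i in range(start, end + 1)]


def find_broken_bookmark_policies(cfg):
    """Return (policy name, pool name, unowned addresses) for ssl.root policies
    whose IP pool contains addresses the FortiGate does not own; bookmark
    traffic SNATed to such an address gets its SYN/ACK routed away."""
    local = local_addresses(cfg)
    broken = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("srcintf", [""])[0] != "ssl.root":
            continue
        if pol.get("ippool", ["disable"])[0] != "enable":
            continue
        for name in pol.get("poolname", []):
            missing = [str(a) for a in pool_addresses(cfg, name) if a not in local]
            if missing:
                broken.append((pol.get("name", [pid])[0], name, missing))
    return broken


if __name__ == "__main__":
    for name, pool, missing in find_broken_bookmark_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {name}: pool {pool} has unowned addresses {missing}")
```

Policy "ToVpn" passes because its pool address 10.99.0.1 is the Lo0 address, matching the fix in the article; "ToVpn-broken" is reported because nothing on the unit owns 10.98.0.1 or 10.98.0.2, which is the situation in the first sniffer capture.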