I'm trying to consolidate several WAN links on a 100D running 5.4.5 into a WAN LLB link, and there is a problem: we're using SSL VPN full tunnel mode (not split tunnel) and there does not appear to be a way to create an ssl.root -> virtual-wan-link policy; selecting one removes the other from selection option. Is there some prerequisite for this that I'm missing, or are WAN LLB and SSL full tunnel modes currently incompatible?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yesterday I was running into the same thing. To create the WAN LLB interface I had to free up our 2 WAN interfaces so I replaced them with an unused interface in all policies. After this I created the WAN LLB interface and reassigned it to the policies. Redundant internet connection was working as expected but I couldn't assign the WAN LLB interface or one of the to physical WAN interfaces to the SSL.root<->WAN policy. After this I rolled back. I'm also using 5.4.5 and now I'm also questioning If this 2 features (WAN LLB and SSL VPN) are incompatible (within the same vdom)?
I opened a ticket with support and they told me as much. I suppose I'll have to use zones when I need full tunnel VPN, same way I did before they added WAN LLB in 5.2.
Dear friends,
wan-load balance and ssl vpn are two different technology .In wan-load you are going out with different Publi IP because you have marge all wan to get redundant internet and wan connection is terminated on you firewall with gateway and static routes.
But in SSL vpn you are first find the Public IP then using credential you are login.
you can merge wan IP from out side to use that service . Per wan port theri is seperate SSL link need to be created .
may be foritOS 5.6 can help you in that thing .
best regards
Hi. It's clear that we are talking about two different features but it seems that if you make use of WAN LLB you are not able to use SSLVPN Tunnelmode. For SSLVPN Tunnelmode you need to have a ssl.root-internal and an ssl.root-wan policy. The thing is that if you have bundled the WAN interfaces to a WAN LLB link you are not able to select one of this interfaces for the ssl.root-wan policy. They are not offered for selction. In theory it should be possible to use the WAN LLB feature for outgoing connections only and leave SSL VPN untouched but it isn't implemented this way. The tutorial for 5.6 looks the same.
Exactly, and you can still use SSL VPN with WAN LLB - you can select the individual WAN interfaces in SSL VPN settings as available for incoming connections, and you can create ssl.root -> whatever interface policies just fine, so split tunnel mode works, except for ssl.root -> virtual-wan-link which denies you full tunneling.
So it's not possible to use SSL VPN with WanLink to route some traffic to Internet via VPN, in version 5.4?
I was running version 5.2.10 and it works fine, then I upgrade to 5.4.5, now I'm not able to configure this anymore.
Just to add some info, If I create a rule with dstinterface ANY, the traffic is routable to Internet, but use ANY is not acceptable to me.
in fortios 5.6.x you have now the capability to create a rule from ssl.root-WAN LLB.
Fortigate Newbie
Thank you for your answer. I knew that my firmware was old, but it worked perfectly until now. So i will try to migrate my devices this week and give you the result.
Best regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1690 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.