hello,
When I connect to our FortiClient VPN and navigate to the Fortinet SSL VPN Virtual Ethernet Adapter settings, I observe the default configuration upon establishing the connection as below:
Under General tab, IP Address: 10.212.134.201 and Gateway: 255.255.255.255. For the DNS is 8.8.8.8 and 8.8.4.4. This basically enables us to connect to our office environment and all the network resources.
Next, what i have done is made some changes under the Advance tab, i have added another IP: 192.168.0.33 and also a gateway: 192.168.0.1. Having added this did not disturb my internet access or to our local network resources through VPN. In fact, after disconnecting from VPN the settings i have added earlier will disappear and return to it's default settings under the advance tab.
So, my question is having added this extra info under the advance tab will it in anyway be an issue or create some form of security issue? By the way our office environment is in the 192.168.x.x range.
Maybe you could help and provide some details on this. Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10.212.134.201/32 was assigned by the FGT and sent down to the client with those DNS IPs: 8.8.8.8/8.8.4.4. You can confirm that in the FGT SSL VPN configuration if you're managing it.
Adding an secondary IP 192.168.0.33/24 on the dynamic VPN interface on the client (windows) machine side is fine because it won't remove the primary/assigned IP, but adding GW 192.168.0.1 wouldn't do anything good. Because the GW side of this interface is the FGT only unlike LAN interfaces so it has to be configured on "ssl.root" interface to make it even reachable.
It's a dynamic interface so when the VPN goes down the additional manual configuration would be gone.
Why do you want/need to configure those, which wouldn't do anything?
Toshi
Hi, i was just trying out to see what works. The reason for doing this because we are using an application that does not work over VPN, the vendor informed us that in order for this app to work over VPN it has to be in the same subnet due to some licensing issue.
So, it was just basically a trial and error thing to see if the app works but having done the changes as above the app works. I will try to remove the GW and see if it still works. Thanks for the update.
It probably won't work in any way you modified. VPN end points wouldn't be a part of a LAN subnet on the FGT.
Toshi
Well the app worked with the additional IP and subnet mask added. Thanks anyways.
Hi @jcm,
You can simply enable NAT on the firewall policy and the application server will see traffic coming from the FortiGates interface IP which is in the same subnet.
Regards,
Windows certainly won't block you from adding an arbitrary IP on the virtual VPN interface.
Where you will hit a wall is the FortiGate. It does not know that this IP is currently "owned" by your VPN client (routing table won't point 192.168.x.y to your VPN client), so it will not know where to route reply traffic to, and it will be lost/dropped. (assuming the incoming packet from the client is accepted at all, which I'm not too sure about)
Adding additional IP and Gateway under Fortinet SSL VPN's Advanced tab for local network access is generally safe. However, verify compatibility with your office network's IP range (192.168.x.x) to avoid conflicts. Regularly review security policies for best practices. Running Fred
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.