Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jcm
New Contributor

Created on ‎11-20-2023 08:16 PM

Adding additional IP and Gateway under Fortinet SSL VPN

hello,

When I connect to our FortiClient VPN and navigate to the Fortinet SSL VPN Virtual Ethernet Adapter settings, I observe the default configuration upon establishing the connection as below:
Under General tab, IP Address: 10.212.134.201 and Gateway: 255.255.255.255. For the DNS is 8.8.8.8 and 8.8.4.4. This basically enables us to connect to our office environment and all the network resources.

Next, what i have done is made some changes under the Advance tab, i have added another IP: 192.168.0.33 and also a gateway: 192.168.0.1. Having added this did not disturb my internet access or to our local network resources through VPN. In fact, after disconnecting from VPN the settings i have added earlier will disappear and return to it's default settings under the advance tab.

So, my question is having added this extra info under the advance tab will it in anyway be an issue or create some form of security issue? By the way our office environment is in the 192.168.x.x range.

Maybe you could help and provide some details on this. Thanks.


Tally_VPN.png

Labels:
2514
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-20-2023 11:30 PM Edited on ‎11-20-2023 11:31 PM

10.212.134.201/32 was assigned by the FGT and sent down to the client with those DNS IPs: 8.8.8.8/8.8.4.4. You can confirm that in the FGT SSL VPN configuration if you're managing it.

Adding an secondary IP 192.168.0.33/24 on the dynamic VPN interface on the client (windows) machine side is fine because it won't remove the primary/assigned IP, but adding GW 192.168.0.1 wouldn't do anything good. Because the GW side of this interface is the FGT only unlike LAN interfaces so it has to be configured on "ssl.root" interface to make it even reachable.
It's a dynamic interface so when the VPN goes down the additional manual configuration would be gone.

 

Why do you want/need to configure those, which wouldn't do anything?

 

Toshi
 

2443
jcm
New Contributor
In response to Toshi_Esumi

Created on ‎11-20-2023 11:57 PM

Hi, i was just trying out to see what works. The reason for doing this because we are using an application that does not work over VPN, the vendor informed us that in order for this app to work over VPN it has to be in the same subnet due to some licensing issue.

So, it was just basically a trial and error thing to see if the app works but having done the changes as above the app works. I will try to remove the GW and see if it still works. Thanks for the update.

2438
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to jcm

Created on ‎11-21-2023 08:20 AM

It probably won't work in any way you modified. VPN end points wouldn't be a part of a LAN subnet on the FGT.

 

Toshi

2402
jcm
New Contributor
In response to Toshi_Esumi

Created on ‎11-21-2023 05:53 PM

Well the app worked with the additional IP and subnet mask added. Thanks anyways.

2388
0 Kudos
hbac
Staff
Staff
In response to jcm

Created on ‎11-22-2023 06:12 AM

Hi @jcm,

 

You can simply enable NAT on the firewall policy and the application server will see traffic coming from the FortiGates interface IP which is in the same subnet. 

 

Regards, 

2365
pminarik
Staff
Staff

Created on ‎11-21-2023 12:14 AM

Windows certainly won't block you from adding an arbitrary IP on the virtual VPN interface.
Where you will hit a wall is the FortiGate. It does not know that this IP is currently "owned" by your VPN client (routing table won't point 192.168.x.y to your VPN client), so it will not know where to route reply traffic to, and it will be lost/dropped. (assuming the incoming packet from the client is accepted at all, which I'm not too sure about)

[ corrections always welcome ]
2432
alisoncarl
New Contributor

Created on ‎11-28-2023 11:23 PM

Adding additional IP and Gateway under Fortinet SSL VPN's Advanced tab for local network access is generally safe. However, verify compatibility with your office network's IP range (192.168.x.x) to avoid conflicts. Regularly review security policies for best practices. Running Fred

2204
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.