Don't use VIP to a local interface?
We have a support ticket created where we have an issue denying traffic to a VIP, and the TAC engineer states that you shouldn't use VIPs to a local interface IP for SSLVPN or management access.
Often we create a VIP to get HTTPS or SSH to a FortiGate, and in some cases we use a VIP to SSLVPN to be able to have some better visibility to block traffic with normal policies instead of local-in policies.
Does anyone have any information on whether it is correct these days that you shouldn't use a VIP to a local FortiGate interface IP?
Thanks.
- Labels: FortiGate
@esec On the latest versions it is not recommended to use a VIP for local traffic to the FortiGate.
A VIP is basically NAT, so you do NATing from public to private ranges, and I doubt it will NAT itself for local traffic.
Thanks, never heard of that. In this case it's a VIP to a public IP.
Do you have any reference to this? And to clarify, is it not recommended or not supported? :grinning_face:
Technical Tip: Access SSL VPN from Secondary IP on... - Fortinet Community
Is this unsupported @xshkurti @sgagan?
OK, according to support, this is not supported.
