cpd
New Contributor

Hide private wan IP in SSL-VPN

Hello All!
We have configured an SSL-VPN on a FortiGate 60F. The firmware version is 7.2.5.
This box is behind the company's firewall, so the public IP address is "NATed" to the internal IP of the WAN interface.

The tunnel is established and seems to work fine. The problem is that the internal IP address (that of the WAN interface) appears in the FortiClient app as the remote address of the tunnel.
This is a security risk, so we need to hide this IP.
Does anyone have an idea on how to do this?
Thank you!

 

chauhans
Staff

Hi @cpd ,

 

As I have understood, you have the below setup:

[SSLVPN user]--------[Internet]-------<<Public wan [Company's FW] Private lan >>-------------<<Private wan [FortiGate FW] lan>>

And you have mentioned you are able to see the private IP address of the FortiGate WAN interface in FortiClient. Could you please correct me if I am wrong?

Can you share error screenshots, so I can understand better?

 

Thanks

cpd
New Contributor

Hello @chauhans !
That's correct. The FortiClient Android app is showing the private IP address. Obviously, it is connecting to the public IP address.

In the picture below, the address 10.10.x.x is the internal IP address of the WAN interface of the FortiGate:

FortiClient.jpeg

 

Toshi_Esumi

I don't think it's hidable. Why do you think it's a security risk? The 10.10.x.x IP is not reachable from the internet, just like 192.168.1.99. And, if the users are savvy enough, they can easily see that IP once they get into an internal device, with traceroute or other methods, anyway.

 

Toshi

cpd

Hello @Toshi_Esumi!
Any private information exposed to the public is a security risk at some level.
In this case, the IP is a valid address for an internal firewall. Even if users could use some tools to get this information, that won't justify giving it away for free.

We have other equipment (non-Fortinet) providing the same type of VPN access and effectively hiding the internal IP addresses. This, in fact, should be the default behavior.
Thank you.

Toshi_Esumi

Then you need to ban using the smartphone app. The client app on a laptop PC/Mac wouldn't show that.

 

Toshi

cpd
New Contributor

This is the print of the configuration in the app, using a URL to point to the public IP address:

Config.jpg

 
