Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Restrict VIPs to SSL VPN Users (Split Tunnel)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restrict VIPs to SSL VPN Users (Split Tunnel)
Hello,
Is it possible to restrict VIP objects to only SSLVPN users with split tunnelling enabled? I used the following KB article but it did not seem to work. The FortiGate we are using is 7.2.
The VIP uses a public IP address to map to an internal IP address.
Labels:
- Labels:
-
FortiGate
-
Virtual IP
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
- What is exactly not working?
- Did you check if a route to the related public IP through the tunnel has been added to your client?
- Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
- Was the traffic allowed/blocked (diag debug flow ...)?
- Since this is a public IP, why need SSL VPN to reach it? By definition it should be reachable from Internet without VPN, right?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. The VIP work fine. My original query was to restrict access to the VIP translation to only SSL VPN users. I don't want the VIP available to anyone who does not have a SSL VPN connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then just add a rule to allow traffic to the VIP from SSL VPN tunnel, and don't add similar rule for any other sources.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm using ssl-vpn tunnel interface (ssl.root) as the source when creating the Firewall policy does not work.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Did you check if a route to the related public IP through the tunnel has been added to your client?
- Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
- Was the traffic allowed/blocked (diag debug flow ...)?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do the SSL VPN users need to use a VIP while SSL VPN provides direct access to the destination of the VIP or servers local/private IP? That's the purpose of the VPN like SSL VPN and IPsec VPN.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really only for a TLD certificate. They can use the program without the certificate if I gave them the IP address but im being advised to avoid implementing that as the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to persuade whoever telling you to use VIP with the certificate, "Which is more secure/wiser; a) setting up a VIP on the wan interface to make a hole while you unlikely can limit the source IPs, or b) setting up SSL VPN to encrypt those limited remote users to let them use the local server IP to access it without needing the cert. Especially when those SSL VPN users likely need to access other resources inside of the FW/FGT using the local IPs?
If it's an office situation, not a datacenter situation, those users inside of the office would be able to access directly any way. SSL VPN users should be considered as the same category/group of users.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate 7.2 – Restrict VIP Access to Only SSL VPN Users with Split Tunnelin
Since you need to keep the VIP while ensuring that only SSL VPN users can access it, follow these steps to configure it properly.
Configure the VIP (Virtual IP)
Your VIP should map a public IP to an internal server, but access should be restricted to only SSL VPN users.
- **Go to**: **Policy & Objects > Virtual IPs**
- **Create or Edit the VIP** with the following settings:
- **External Interface**:
- If you still need a public IP mapping, set this to `wan1` or the relevant WAN interface.
- If the VIP should only be used internally, set this to `lan` or a VLAN interface.
- **External IP Address**: The public IP assigned to the VIP.
- **Mapped Internal IP Address**: The private IP of your server.
- **Port Forwarding**: Enabled (if only specific services are required, e.g., HTTPS on 443).
---
2. Restrict Access to Only SSL VPN Users
Remove Public WAN Access
To prevent **anyone from the internet** from accessing the VIP:
1. Go to: Policy & Objects > Firewall Policy
Find any WAN → VIP rules** that allow general public access and disable or delete them.
Create a Policy to Allow Only SSL VPN Users
Now, allow **only SSL VPN users** to access the VIP.
Go to: Policy & Objects > Firewall Policy
Create a new policy:
- **Incoming Interface**: `ssl.root` (SSL VPN tunnel interface)
- **Source**:
- SSL VPN user group **(Only allow authenticated VPN users)**
- (Optional: Restrict to specific IPs or subnets from the VPN pool)
- **Destination**: The **VIP object** you created earlier.
- **Service**: Only necessary services (e.g., HTTPS, RDP).
- **Action**: Accept.
- **NAT**: Disabled (since NAT is handled by the VIP mapping).
Move this policy above any general LAN/WAN rules to ensure it applies first.
---
Configure SSL VPN with Split Tunneling
Since split tunneling **routes only specific traffic through the VPN**, you must ensure that **traffic to the VIP is included**.
1. **Go to**: **VPN > SSL-VPN Portals**
2. **Edit the SSL VPN portal** used by your users.
3. **Ensure "Split Tunneling" is enabled**.
4. **Under "Routing Address"**, add:
- The internal IP of the VIP’s mapped server.
- (Optional) The entire subnet if multiple servers are behind VIP.
This ensures that **requests to the VIP** are routed through the SSL VPN tunnel and not through the user’s local network.
---
4. Verify Internal Routing
Ensure that FortiGate **routes VPN traffic correctly to the VIP**.
1. **Go to**: **Network > Static Routes**
2. **Ensure there is a route** allowing SSL VPN users to reach the internal subnet.
- Example:
- **Destination**: `192.168.1.0/24` (or the server's subnet)
- **Gateway**: FortiGate’s LAN IP (`192.168.1.1`)
- **Interface**: LAN/VLAN interface
---
5. Testing & Debugging
If SSL VPN users still cannot access the VIP, check for issues with:
A. Firewall Logs
Go to:
Log & Report > Forward Traffic
- Filter by:
- **Source**: SSL VPN IP range
- **Destination**: VIP address
- **Action**: Denied (if blocked)
CLI Debugging
Run these CLI commands to trace traffic:
```bash
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter addr <VIP_Internal_IP>
diagnose debug flow trace start 10
```
Routing Check
Ensure that the **SSL VPN user’s traffic is reaching the VIP**:
```bash
get router info routing-table all
```
---
Expected Outcome
VIP remains active but is only accessible via SSL VPN users.
No direct access from the internet or local LAN users.
Traffic to the VIP is correctly routed through the VPN tunnel.
Would you like additional **access control**, such as allowing only specific user groups or setting time-based restrictions?
Labels
-
FortiGate
10,181 -
FortiClient
2,067 -
FortiManager
863 -
5.2
687 -
FortiAnalyzer
659 -
5.4
638 -
FortiSwitch
561 -
FortiAP
539 -
FortiClient EMS
528 -
6.0
416 -
IPsec
367 -
5.6
362 -
FortiMail
362 -
SSL-VPN
352 -
FortiNAC
258 -
6.2
251 -
Fortiweb
243 -
FortiAuthenticator v5.5
234 -
SD-WAN
177 -
FortiGuard
159 -
FortiAuthenticator
155 -
5.0
152 -
6.4
128 -
Firewall policy
128 -
FortiGateCloud
112 -
FortiCloud Products
112 -
FortiGate-VM
110 -
FortiSIEM
108 -
FortiToken
106 -
Wireless Controller
93 -
Customer Service
85 -
High Availability
80 -
FortiProxy
75 -
ZTNA
70 -
Routing
69 -
VLAN
69 -
FortiEDR
68 -
Fortivoice
67 -
DNS
67 -
SAML
64 -
FortiADC
63 -
BGP
62 -
Authentication
61 -
radius
57 -
Certificate
56 -
FortiSandbox
52 -
FortiLink
52 -
LDAP
52 -
FortiExtender
51 -
SSO
51 -
4.0MR3
49 -
NAT
49 -
FortiDNS
43 -
VDOM
41 -
Interface
40 -
Logging
39 -
Application control
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
Virtual IP
37 -
FortiConnect
34 -
Web profile
34 -
FortiPAM
32 -
FortiWAN
31 -
SSL SSH inspection
30 -
FortiConverter
28 -
FortiGate v5.2
27 -
Automation
26 -
Static route
25 -
Traffic shaping
24 -
SSID
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
Fortigate Cloud
22 -
SNMP
22 -
System settings
22 -
API
21 -
WAN optimization
20 -
FortiMonitor
19 -
OSPF
19 -
Security profile
17 -
Web application firewall profile
17 -
FortiDDoS
16 -
FortiAP profile
16 -
Web rating
16 -
FortiSOAR
15 -
Admin
15 -
Proxy policy
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiCASB
14 -
IPS signature
14 -
Explicit proxy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Traffic shaping policy
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
NAC policy
11 -
Fabric connector
11 -
Port policy
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
DNS filter
10 -
Trunk
10 -
Users
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Authentication rule and scheme
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
Vulnerability Management
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
Lacework
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2426 | |
| 1303 | |
| 778 | |
| 551 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.