ps-support
New Contributor III

Restrict VIPs to SSL VPN Users (Split Tunnel)

Hello,
Is it possible to restrict VIP objects to only SSLVPN users with split tunnelling enabled? I used the following KB article but it did not seem to work. The FortiGate we are using is 7.2.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-access-a-VIP-from-a-SSL-VPN-tunnel-...


The VIP uses a public IP address to map to an internal IP address. 


AEK
SuperUser

Hello

  • What is exactly not working?
  • Did you check if a route to the related public IP through the tunnel has been added to your client?
  • Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
  • Was the traffic allowed/blocked (diag debug flow ...)?
  • Since this is a public IP, why need SSL VPN to reach it? By definition it should be reachable from Internet without VPN, right?
AEK
ps-support
New Contributor III

Hello. The VIP works fine. My original query was to restrict access to the VIP translation to only SSL VPN users. I don't want the VIP available to anyone who does not have an SSL VPN connection.

AEK

Then just add a rule to allow traffic to the VIP from SSL VPN tunnel, and don't add similar rule for any other sources.

AEK
ps-support
New Contributor III

I can confirm using ssl-vpn tunnel interface (ssl.root) as the source when creating the Firewall policy does not work. 

AEK
SuperUser


  • Did you check if a route to the related public IP through the tunnel has been added to your client?
  • Did you check if the packets are reaching your FortiGate (diag sniffer packet ...)?
  • Was the traffic allowed/blocked (diag debug flow ...)?


AEK
Toshi_Esumi
SuperUser

Why do the SSL VPN users need to use a VIP while SSL VPN provides direct access to the destination of the VIP or the server's local/private IP? That's the purpose of a VPN like SSL VPN and IPsec VPN.

Toshi

ps-support

Really only for a TLD certificate. They can use the program without the certificate if I gave them the IP address, but I'm being advised to avoid implementing that as the solution.

Toshi_Esumi

You should be able to persuade whoever is telling you to use the VIP with the certificate: "Which is more secure/wiser; a) setting up a VIP on the wan interface to make a hole while you are unlikely to be able to limit the source IPs, or b) setting up SSL VPN to encrypt those limited remote users to let them use the local server IP to access it without needing the cert? Especially when those SSL VPN users likely need to access other resources inside of the FW/FGT using the local IPs?"
If it's an office situation, not a datacenter situation, those users inside of the office would be able to access it directly anyway. SSL VPN users should be considered as the same category/group of users.

Toshi

Christian_89
Contributor III

FortiGate 7.2 – Restrict VIP Access to Only SSL VPN Users with Split Tunneling

Since you need to keep the VIP while ensuring that only SSL VPN users can access it, follow these steps to configure it properly.

 

1. Configure the VIP (Virtual IP)
Your VIP should map a public IP to an internal server, but access should be restricted to only SSL VPN users.

- **Go to**: **Policy & Objects > Virtual IPs**
- **Create or Edit the VIP** with the following settings:
  - **External Interface**:
    - If you still need a public IP mapping, set this to `wan1` or the relevant WAN interface.
    - If the VIP should only be used internally, set this to `lan` or a VLAN interface.
  - **External IP Address**: The public IP assigned to the VIP.
  - **Mapped Internal IP Address**: The private IP of your server.
  - **Port Forwarding**: Enabled (if only specific services are required, e.g., HTTPS on 443).

---

2. Restrict Access to Only SSL VPN Users
Remove Public WAN Access
To prevent **anyone from the internet** from accessing the VIP:
1. Go to: Policy & Objects > Firewall Policy
2. Find any **WAN → VIP rules** that allow general public access and disable or delete them.

Create a Policy to Allow Only SSL VPN Users
Now, allow **only SSL VPN users** to access the VIP.

Go to: Policy & Objects > Firewall Policy
Create a new policy:
- **Incoming Interface**: `ssl.root` (SSL VPN tunnel interface)
- **Source**:
  - SSL VPN user group **(Only allow authenticated VPN users)**
  - (Optional: Restrict to specific IPs or subnets from the VPN pool)
- **Destination**: The **VIP object** you created earlier.
- **Service**: Only necessary services (e.g., HTTPS, RDP).
- **Action**: Accept.
- **NAT**: Disabled (since NAT is handled by the VIP mapping).
Move this policy above any general LAN/WAN rules to ensure it applies first.

---

3. Configure SSL VPN with Split Tunneling
Since split tunneling **routes only specific traffic through the VPN**, you must ensure that **traffic to the VIP is included**.

1. **Go to**: **VPN > SSL-VPN Portals**
2. **Edit the SSL VPN portal** used by your users.
3. **Ensure "Split Tunneling" is enabled**.
4. **Under "Routing Address"**, add:
   - The internal IP of the VIP’s mapped server.
   - (Optional) The entire subnet if multiple servers are behind the VIP.

This ensures that **requests to the VIP** are routed through the SSL VPN tunnel and not through the user’s local network.

---

4. Verify Internal Routing
Ensure that FortiGate **routes VPN traffic correctly to the VIP**.

1. **Go to**: **Network > Static Routes**
2. **Ensure there is a route** allowing SSL VPN users to reach the internal subnet.
   - Example:
     - **Destination**: `192.168.1.0/24` (or the server's subnet)
     - **Gateway**: FortiGate’s LAN IP (`192.168.1.1`)
     - **Interface**: LAN/VLAN interface

---

5. Testing & Debugging
If SSL VPN users still cannot access the VIP, check for issues with:

A. Firewall Logs
Go to:
Log & Report > Forward Traffic
- Filter by:
  - **Source**: SSL VPN IP range
  - **Destination**: VIP address
  - **Action**: Denied (if blocked)

B. CLI Debugging
Run these CLI commands to trace traffic:

```bash
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter addr <VIP_Internal_IP>
diagnose debug flow trace start 10
```

C. Routing Check
Ensure that the **SSL VPN user’s traffic is reaching the VIP**:

```bash
get router info routing-table all
```

---

Expected Outcome
VIP remains active but is only accessible via SSL VPN users.
No direct access from the internet or local LAN users.
Traffic to the VIP is correctly routed through the VPN tunnel.

Would you like additional **access control**, such as allowing only specific user groups or setting time-based restrictions? 
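Added example, not from this thread, Fortinet, or any poster: a small Python audit that checks the two things the answers above turn on, AEK's "allow the VIP only from the SSL VPN tunnel and from nowhere else" and steps 1 and 2 of Christian_89's walkthrough. It parses a constructed `show firewall vip` / `show firewall policy` dump (hypothetical names `VIP_APP`, `SSLVPN_Users`, `SSLVPN_TUNNEL_ADDR1`, policy IDs 10 and 11, constructed addresses), flags any accept policy that reaches the VIP from an interface other than `ssl.root` or that lacks a user/group match, and checks the VIP's `extintf`, because FortiOS applies a VIP's DNAT only to packets arriving on that interface (`any` covers every interface, including the tunnel), which is why a VIP bound to `wan1` is never hit by tunnel traffic even when the policy is correct.

```python
"""Audit a FortiOS config dump for VIP exposure (added example, not Fortinet code).

Parses the text of 'show firewall vip' / 'show firewall policy' and reports
every accept policy that reaches the VIP from a non-tunnel interface, plus
whether the VIP's extintf lets SSL VPN traffic hit the DNAT at all.
"""
import shlex

# Constructed sample dump (hypothetical names, not from a real device).
# Policy 10 is the intended ssl.root -> VIP rule restricted to a user group;
# policy 11 is a leftover WAN rule that still exposes the VIP to the internet.
SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP_APP"
        set extip 203.0.113.10
        set mappedip "192.168.1.50"
        set extintf "any"
    next
end
config firewall policy
    edit 10
        set name "SSLVPN-to-VIP"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VIP_APP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "SSLVPN_Users"
    next
    edit 11
        set name "Legacy-WAN-to-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP_APP"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""


def parse_fortios(text):
    """Return {table: {edit_id: {key: [values]}}} for top-level config tables.
    Nested 'config' sub-tables inside an edit are skipped."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
        elif line == "end":
            if stack:
                stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested sub-table (or outside any table): ignore
        elif line.startswith("edit "):
            entry = tables[stack[0]].setdefault(shlex.split(line)[1], {})
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            parts = shlex.split(line)  # honours the CLI's quoted values
            entry[parts[1]] = parts[2:]
    return tables


def audit_vip_exposure(tables, vip_name, allowed_srcintf=("ssl.root",)):
    """List (policy_id, name, reason) for policies that break 'VIP only via VPN'."""
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        if vip_name not in pol.get("dstaddr", []) or pol.get("action") != ["accept"]:
            continue
        name = pol.get("name", [""])[0]
        extra = sorted(set(pol.get("srcintf", [])) - set(allowed_srcintf))
        if extra:
            findings.append((pid, name, f"accepts {vip_name} from {', '.join(extra)}"))
        elif not (pol.get("groups") or pol.get("users")):
            findings.append((pid, name, "tunnel policy lacks a user/group match"))
    return findings


def vip_reachable_from_tunnel(tables, vip_name, tunnel_intf="ssl.root"):
    """FortiOS applies a VIP's DNAT only to packets entering on its extintf
    ('any' matches every interface). Returns (ok, explanation)."""
    vip = tables.get("firewall vip", {}).get(vip_name)
    if vip is None:
        return False, f"VIP {vip_name} not found"
    extintf = vip.get("extintf", ["any"])[0]  # FortiOS default is 'any'
    if extintf in ("any", tunnel_intf):
        return True, f"extintf={extintf}: DNAT applies to traffic from {tunnel_intf}"
    return False, f"extintf={extintf}: {tunnel_intf} traffic never matches; use extintf any"


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for pid, name, why in audit_vip_exposure(cfg, "VIP_APP"):
        print(f"policy {pid} ({name}): {why}")
    print(vip_reachable_from_tunnel(cfg, "VIP_APP")[1])
```

Feed it the output of `show firewall vip` and `show firewall policy` from the unit. A clean result is an empty findings list and `extintf=any`; the sample deliberately leaves policy 11 in place so the WAN exposure shows up, which is the rule Christian_89's step 2 says to delete.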
