Hello all, I have been setting up a SSL VPN with a FortiGate 80D under FortiOS 5.4.4 and I couldn't figure out something about the configuration. In the "VPN->SSL-VPN Settings" section, we find the "Tunnel Mode Client Settings" and just below, the "Address Range". At the beginning, I thought this would be the range of IP addressees assigned to the VPN users, but then I've seen that this is not the case. VPN users are getting their IP addresses from the "Source IP Pools" setting of their associated portal. So the question is: what is the use of the "Address Range" setting under "VPN->SSL-VPN Settings"? Thanks in advance for your answer. Regards,
Fortinet NSE4
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
In CLI it's named as "tunnel-ip(v6)-pools" or "ip(v6)-pools". It can be configured at multiple places in the config now. But we have to configure portal anyway, or if you have multiple groups with different portals you have to, I recommend you configure it at each portal by leaving this SSL setting as default (no ip-pool config). One problem is you might need to use CLI to remove these values in settings.
Hello Toshi,
First of all, thanks for your answer.
Let's take the configuration below as an example:
FW-01 (settings) # show config vpn ssl settings set servercert "Fortinet_Factory" set idle-timeout 900 set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set port 8443 set source-interface "OUTSIDE" set source-address "all" set source-address6 "all" set default-portal "tunnel-access" config authentication-rule edit 1 set groups "admin" set portal "tunnel-admin" next end end
If I understand well, you're telling me that even though there is a mandatory default portal to define there are also the "tunnel-ip(v6)-pools" settings that need to be defined (at least on the GUI) and they will never be used.
Did I understand well?
Thanks again for your time.
Regards,
Fortinet NSE4
My understanding is (I haven't thoroughly tested but at least this is how we configured for multiple customers including ourselves) the ip range in the settings is used as default when it's not defined in the portals. In GUI by default (at least 5.4.4) "custom ip range" is selected, not "automatic", and there is no range is defined in the settings. if you do "unset tunnel-ip-pools" and "unset tunnel-ipv6-pools" in CLI in your case, you can go back to the setting and see it in GUI. Of course, each portal needs to have those defined there.
Hi lbnmpa,
I had your question, couldn't find any answer in the Hansbook, but i reached this conclusion from testing.
When you configure the portal from the GUI, the "Source IP Pools" field is required, so the "Address Range" in the VPN Settings is not used. However if remove the the "Source IP Pools" from the CLI, then the "Address Range" will be used. To remove the "Source IP Pools" from CLI you can use the command below
Config vpn sll web portal
edit "portal-name"
unset ip-pools
end
Regards,
Wafik
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.