- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- [SSL-VPN] [FortiGate] Address Range vs Source IP P...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[SSL-VPN] [FortiGate] Address Range vs Source IP Pools
Hello all, I have been setting up a SSL VPN with a FortiGate 80D under FortiOS 5.4.4 and I couldn't figure out something about the configuration. In the "VPN->SSL-VPN Settings" section, we find the "Tunnel Mode Client Settings" and just below, the "Address Range". At the beginning, I thought this would be the range of IP addressees assigned to the VPN users, but then I've seen that this is not the case. VPN users are getting their IP addresses from the "Source IP Pools" setting of their associated portal. So the question is: what is the use of the "Address Range" setting under "VPN->SSL-VPN Settings"? Thanks in advance for your answer. Regards,
Fortinet NSE4
Fortinet NSE4
Labels:
- Labels:
-
5.4
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In CLI it's named as "tunnel-ip(v6)-pools" or "ip(v6)-pools". It can be configured at multiple places in the config now. But we have to configure portal anyway, or if you have multiple groups with different portals you have to, I recommend you configure it at each portal by leaving this SSL setting as default (no ip-pool config). One problem is you might need to use CLI to remove these values in settings.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Toshi,
First of all, thanks for your answer.
Let's take the configuration below as an example:
FW-01 (settings) # show config vpn ssl settings set servercert "Fortinet_Factory" set idle-timeout 900 set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set port 8443 set source-interface "OUTSIDE" set source-address "all" set source-address6 "all" set default-portal "tunnel-access" config authentication-rule edit 1 set groups "admin" set portal "tunnel-admin" next end end
If I understand well, you're telling me that even though there is a mandatory default portal to define there are also the "tunnel-ip(v6)-pools" settings that need to be defined (at least on the GUI) and they will never be used.
Did I understand well?
Thanks again for your time.
Regards,
Fortinet NSE4
Fortinet NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My understanding is (I haven't thoroughly tested but at least this is how we configured for multiple customers including ourselves) the ip range in the settings is used as default when it's not defined in the portals. In GUI by default (at least 5.4.4) "custom ip range" is selected, not "automatic", and there is no range is defined in the settings. if you do "unset tunnel-ip-pools" and "unset tunnel-ipv6-pools" in CLI in your case, you can go back to the setting and see it in GUI. Of course, each portal needs to have those defined there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lbnmpa,
I had your question, couldn't find any answer in the Hansbook, but i reached this conclusion from testing.
When you configure the portal from the GUI, the "Source IP Pools" field is required, so the "Address Range" in the VPN Settings is not used. However if remove the the "Source IP Pools" from the CLI, then the "Address Range" will be used. To remove the "Source IP Pools" from CLI you can use the command below
Config vpn sll web portal
edit "portal-name"
unset ip-pools
end
Regards,
Wafik
Related Posts
- Help Needed: DDNS Not Working and... 181 Views
- FortiAP 231F not connecting to FG 143 Views
- Dual ISP SD-WAN load balancing and... 109 Views
- FortiAP offline/disconnected 56 Views
- Fortigate User Information 218 Views
Labels
-
FortiGate
6,909 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
435 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
278 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
121 -
FortiGuard
110 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
82 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
FortiConverter
21 -
ZTNA
20 -
DNS
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiCASB
13 -
FortiDDoS
13 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiBridge
7 -
WAN optimization
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 820 | |
| 446 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.