We are running 5.2.2 on a Fortigate 100D.
I have set up an SSL VPN portal with web mode only (no tunnel).
In the bookmarks I have added a webpage that is only accessible through a VPN tunnel.
I have added a policy that allows the access from ssl.root to the IPsec interface that the website is behind.
But I see that traffic from the web mode only portal is originating with a source address of 192.168.1.99 which is the default management IP of the fortigate.
I have grepped through the whole config and cannot find any relation between ssl.root and the management IP.
Access to the website is not working (of course) since the management IP is not part of the Phase 2.
I have also tried to turn on NAT on the policy, but it still shows the management IP when I run diagnose debug trace.
Does anyone have any idea on how I can change the IP that the web mode is using or a way to NAT this correctly?
Unfortunately, this is expected behavior. The FortiGate would assign a client IP in split-tunnelling mode, which would act as the Layer-3 source of the traffic traversing the IPSec tunnel when the client ultimately tries to access the web server.
In web mode, the FortiGate only has its own IPs to draw from, and so it selects the highest-ordered, addressed interface as the source, regardless of the link status.
The only ways around this (AFAIK) are:
1. Use a tunnel-mode connection instead
2. Unset the management IP of the FortiGate interface that was chosen (then the next interface down would be used instead; alternately, give an IP to another unused interface, if it appears higher up in the interface list)
3. Add the management IP to the QM selectors on both sides, so that it is allowed over the tunnel.
Regards, Chris McMullan Fortinet Ottawa
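As an added illustration of option 3 above (this is not configuration from the thread or from Fortinet): a FortiOS CLI fragment that adds the management IP as a /32 selector in a second Phase 2 on the portal-side FortiGate, mirrors it on the remote peer, and then uses a debug flow filter to confirm which source address the web-mode traffic carries. The Phase 1 names, Phase 2 names and the 10.10.10.0/24 web server subnet are placeholders; 192.168.1.99 is the management IP from the question.

```fortios
# Added example, not from the thread. Placeholders: Phase 1 "to-branch" / "to-hub",
# web server subnet 10.10.10.0/24. Management IP 192.168.1.99 is from the question.

# Portal-side FortiGate (the unit hosting the SSL VPN web-mode portal):
config vpn ipsec phase2-interface
    edit "to-branch-webmode"
        set phase1name "to-branch"
        # Web-mode bookmarks are sourced from the management IP, so admit it as a /32
        # alongside the existing Phase 2 rather than widening that one.
        set src-subnet 192.168.1.99 255.255.255.255
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Remote peer: the selector must be mirrored or its Phase 2 will reject the traffic.
config vpn ipsec phase2-interface
    edit "to-hub-webmode"
        set phase1name "to-hub"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.99 255.255.255.255
    next
end

# Verification on the portal-side unit: trace the first 10 packets involving the
# management IP while opening the bookmark, then switch the debug output off again.
diagnose debug flow filter addr 192.168.1.99
diagnose debug flow trace start 10
diagnose debug enable
diagnose debug disable
```

The existing ssl.root to IPsec-interface policy from the question still applies; the selector change only makes the IPsec peer accept the management IP as a Phase 2 source.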