Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hillsitsupp
New Contributor III

Created on ‎01-15-2024 12:16 PM

SSLVPN natting traffic to resource behind 2nd Fortigate

Hi

 

We have a SSLVPN Web portal on one Fortigate. When using it to get to resources behind a tunnel on another Fortigate, it seems to NAT the traffic despite the policy having NAT turned off.

 

Fortinat.png

 

FG2 sees the source address of traffic to AWS being 192.168.1.1 instead of 10.10.1.1

 

Can anyone explain what's going on here?

Labels:
1307
0 Kudos
1 Solution
hillsitsupp
New Contributor III
In response to Toshi_Esumi

Created on ‎01-15-2024 03:01 PM Edited on ‎01-15-2024 03:14 PM

Edited:

 

Looks like this is expected behavior for web SSLVPN.

 

"The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy."

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-used-by-FortiGate-to-access-reso...

 

Thanks for taking a look for me.

View solution in original post

1273
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎01-15-2024 12:48 PM Edited on ‎01-15-2024 12:48 PM

Hi

Are you using Central SNAT on FG1?

AEK
AEK
1297
hillsitsupp
New Contributor III
In response to AEK

Created on ‎01-15-2024 03:02 PM

No, central NAT is disabled.

1270
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎01-15-2024 01:17 PM

If you're not using Central NAT as @AEK is asking, please share us the policy config at the FG1:
    ssl.root -> FG1's internal interface that has 192.168.1.1

in CLI. You need to get in "config firewall policy" then find the policy's ID "edit x", then "show".

 

Toshi

1290
hillsitsupp
New Contributor III
In response to Toshi_Esumi

Created on ‎01-15-2024 03:01 PM Edited on ‎01-15-2024 03:14 PM

Edited:

 

Looks like this is expected behavior for web SSLVPN.

 

"The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy."

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-used-by-FortiGate-to-access-reso...

 

Thanks for taking a look for me.

1274
Toshi_Esumi
SuperUser
SuperUser
In response to hillsitsupp

Created on ‎01-15-2024 03:26 PM

Yes, "web mode" traffic is basically initiated by the FGT. And that's why the other mode with FortiClient is called "tunnel mode".

Toshi

1262
smayank
Staff
Staff

Created on ‎01-16-2024 03:04 AM

Hello 

This is the expected behaviour of SSL VPN Web mode. First user connect with firewall and when traffic goes to LAN it takes LAN interface IP address in source.

Thanks & Regards
Mayank Sharma

1238
NunoLour
New Contributor II

Created on ‎01-16-2024 03:14 AM Edited on ‎01-16-2024 03:15 AM

.

1234
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.