FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fmerin_FTNT
Staff
Staff
Description

This article describes how to identify the source IP address used by the FortiGate when accessing bookmarked services via the SSL VPN Web Portal


Scope

Solution

Internal network resources that are made accessible via SSL VPN Web Portal bookmarks may actually be resources behind a complex LAN topology (i.e. another remote network accessible via a site-to-site IPsec VPN and whose LAN consists of a private MPLS network).

In these cases, it is necessary to identify and configure the source IP address used by the FortiGate when accessing bookmarks in order to configure routing and firewall policies at the far end router acting as the default gateway to this complex LAN.

The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy.

  • From the web interface, this outgoing interface is specified in the Policy & Objects > Policy > IPv4 page and the IP address of the outgoing interface is specified in the System > Network > Interfaces page.
  • From the CLI, this outgoing interface is specified in config firewall policy and the IP address of the outgoing interface is specified in config system interface

Example

In the example below with the following CLI configuration, the source IP address will be that of the dmz interface, 10.10.10.1.

config system interface

...

    edit "dmz"

        set vdom "root"

        set ip 10.10.10.1 255.255.255.0

        set allowaccess ping https http fgfm capwap

        set vlanforward enable

        set type physical

        set snmp-index 4

end

 

config firewall policy

 

edit 2

        set srcintf "ssl.root"

        set dstintf "dmz"

        set srcaddr "all"

        set dstaddr "Local_DMZ"

        set action accept

        set schedule "always"

        set service "ALL"

        set groups "Test_Group"

        set nat enable

    next

end

Internal DNS servers specific to the SSL VPN Portal may need to be configured to allow bookmarks to be accessed via internal hostnames (see article below).


Related Articles

Technical Note: Firewall Policy check for SSL-VPN Web mode (portal)

Configuring DNS servers per SSL VPN Portal

Contributors