FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 248259
Description This article describes when there are multiple IPs configured on the WAN port but to only use secondary IP for SSL VPN.
Scope FortiGate.

It is not possible to pick the secondary IP on the SSL VPN for listening on Interface(s).


To select the secondary IP, there are two options: 


  1. Create a loopback interface: It is possible to create a loopback interface and then, create a VIP that forwards the requested to the secondary IP to the loopback interface 




After creating the loopback address, map it with the external IP and port to use on the WAN for SSL VPN.




Make sure to write the desired WAN IP in the External IP address (Highlighted part).


  • Create a Firewall policy for the VIP from Wan to Loopback interface with source as all and destination as VIP and disable NAT. 
  • On the SSL VPN settings, Select the Listening interface as the Loopback interface instead of the WAN.



  1. Creating Local-in Policies.

    Configure the actual interface in the SSL settings but use local-in policies to prevent access to the SSL VPN port for the primary interface IP.  It is necessary to enable a secondary IP address under the WAN interface by following this KB article: Technical Tip: Set a secondary IP on a FortiGate interface

This will then permit to see two address listening when navigating  from the VPN -> SSL VPN settings



To only allow the VPN to use the secondary IP, it is necessary to block the VPN port over the WAN on the primary IP via a local-in policy.

  • Create an address object for the primary IP address e.g. Primary_Wan.
  • Create the firewall policy, example below:


config firewall local-in-policy

    edit <ID>

        set intf "WAN_" <----- Will be the WAN interface.

        set srcaddr "all" <----- Specify here all sources needed to have access to the SSL VPN.

        set dstaddr "Primary_IP" <----- This will be the address object for the WAN/external interface IP address.

        set action deny <----- Action must be 'deny'.

        set service "VPN_Port" <----- This will be a service created that is associated with the SSL VPN port.

        set schedule "always"