Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fmerin_FTNT
Staff
Staff

Created on ‎04-30-2015 12:07 PM Edited on ‎01-05-2023 02:43 AM By Community Manager

Article Id 193615

Technical Tip: Source IP used by FortiGate to access resources via SSL VPN (Web Mode)

Description

This article describes how to identify the source IP address used by the FortiGate when accessing bookmarked services via the SSL VPN Web Portal

Scope

FortiGate.


Solution

Internal network resources that are made accessible via SSL VPN Web Portal bookmarks may actually be resources behind a complex LAN topology (i.e. another remote network accessible via a site-to-site IPsec VPN and whose LAN consists of a private MPLS network).

In these cases, it is necessary to identify and configure the source IP address used by the FortiGate when accessing bookmarks in order to configure routing and firewall policies at the far end router acting as the default gateway to this complex LAN.

The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy.

- From the web interface, this outgoing interface is specified in the Policy & Objects > Policy > IPv4 page and the IP address of the outgoing interface is specified in the System > Network > Interfaces page.

- From the CLI, this outgoing interface is specified in config firewall policy and the IP address of the outgoing interface is specified in config system interface

Example

In the example below with the following CLI configuration, the source IP address will be that of the dmz interface, 10.10.10.1.

# config system interface

...

    edit "dmz"

        set vdom "root"

        set ip 10.10.10.1 255.255.255.0

        set allowaccess ping https http fgfm capwap

        set vlanforward enable

        set type physical

        set snmp-index 4

end

 

# config firewall policy

 

edit 2

        set srcintf "ssl.root"

        set dstintf "dmz"

        set srcaddr "all"

        set dstaddr "Local_DMZ"

        set action accept

        set schedule "always"

        set service "ALL"

        set groups "Test_Group"

        set nat enable

    next

end

 

Note: If other IP address needs to be used to access resource via WebMode SSLVPN and this IP address does not belong to firewall, ippool can be used to nat traffic to desired IP address.

Internal DNS servers specific to the SSL VPN Portal may need to be configured to allow bookmarks to be accessed via internal hostnames (see article below).

Related Articles

Technical Note: Firewall Policy check for SSL-VPN Web mode (portal)

Configuring DNS servers per SSL VPN Portal

Labels:
12970
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.