Created on 04-30-2015 12:07 PM
Edited on 01-05-2023 02:43 AM
By Anthony_E
Description
This article describes how to identify the source IP address used by the FortiGate when it accesses bookmarked services on behalf of users of the SSL VPN Web Portal (web mode).
Scope
FortiGate.
Solution
Internal network resources made accessible via SSL VPN Web Portal bookmarks may sit behind a complex LAN topology (e.g. a remote network reached over a site-to-site IPsec VPN, whose LAN is itself a private MPLS network).
In these cases it is necessary to identify, and if needed configure, the source IP address used by the FortiGate when accessing bookmarks, so that routing and firewall policies can be configured on the far-end router that acts as the default gateway to this complex LAN.
In web mode the FortiGate terminates the user's SSL VPN session and opens the connection to the bookmarked resource itself. The source IP address of that connection is the IP address configured on the outgoing interface (dstintf) of the firewall policy that allows the SSL VPN traffic. The far-end router and firewall must therefore permit and route traffic from that interface address, not from the SSL VPN client addresses. A packet capture on the outgoing interface of the FortiGate confirms the address actually in use.
- From the web interface, the outgoing interface is specified in the Policy & Objects > Policy > IPv4 page and the IP address of that interface is shown in the System > Network > Interfaces page.
- From the CLI, the outgoing interface is specified under config firewall policy (set dstintf) and the IP address of that interface under config system interface (set ip).
Example
In the following CLI configuration, policy 2 allows traffic from the SSL VPN interface (ssl.root) out of the dmz interface, so the source IP address seen by the bookmarked resources will be that of the dmz interface, 10.10.10.1.
# config system interface
    ...
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm capwap
        set vlanforward enable
        set type physical
        set snmp-index 4
    ...
end

# config firewall policy
    ...
    edit 2
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Local_DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Test_Group"
        set nat enable
    next
end
Note: If a different IP address must be used as the source when accessing resources via web-mode SSL VPN, and that address is not assigned to any FortiGate interface, an IP pool can be used: define the address in config firewall ippool and enable NAT with that pool (set nat enable, set ippool enable, set poolname) in the SSL VPN firewall policy. Traffic to the bookmark is then NATed to the pool address, which the far end must route back to the FortiGate.
Internal DNS servers specific to the SSL VPN portal may need to be configured so that bookmarks can be accessed via internal hostnames (see the related article).
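To apply the rule above across a full configuration backup rather than by reading one policy by hand, the following Python script (an added example, not part of the original article and not a Fortinet tool) parses FortiOS CLI output and reports, for every accept policy whose source interface is the SSL VPN interface, the address the far end will see: the IP pool address when NAT with an IP pool is enabled, otherwise the IP of the policy's outgoing interface. The embedded sample configuration is constructed for this example: interface dmz and policy 2 follow the article, while interface port2, the IP pool SSLVPN_SRC_10.10.10.50 and policies 3 and 4 are assumptions added to exercise the pool and non-SSL-VPN cases.

```python
import shlex

# Constructed sample config. Interface "port2", the ippool and policies 3 and 4
# are assumptions for illustration; only dmz and policy 2 come from the article.
SAMPLE_CONFIG = """
config system interface
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
    edit "port2"
        set ip 192.168.20.1 255.255.255.0
    next
end
config firewall ippool
    edit "SSLVPN_SRC_10.10.10.50"
        set startip 10.10.10.50
        set endip 10.10.10.50
    next
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Local_DMZ"
        set action accept
        set nat enable
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set nat enable
        set ippool enable
        set poolname "SSLVPN_SRC_10.10.10.50"
    next
    edit 4
        set srcintf "port2"
        set dstintf "dmz"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into {section: {edit-name: {key: [values]}}}.
    A leading '#' (CLI prompt) and '...' elision lines are ignored; nested
    sub-tables (e.g. 'config ipv6' inside an interface) are skipped."""
    tree, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # strip CLI prompt as shown in the article
            line = line[1:].strip()
        if not line or line in ("...", "…"):
            continue
        tokens = shlex.split(line)        # honours the "quoted" names
        cmd, args = tokens[0], tokens[1:]
        if depth:                         # inside a nested sub-table: skip it
            depth += cmd == "config"
            depth -= cmd == "end"
            continue
        if cmd == "config":
            if section is None:
                section = " ".join(args)
                tree.setdefault(section, {})
            else:
                depth = 1
        elif cmd == "edit" and section is not None:
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tree[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section, entry = None, None
    return tree


def sslvpn_source_ips(tree, ssl_intf="ssl.root"):
    """Source IP the far end sees, per accept policy from the SSL VPN interface:
    the ippool address when NAT + ippool are enabled, else the dstintf's IP."""
    intfs = tree.get("system interface", {})
    pools = tree.get("firewall ippool", {})
    out = {}
    for pid, pol in tree.get("firewall policy", {}).items():
        if ssl_intf not in pol.get("srcintf", []) or pol.get("action") != ["accept"]:
            continue
        if pol.get("nat") == ["enable"] and pol.get("ippool") == ["enable"]:
            name = pol.get("poolname", ["?"])[0]
            pool = pools.get(name, {})
            start = pool.get("startip", ["?"])[0]
            end = pool.get("endip", [start])[0]
            out[pid] = (start if start == end else f"{start}-{end}", f"ippool {name}")
        else:
            dst = pol.get("dstintf", ["?"])[0]
            out[pid] = (intfs.get(dst, {}).get("ip", ["?"])[0], f"interface {dst}")
    return out


if __name__ == "__main__":
    for pid, (src, via) in sslvpn_source_ips(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"policy {pid}: far end sees source {src} (via {via})")
```

Feed it the output of "show firewall policy", "show system interface" and "show firewall ippool" concatenated into one file; policies that use an IP pool range rather than a single address are reported as start-end so the whole range can be routed back. Policies whose source interface is not the SSL VPN interface (policy 4 in the sample) are ignored, since they carry no web-mode bookmark traffic.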
Related Articles
Technical Note: Firewall Policy check for SSL-VPN Web mode (portal)
Copyright 2023 Fortinet, Inc. All Rights Reserved.