This article describes how to identify the source IP address used by the FortiGate when accessing bookmarked services via the SSL VPN Web Portal.
Internal network resources that are made accessible via SSL VPN Web Portal bookmarks may actually be resources behind a complex LAN topology (for example, another remote network reached over a site-to-site IPsec VPN whose LAN consists of a private MPLS network).
In these cases, it is necessary to identify and configure the source IP address used by the FortiGate when accessing bookmarks in order to configure routing and firewall policies at the far end router acting as the default gateway to this complex LAN.
The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy.
- From the web interface, this outgoing interface is specified in the Policy & Objects > Policy > IPv4 page, and the IP address of the outgoing interface is specified in the System > Network > Interfaces page.
- From the CLI, this outgoing interface is specified under config firewall policy, and the IP address of the outgoing interface is specified under config system interface.
In the example below, with the following CLI configuration, the source IP address will be that of the dmz interface, 10.10.10.1.

```
# config system interface
    set vdom "root"
    set ip 10.10.10.1 255.255.255.0
    set allowaccess ping https http fgfm capwap
    set vlanforward enable
    set type physical
    set snmp-index 4

# config firewall policy
    set srcintf "ssl.root"
    set dstintf "dmz"
    set srcaddr "all"
    set dstaddr "Local_DMZ"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "Test_Group"
    set nat enable
```
Note: If a different IP address needs to be used to access the resource via web-mode SSL VPN, and that IP address does not belong to the firewall, an IP pool can be used to NAT the traffic to the desired IP address.
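As an added example (not configuration from the original article), this is the IP pool variant described in the note: a single-address overload pool is defined and referenced from the SSL VPN policy, so bookmark traffic leaves the dmz interface with the pool address instead of 10.10.10.1. The pool name SSLVPN_Bookmark_SNAT, the address 10.10.10.50 and the policy ID 1 are assumed values.

```fortios
# Added example with assumed names, address and policy ID (not from the article).
# Define a one-address overload pool to be used as the source address for
# SSL VPN web-mode bookmark traffic leaving the dmz interface.
config firewall ippool
    edit "SSLVPN_Bookmark_SNAT"
        set type overload
        set startip 10.10.10.50
        set endip 10.10.10.50
        # arp-reply (default enable) lets the FortiGate answer ARP for the
        # pool address when it lies inside the dmz subnet.
        set arp-reply enable
    next
end

# Reference the pool from the SSL VPN policy (policy ID assumed).
# 'set nat enable' is still required; 'set ippool enable' makes the policy
# use the pool address rather than the dmz interface address 10.10.10.1.
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Local_DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Test_Group"
        set nat enable
        set ippool enable
        set poolname "SSLVPN_Bookmark_SNAT"
    next
end

# Verify from the CLI while a user opens a bookmark: packets leaving dmz
# must carry the pool address as their source (verbosity 4, 10 packets).
# diagnose sniffer packet dmz 'host 10.10.10.50' 4 10
```

The far-end router must have a return route for the pool address; an address inside the dmz subnet is reachable through the FortiGate's ARP reply, while an address outside it needs an explicit route pointing back at the dmz interface.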
Internal DNS servers specific to the SSL VPN Portal may need to be configured to allow bookmarks to be accessed via internal hostnames (see article below).