ckumar_FTNT
Staff
Article Id 191348
Description

When SSL VPN access to the FortiGate is configured on two different interfaces, the authentication rules must be checked so that users can authenticate through either interface. A rule bound to only one interface does not match users who connect through the other.


Solution

Under VPN -> SSL -> Settings -> Authentication Rule

Usually one rule is created for the SSL VPN user group (mapping it to its portal) and then a further rule for all other groups.

The point to check when two interfaces are configured for SSL VPN is whether the authentication rule was created for the first interface only. Authentication rules match on the source interface, so a rule bound to wan1 applies only to users arriving on wan1; users arriving on the second interface match no rule and do not get the access it grants, even though SSL VPN is listening on both interfaces.

There are three ways to resolve this through the CLI:

1) Set the source interface of the existing rule to any and the source address to all. This is the broadest match: the rule then applies to every interface on which SSL VPN is listening, including any added later.

2) Create another authentication rule, configure all of its parameters (users or groups, portal, source address) as in the first rule, and set its source interface to the second SSL VPN interface.

3) Add the second interface to the source-interface list of the existing rule, so one rule explicitly names both interfaces. This keeps the rule scoped to the interfaces you intend to expose.

The CLI commands to view the authentication rule for SSL VPN are as follows (SSL VPN listens on wan1 and wan2, but the only rule is bound to wan1):

# config vpn ssl settings
(settings) # get

(Only the relevant part of the output is shown)

source-interface:
    == [ wan1 ]
    name: wan1
    == [ wan2 ]
    name: wan2
source-address: == [ all ]
    name: all
source-address-negate: disable
source-address6: == [ all ]
    name: all
source-address6-negate: disable
default-portal: web-access
authentication-rule: == [ 1 ]
    id: 1

(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # get
id: 1
source-interface: == [ wan1 ]    <----- The rule is bound to wan1 only; nothing covers wan2
    name: wan1
source-address: == [ all ]
    name: all

Solution 1 -- Modify the authentication rule to match every SSL VPN interface

# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # set source-interface any
(1) # next
(authentication-rule) # end
(settings) # end

Solution 2 -- Add a new authentication rule for the second interface.

The new rule needs the same users or groups, portal and source address as rule 1; only the source interface differs.

# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 2
new entry '2' added
(2) # set source-interface wan2
(2) # next
(authentication-rule) # end
(settings) # end

Solution 3 -- Add both interfaces to the same authentication rule.

# config vpn ssl settings
(settings) # config authentication-rule
(authentication-rule) # edit 1
(1) # set source-interface wan1 wan2          <----- one rule, both interfaces
(1) # next
(authentication-rule) # end
(settings) # end

Whichever solution is used, confirm the result with 'show vpn ssl settings': every interface listed under source-interface in the settings should be named by (or covered by 'any' in) at least one authentication rule.
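As an added example that is not part of the Fortinet article: a small Python audit script that reads a configuration dump in 'show vpn ssl settings' syntax (the sample below is constructed and assumes that layout; the group and portal names are placeholders), reports which listening interfaces no authentication rule covers, and prints the Solution 3 CLI to fix it. It also handles a rule set to 'any' (Solution 1) as covering everything.

```python
import shlex

# Constructed sample (not from the article) in `show vpn ssl settings`
# syntax, mirroring the `get` output above: SSL VPN listens on wan1 and
# wan2, but the only authentication rule is bound to wan1.  Group and
# portal names are placeholders.
SAMPLE_BEFORE = """\
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "SSL_VPN_Users"
            set portal "full-access"
        next
    end
end
"""

# The same configuration after Solution 3: rule 1 lists both interfaces.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'set source-interface "wan1"\n',          # only the rule line matches; the
    'set source-interface "wan1" "wan2"\n')   # settings line ends in "wan2"


def parse_ssl_settings(config_text):
    """Return (listening_interfaces, {rule_id: rule_interfaces}).

    Only the two source-interface settings the audit needs are read:
    the one under `config vpn ssl settings` (where SSL VPN listens)
    and the one inside each `edit N` of `config authentication-rule`.
    """
    listening, rules, in_rules, current = [], {}, False, None
    for line in config_text.splitlines():
        tokens = shlex.split(line)          # strips the quotes around names
        if not tokens:
            continue
        if tokens[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif in_rules and tokens[0] == "edit":
            current = int(tokens[1])
            rules[current] = []
        elif in_rules and tokens[0] in ("next", "end"):
            in_rules = tokens[0] != "end"   # "end" closes the rule table
            current = None
        elif tokens[:2] == ["set", "source-interface"]:
            if current is None:
                listening = tokens[2:]
            else:
                rules[current] = tokens[2:]
    return listening, rules


def audit_auth_rules(config_text):
    """List every listening interface that no authentication rule covers.

    A rule whose source-interface is "any" (Solution 1) covers all of
    them; otherwise an interface is covered only if some rule names it.
    """
    listening, rules = parse_ssl_settings(config_text)
    covered = set()
    for interfaces in rules.values():
        covered.update(listening if "any" in interfaces else interfaces)
    return {
        "listening": listening,
        "rules": rules,
        "uncovered": [i for i in listening if i not in covered],
    }


def remediation_cli(result, rule_id=1):
    """CLI in the form of Solution 3: extend rule `rule_id` with the
    uncovered interfaces.  Returns "" when nothing is missing."""
    if not result["uncovered"]:
        return ""
    interfaces = list(result["rules"].get(rule_id, [])) + result["uncovered"]
    return "\n".join([
        "config vpn ssl settings",
        "    config authentication-rule",
        f"        edit {rule_id}",
        f"            set source-interface {' '.join(interfaces)}",
        "        next",
        "    end",
        "end",
    ])


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        result = audit_auth_rules(cfg)
        print(f"{label}: listening on {result['listening']}, "
              f"uncovered: {result['uncovered'] or 'none'}")
        if result["uncovered"]:
            print(remediation_cli(result))
```

Run it against a saved 'show vpn ssl settings' dump instead of the constructed sample to check a real unit; an empty 'uncovered' list means every SSL VPN interface has a matching authentication rule.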
