Created on 08-26-2020 10:38 PM Edited on 02-25-2022 07:23 AM By Anonymous
Description
This article describes the configuration required to enable SSL VPN on the FortiGate-6000/7000 series running FortiOS 5.x.x, 6.2.x, 6.4.2, or 6.4.6.
Note: SSL VPN load balancing is supported on the FortiGate-6000/7000 series from FortiOS 6.4.8; see FortiGate-6000F SSL VPN load balancing, FortiGate-7000E SSL VPN load balancing, or FortiGate-7000F SSL VPN load balancing.
Solution
The recommended configuration is to forward SSL VPN sessions terminated on a FortiGate-6000/7000 series interface to the primary FPC/FPM (the master worker slot).
This requires manually adding one or more load-balance flow rules; without them the distributed processing layer can spread the SSL VPN session across FPCs/FPMs and the VPN does not come up reliably.
The requirement applies to both web-mode and tunnel-mode traffic.
This configuration also applies to FortiOS 6.4.8 if SSL VPN load balancing is disabled.
Additional information
SSL VPN user -----WAN-------(listening on port 8443) 6K/7k (Primary FPC/FPM)------------------LAN
Example flow rule if the SSL VPN server listening port is set to 8443:
# config load-balance flow-rule
edit 0
set status enable
set ether-type ipv4
set protocol tcp
set dst-l4port 8443-8443
set forward-slot master
set comment "ssl vpn server to primary worker"
next
end
If DTLS is enabled for tunnel-mode SSL VPN, the tunnel data runs over UDP on the same listening port, so a second flow rule with protocol udp (IP protocol 17) is required; the TCP rule alone does not match it:
# config load-balance flow-rule
edit 0
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 8443-8443
set forward-slot master
set comment "ssl vpn server to primary worker"
next
end
If the SSL VPN listening port cannot be changed from the default 443, add the SSL VPN server IP address (the address of the interface that terminates the VPN, with its subnet mask) to the flow rule together with port 443, so that the rule matches only traffic to the SSL VPN listener rather than every TCP/443 flow crossing the chassis. If DTLS is enabled, add a matching udp rule with the same destination address and port.
For example:
# config load-balance flow-rule
edit 0
set status enable
set ether-type ipv4
set protocol tcp
set dst-addr-ipv4 <ip-address with subnet mask>
set dst-l4port 443-443
set forward-slot master
set comment "ssl vpn server to primary worker"
next
end
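The three cases above (a custom TCP port, an extra UDP rule for DTLS, and the default port 443 that must be narrowed by destination address) follow one pattern. The following Python helper, added here as an illustration and not part of the Fortinet article or of FortiOS, builds the rule set for a given listener and renders it in the CLI syntax shown on this page. The function names, the refusal to emit a bare port-443 rule, and the "address mask" form of dst-addr-ipv4 are this example's own choices; the address 203.0.113.10 is a constructed documentation value.

```python
"""Added example (not from the Fortinet article): build FortiGate-6000/7000
load-balance flow rules that steer SSL VPN traffic to the primary FPC/FPM.
Function names and the port-443 guard are this example's own conventions.
"""
import ipaddress

# 443 is also the default administrative HTTPS port. A rule matching TCP/443
# without a destination address would send every HTTPS flow crossing the
# chassis to the primary worker, so this example refuses to build one.
HTTPS_DEFAULT_PORT = 443


def flow_rules(port, dtls=False, dst_addr=None,
               comment="ssl vpn server to primary worker"):
    """Return the flow rules (as ordered dicts) for one SSL VPN listener.

    port     -- TCP port the SSL VPN server listens on
    dtls     -- also emit a UDP rule on the same port (tunnel mode with DTLS)
    dst_addr -- "a.b.c.d/nn" of the SSL VPN server; mandatory on port 443
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if port == HTTPS_DEFAULT_PORT and dst_addr is None:
        raise ValueError("a port 443 rule must be restricted with dst_addr")

    addr_mask = None
    if dst_addr is not None:
        # Normalise and validate; render as "address netmask" (assumed form).
        net = ipaddress.ip_network(dst_addr, strict=False)
        addr_mask = f"{net.network_address} {net.netmask}"

    protocols = ["tcp", "udp"] if dtls else ["tcp"]
    rules = []
    for proto in protocols:
        rule = {"status": "enable", "ether-type": "ipv4", "protocol": proto}
        if addr_mask is not None:
            rule["dst-addr-ipv4"] = addr_mask
        rule["dst-l4port"] = f"{port}-{port}"   # single-port range, as on the page
        rule["forward-slot"] = "master"          # primary FPC/FPM
        rule["comment"] = f'"{comment}"'
        rules.append(rule)
    return rules


def render(rules):
    """Render the rules as one 'config load-balance flow-rule' CLI block."""
    lines = ["config load-balance flow-rule"]
    for rule in rules:
        lines.append("    edit 0")                 # 0 lets FortiOS assign the ID
        for key, value in rule.items():
            lines.append(f"        set {key} {value}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Custom listener on 8443 with DTLS: one TCP rule plus one UDP rule.
    print(render(flow_rules(8443, dtls=True)))
    # Listener left on 443: the rule has to name the server address.
    print(render(flow_rules(443, dst_addr="203.0.113.10/32")))
```

Paste the rendered block into the FortiGate-6000/7000 CLI as you would the examples above; the helper only enforces the page's own constraints (UDP rule when DTLS is on, destination address when the port is 443) before you commit anything.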
Related link:
https://docs.fortinet.com/document/fortigate-6000/6.4.6/fortigate-6000-release-notes/398770/special-...
Related Articles
Technical Tip : How to load balance SSLVPN web-mode traffic on FortiGate-6000 series
Copyright 2024 Fortinet, Inc. All Rights Reserved.