FortiGate
gmanea
Staff
Article Id 196413

Description
This article describes how to use a secondary IP address as the listening address for SSL-VPN on a FortiGate.

Solution
A FortiGate shows only the primary IP address of the selected listening interface under 'Web mode access will be listening at' in SSL-VPN Settings.

However, if secondary IP addresses are configured under that interface, it is also possible to connect to the SSL-VPN server (the FortiGate) by using those secondary IP addresses, because the SSL-VPN listener binds to every address of the source interface, not only to the one displayed:

1) Configure the secondary IP address(es) under the interface and verify them in SSL-VPN Settings (the GUI still lists only the primary address).

2) Connect to the SSL-VPN server using a secondary IP address, in web mode and in tunnel mode. The login and the tunnel session appear in the SSL-VPN monitor, and the session table shows the client connecting to the secondary address on the SSL-VPN port (in this example 192.168.120.10:10443):

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User      Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 1       ssluser   2(1)        290       172.16.228.15   0/0           0/0

SSL VPN sessions:
 Index   User      Source IP       Duration   I/O Bytes      Tunnel/Dest IP
 0       ssluser   172.16.228.15   285        155966/37084   10.212.134.200

# diagnose sys session list | grep -f 10443 -A 7 -B 10

session info: proto=6 proto_state=01 duration=202 expire=3599 timeout=3600 flags=00000000 sockflag=00000004 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty
statistic(bytes/packets/allow_err): org=208009/1083/1 reply=74149/1037/1 tuples=2
tx speed(Bps/kbps): 500/4 rx speed(Bps/kbps): 119/0
orgin->sink: org pre->in, reply out->post dev=7->13/13->7 gwy=192.168.120.10/0.0.0.0
hook=pre dir=org act=noop 172.16.228.15:59008->192.168.120.10:10443(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.120.10:10443->172.16.228.15:59008(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:50:50:04:68:02
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=0
serial=00c6ece5 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0

As an alternative solution, a loopback interface can be used, which also makes the chosen address independent of any physical interface:
1) Configure a loopback interface and assign it the IP address that SSL-VPN clients should connect to.
2) Select this loopback interface as the listening interface in SSL-VPN Settings.

Note.
The IP address on the loopback interface has to be reachable by the SSL-VPN clients: traffic from the client-facing interface to the loopback interface must be allowed by a firewall policy, otherwise the listener is up but no client can reach it.
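
The complete CLI configuration for both approaches, as an added example that is not taken from the original article. The interface name port1, the addresses 192.168.120.0/24 and 10.255.255.1, the port 10443 and the object names are assumed for illustration only; replace them with the values used in the actual deployment.

```fortios
# --- Option 1: secondary IP on the existing listening interface ---
# The SSL-VPN listener binds to every address of the source interface,
# so the secondary address below accepts connections as well,
# even though the GUI only shows the primary one.
config system interface
    edit "port1"
        set ip 192.168.120.1 255.255.255.0       # primary address (assumed)
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.120.10 255.255.255.0   # secondary address used by clients (assumed)
                set allowaccess ping
            next
        end
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    set port 10443
end

# --- Option 2: dedicated loopback interface as the listening interface ---
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255      # loopback address used by clients (assumed)
        set allowaccess ping
    next
end

config vpn ssl settings
    set source-interface "sslvpn-lo"
end

# The loopback is only reachable if a policy permits the traffic from the
# client-facing interface; without it the listener exists but clients time out.
config firewall address
    edit "sslvpn-lo-addr"
        set subnet 10.255.255.1 255.255.255.255
    next
end

config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

config firewall policy
    edit 0
        set name "to-sslvpn-loopback"
        set srcintf "port1"
        set dstintf "sslvpn-lo"
        set srcaddr "all"
        set dstaddr "sslvpn-lo-addr"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
    next
end
```

After applying either option, confirm the listener with 'get vpn ssl monitor' after a test login and with 'diagnose sys session list' filtered on the SSL-VPN port, as shown above; the destination address in the session entry should be the secondary or loopback address, not the primary one. Keeping the policy's service restricted to the SSL-VPN port avoids exposing any other service bound to the loopback.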


Related document.
https://docs.fortinet.com/document/fortigate/6.2.2/cookbook/371626/ssl-vpn
