FortiGate
saleha
Staff
Article Id 298266
Description

This article describes how to handle a network topology change that requires removing a WAN interface from the SSL VPN settings, on a site with a multi-interface setup where DDNS is also configured with the same interfaces.

Scope

Removing an interface from SSL VPN settings without causing an outage.
Solution

Example:

config vpn ssl settings
    set source-interface "port1" "wan1" "wan2"
    …..
end
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain <……>
        set monitor-interface "wan1" "wan2"
    next
end

The interface to be removed from SSL VPN must first be removed from the 'monitor-interface' setting under the DDNS configuration. After that, the interface can be removed from the SSL VPN settings through the GUI or CLI with no concerns.

If the interface is removed from the SSL VPN settings only, SSL VPN clients may fail to connect, because the interface is still referenced in the DDNS settings. This is especially likely if SSL VPN clients use the DDNS hostname to connect to the VPN.
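A pre-change check for the ordering described above, run against a configuration backup. It is an added example, not Fortinet code: the function names, the sample configuration and the domain in it are constructed for illustration.

```python
import shlex

# Constructed sample (not from the article): "wan2" was dropped from the SSL VPN
# source-interface list while DDNS still monitors it. The domain is a placeholder.
SAMPLE_CONFIG = '''
config vpn ssl settings
    set source-interface "port1" "wan1"
end
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "vpn.example.test"
        set monitor-interface "wan1" "wan2"
    next
end
'''

def values_of(config_text, section, key):
    """Values of 'set <key> ...' directly under top-level 'config <section>'."""
    values, depth, inside = [], 0, False
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "config":
            if depth == 0:
                inside = " ".join(tokens[1:]) == section
            depth += 1
        elif tokens[0] == "end":
            depth -= 1
            if depth == 0:
                inside = False
        # depth == 1 skips nested tables, which may carry a same-named key
        elif inside and depth == 1 and tokens[:2] == ["set", key]:
            values.extend(tokens[2:])
    return values

def stale_ddns_interfaces(config_text):
    """Interfaces DDNS still monitors that SSL VPN no longer listens on."""
    vpn = set(values_of(config_text, "vpn ssl settings", "source-interface"))
    ddns = set(values_of(config_text, "system ddns", "monitor-interface"))
    return sorted(ddns - vpn)

def safe_to_remove_from_sslvpn(config_text, interface):
    """True once no DDNS entry lists the interface under monitor-interface."""
    return interface not in values_of(config_text, "system ddns", "monitor-interface")

if __name__ == "__main__":
    print("DDNS still monitors:", stale_ddns_interfaces(SAMPLE_CONFIG))
    print("wan2 removable:", safe_to_remove_from_sslvpn(SAMPLE_CONFIG, "wan2"))
```

A non-empty result from `stale_ddns_interfaces` means the configuration is in the state the article warns about. DDNS may be monitoring an interface for other reasons, so treat the output as a prompt to review rather than a verdict.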