Monday, December 15, 2014

Fortigate SSL VPN on multiple interfaces

There is an potential issue when setting up SSL VPN to listen on multiple interfaces on FortiOS 5.2.2 (have not tested on earlier versions).  When you create the first SSL VPN listener the Fortigate will automatically create a policy to allow SSL VPN traffic.  Due to the way the information is presented one can be excused for thinking the unit will do it for additional listeners as well.  The screenshot below shows how it looks when SSL VPN is enabled on multiple interfaces via the GUI:

 image

These are the relevant bits taken from the configuration file:

config vpn ssl settings
    set idle-timeout 900
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "MTN" "MTC"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set source-interface "MTN"
                set source-address "all"
                set groups "VPN"
                set portal "full-access"
            next
        end
end

From the above it is clear that the listener has been added, but the authentication rule has not been updated.  The fix is simple, just add an additional authentication rule via the CLI:

config vpn ssl settings
config authentication-rule
            edit 2
                set source-interface "MTC"
                set source-address "all"
                set groups "VPN"
                set portal "full-access"
            next
        end
end

Your SSL VPN clients will now be able to connect on all interfaces specified in the GUI.