IP addresses for users
After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an address range (IP Pool) which is a firewall address that defines an IP address range.
Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).
To set tunnel-mode client IP address range - web-based manager
1. Go to Firewall Objects > Address > Addresses and select Create New.
2. Enter a Name, for example, SSL_VPN_tunnel_range.
3. Select a Type of IP Range.
4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 10.254.254.[80-100].
5. In Interface, select Any.
6. Select OK.
To set tunnel-mode client IP address range - CLI
If your SSL VPN tunnel range is, for example, 10.254.254.80 - 10.254.254.100, you could enter:
config firewall address
    edit SSL_tunnel_users
        set type iprange
        set end-ip 10.254.254.100
        set start-ip 10.254.254.80
    next
end
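The overlap precaution above can be checked before the address object is created. The following is an added example, not part of the original FortiGate documentation: it tests a proposed start/end range against a list of networks already in use and only then renders the CLI shown above. The function names, the whitespace check on the object name, and the sample network list are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: networks already in use on the private side (assumption).
IN_USE = ["192.168.1.0/24", "10.0.0.0/16", "10.254.254.96/29"]

def pool_conflicts(start, end, in_use):
    """Return the in-use networks that overlap the inclusive range start..end."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError("start-ip and end-ip must be the same IP version")
    if first > last:
        raise ValueError("start-ip is higher than end-ip")
    # A start/end range is rarely one CIDR block, so split it into exact blocks.
    blocks = list(ipaddress.summarize_address_range(first, last))
    conflicts = []
    for text in in_use:
        net = ipaddress.ip_network(text, strict=False)
        if net.version == first.version and any(b.overlaps(net) for b in blocks):
            conflicts.append(str(net))
    return conflicts

def render_address(name, start, end, in_use):
    """Return the CLI text for the range, refusing a pool that overlaps."""
    # Assumption of this example: the unquoted name form carries no whitespace.
    if not name or any(c.isspace() for c in name):
        raise ValueError("name must be non-empty and contain no whitespace")
    conflicts = pool_conflicts(start, end, in_use)
    if conflicts:
        raise ValueError("pool overlaps in-use networks: " + ", ".join(conflicts))
    return "\n".join([
        "config firewall address",
        f"    edit {name}",
        "        set type iprange",
        f"        set end-ip {end}",
        f"        set start-ip {start}",
        "    next",
        "end",
    ])

if __name__ == "__main__":
    print(pool_conflicts("10.254.254.80", "10.254.254.100", IN_USE))
    print(render_address("SSL_tunnel_users", "10.254.254.80",
                         "10.254.254.100", IN_USE[:2]))
```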
You can select the tunnel-mode IP Pools in two places:
• The VPN > SSL > Config page IP Pools setting applies to all web portals that do not specify their own IP Pools.
• The web portal Tunnel Mode widget IP Pools setting, if used, applies only to the web portal and overrides the setting in VPN > SSL > Config. See “Tunnel mode and split tunneling”.