Fortinet white logo
Fortinet white logo

FortiGate-7000F Handbook

Setting up SSL VPN using flow rules

Setting up SSL VPN using flow rules

As an alternative to SSL VPN load balancing, you can manually add SSL VPN load balancing flow rules to configure the FortiGate-7000F to send all SSL VPN sessions to the primary FPM. To match SSL VPN traffic, the flow rule should include a destination port that matches the destination port of the SSL VPN server. A basic rule to send SSL VPN traffic to the primary FPM could be:

config load-balance flow-rule

edit 0

set status enable

set ether-type ipv4

set protocol tcp

set dst-l4port 443-443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

This flow rule matches all sessions sent to port 443 (the default SSL VPN server listening port) and sends these sessions to the primary FPM. This should match all your SSL VPN traffic if you are using the default SSL VPN server listening port (443). This flow rule also matches all other sessions using 443 as the destination port so all of this traffic is also sent to the primary FPM.

Note

As a best practice, if you add a flow rule for SSL VPN, Fortinet recommends using a custom SSL VPN port (for example, 10443 instead of 443). This can improve performance by allowing SSL traffic on port 443 that is not part of your SSL VPN to be load balanced to FPMs instead of being sent to the primary FPM by the SSL VPN flow rule.

If you change the SSL VPN server listening port

If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

You can also make the SSL VPN flow rule more specific by including the SSL VPN server interface in the flow rule. For example, if your FortiGate-7000F listens for SSL VPN sessions on the 1-P4 interface:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set src-interface 1-P4

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

Adding the SSL VPN server IP address

You can also add the IP address of the FortiGate-7000F interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches the traffic of SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set dst-addr-ipv4 172.25.176.32 255.255.255.255

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPM.

Setting up SSL VPN using flow rules

Setting up SSL VPN using flow rules

As an alternative to SSL VPN load balancing, you can manually add SSL VPN load balancing flow rules to configure the FortiGate-7000F to send all SSL VPN sessions to the primary FPM. To match SSL VPN traffic, the flow rule should include a destination port that matches the destination port of the SSL VPN server. A basic rule to send SSL VPN traffic to the primary FPM could be:

config load-balance flow-rule

edit 0

set status enable

set ether-type ipv4

set protocol tcp

set dst-l4port 443-443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

This flow rule matches all sessions sent to port 443 (the default SSL VPN server listening port) and sends these sessions to the primary FPM. This should match all your SSL VPN traffic if you are using the default SSL VPN server listening port (443). This flow rule also matches all other sessions using 443 as the destination port so all of this traffic is also sent to the primary FPM.

Note

As a best practice, if you add a flow rule for SSL VPN, Fortinet recommends using a custom SSL VPN port (for example, 10443 instead of 443). This can improve performance by allowing SSL traffic on port 443 that is not part of your SSL VPN to be load balanced to FPMs instead of being sent to the primary FPM by the SSL VPN flow rule.

If you change the SSL VPN server listening port

If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

You can also make the SSL VPN flow rule more specific by including the SSL VPN server interface in the flow rule. For example, if your FortiGate-7000F listens for SSL VPN sessions on the 1-P4 interface:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set src-interface 1-P4

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

Adding the SSL VPN server IP address

You can also add the IP address of the FortiGate-7000F interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches the traffic of SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32:

config load-balance flow-rule

edit 26

set status enable

set ether-type ipv4

set protocol tcp

set dst-addr-ipv4 172.25.176.32 255.255.255.255

set dst-l4port 10443-10443

set forward-slot master

set comment "ssl vpn server to primary worker"

end

This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPM.