Troubleshooting Tip: Firewall policy is showing 0 bytes when using an SSL VPN web mode connection
| Description | This article describes why the firewall policy shows 0 bytes when it is used with an SSL VPN web mode connection. |
| Scope | FortiGate. |
| Solution | After connecting through SSL VPN web mode, no traffic is counted against the expected firewall policy, and the policy shows 0 bytes. |
In the test case, the user connects over RDP to a Windows server through SSL VPN web mode successfully.
However, firewall policy ID 8, which is expected to allow this traffic, is showing 0 bytes.
To view the session list:

```
diagnose sys session list
```

To enable SSL VPN debugging (two separate commands):

```
diagnose debug application sslvpn -1
diagnose debug enable
```
The firewall session shows that the RDP connection traffic is hitting policy 0 (policy_id=0) rather than policy 8:

```
session info: proto=6 proto_state=01 duration=465 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=79720/1279/1 reply=888110/1581/1 tuples=2
tx speed(Bps/kbps): 171/1 rx speed(Bps/kbps): 1908/15
orgin->sink: org out->post, reply pre->in dev=0->5/5->13 gwy=0.0.0.0/10.211.1.237
hook=out dir=org act=noop 10.211.1.237:4782->10.211.1.157:3389(0.0.0.0:0)
hook=in dir=reply act=noop 10.211.1.157:3389->10.211.1.237:4782(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=000193e0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000 no_ofld_reason: local
total session 1
```
This is expected behavior. SSL VPN web mode works differently from tunnel mode: the traffic does not come from an SSL VPN tunnel address but is proxied by the FortiGate, and from the user's perspective the source is their public IP.
When accessing an intranet resource via SSL VPN web mode, the FortiGate proxies the traffic on the user's behalf. Policy 8 allows traffic from the SSL VPN interface (ssl.root) to the RDP destination 10.211.1.157 for connectivity and login purposes, but in web mode the proxied RDP session is never sourced from ssl.root, so it never matches that policy.
In the SSL VPN debug output, the web session can be seen being matched to the portal:

```
[14132:root:155]sslvpn_policy_match:2626 checking web session
[14132:root:155]remote_ip=[192.168.244.16], user=[test], iif=3, auth=1, dsthost=[10.211.1.157], portal=[SSLvpn_web_mode] realm=[(null)], dst=10.211.1.157, dport=3389, service=[rdp]
```
Once the SSL VPN login succeeds, the FortiGate opens the RDP connection itself from its local interface with IP address 10.211.1.237, rather than from the user's public IP 192.168.244.16. Because the connection is FortiGate-originated, the session is recorded as local traffic with policy_id=0, and policy 8 never accrues any bytes.
Hence, the end-to-end traffic path is 192.168.244.16 -> FortiGate (local interface) -> 10.211.1.157.
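To confirm this behavior in a session list without reading every entry by hand, the following added example (not from the article or from Fortinet) parses `diagnose sys session list` output and flags sessions that are FortiGate-originated, i.e. policy_id=0, state `local`, and sourced from one of the FortiGate's own interface IPs. The sample session text is constructed and modelled on the entry above, with a second ordinary transit session added for contrast; the set of local interface IPs is an assumption the caller supplies.

```python
import re

# Constructed sample session list (not captured from the article's FortiGate).
# Session 1 mirrors the proxied web-mode RDP session quoted above (policy_id=0);
# session 2 is an ordinary transit session matching policy 8 for contrast.
SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=465 expire=3599 timeout=3600
state=log local
statistic(bytes/packets/allow_err): org=79720/1279/1 reply=888110/1581/1 tuples=2
hook=out dir=org act=noop 10.211.1.237:4782->10.211.1.157:3389(0.0.0.0:0)
hook=in dir=reply act=noop 10.211.1.157:3389->10.211.1.237:4782(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=000193e0
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
state=log may_dirty
statistic(bytes/packets/allow_err): org=1200/10/1 reply=3400/12/1 tuples=2
hook=pre dir=org act=noop 10.212.134.200:50112->10.211.1.157:3389(0.0.0.0:0)
hook=post dir=reply act=noop 10.211.1.157:3389->10.212.134.200:50112(0.0.0.0:0)
misc=0 policy_id=8 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=000193e1
total session 2
"""

def parse_sessions(text):
    """Return one dict per session: policy id, state flags, original-direction
    source/destination and byte counters, taken from the fields the article uses."""
    sessions = []
    for chunk in re.split(r"(?m)^session info:", text)[1:]:
        # The dir=org hook line carries the original direction: src:port->dst:port
        orig = re.search(r"hook=\w+ dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)", chunk)
        sessions.append({
            "policy_id": int(re.search(r"policy_id=(\d+)", chunk).group(1)),
            "state": set(re.search(r"(?m)^state=(.*)$", chunk).group(1).split()),
            "src": orig.group(1), "dst": orig.group(3), "dport": int(orig.group(4)),
            "org_bytes": int(re.search(r"org=(\d+)/", chunk).group(1)),
            "reply_bytes": int(re.search(r"reply=(\d+)/", chunk).group(1)),
        })
    return sessions

def classify(session, local_ips):
    """Explain why a session does or does not count against a firewall policy.
    local_ips: the FortiGate's own interface addresses (assumed, supplied by caller)."""
    if session["policy_id"] == 0 and "local" in session["state"] and session["src"] in local_ips:
        return "proxied: FortiGate-originated (web mode), bytes not counted on any policy"
    if session["policy_id"] == 0:
        return "local traffic with no policy match"
    return f"matched policy {session['policy_id']}"

if __name__ == "__main__":
    for s in parse_sessions(SESSION_LIST):
        print(f"{s['src']} -> {s['dst']}:{s['dport']} org={s['org_bytes']}B: "
              f"{classify(s, {'10.211.1.237'})}")
```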
Note: Starting with FortiOS v7.6.3, SSL VPN tunnel mode is deprecated across all FortiGate models. On models where SSL VPN web mode remains available, it has been rebranded as 'Agentless VPN'.