nithincs
Staff & Editor
December 23, 2024

Troubleshooting Tip: SSL VPN is not working after configuring SSL VPN in Policy-based NGFW Mode FortiGate

Description
This article describes how to configure a FortiGate running in Policy-based NGFW Mode so that SSL VPN works.

Scope
FortiGate.

Solution

Generally, SSL VPN is implemented in FortiGates as per the following documents:

SSL VPN full tunnel for remote user
SSL VPN Full Tunnel Setup for Remote Users

After SSL VPN has been configured as shown in the screenshots below, the FortiGate is expected to start the sslvpnd process.

[Screenshot: Capturesslpvn2.JPG]

[Screenshot: Capturesslpvn1.JPG]

The command below can be used to check whether sslvpnd is running or not.

xenon-kvm133 # diagnose sys process pidof sslvpnd
2474


However, on a FortiGate running in Policy-based NGFW Mode, this configuration alone does not start sslvpnd, so users are unable to connect to the SSL VPN.

xenon-kvm133 # diagnose sys process pidof sslvpnd
xenon-kvm133 #

This is because a FortiGate in Policy-based NGFW Mode has two kinds of policies:

  1. Security policy (configurable from the GUI).
  2. Firewall policy (only configurable from CLI).

A firewall policy must be configured as well for SSL VPN to work on a FortiGate running in Policy-based NGFW Mode.

config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set groups "Ldap_auth_vpnusers"
    next
end

Either a single general firewall policy that lists all the user groups referenced in the SSL VPN authentication rule can be configured to match all users, or a separate policy can be created per user group.

After the firewall policy for the SSL VPN user group has been configured, the sslvpnd process starts.

xenon-kvm133 # diagnose sys process pidof sslvpnd
2832
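The check above can be automated against a saved configuration backup. The following is an added example, not code from the Fortinet article: it parses a FortiOS-style "config / edit / set / next / end" dump, collects the user groups referenced in the SSL VPN authentication rules, and reports any group that has no firewall policy with srcintf "ssl.root", which is the missing piece the article describes for Policy-based NGFW Mode. It also parses the output of "diagnose sys process pidof sslvpnd" so the two symptoms can be correlated. The sample configuration, group names and policy IDs are constructed for illustration.

```python
"""Added example: audit a FortiOS config dump for SSL VPN groups that lack a
firewall policy from ssl.root (the Policy-based NGFW Mode condition in the
article). Config grammar and sample values are assumptions, not Fortinet code."""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config <table>' and 'edit <id>' open nested dicts, 'set <key> <values...>'
    stores the value list, and 'next' / 'end' close the current block.
    Other statements (unset, append, ...) are ignored for this audit."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double quotes around values
        keyword = tokens[0]
        if keyword == "config":
            node = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(node)
        elif keyword == "edit":
            node = stack[-1].setdefault(tokens[1], {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def sslvpn_groups(cfg):
    """User groups referenced by the SSL VPN authentication rules."""
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    groups = set()
    for rule in rules.values():
        groups.update(rule.get("groups", []))
    return groups


def ssl_policy_groups(cfg):
    """User groups already covered by a firewall policy with srcintf ssl.root."""
    covered = set()
    for policy in cfg.get("firewall policy", {}).values():
        if "ssl.root" in policy.get("srcintf", []):
            covered.update(policy.get("groups", []))
    return covered


def missing_policy_groups(text):
    """SSL VPN groups that have no ssl.root firewall policy, sorted."""
    cfg = parse_fortios(text)
    return sorted(sslvpn_groups(cfg) - ssl_policy_groups(cfg))


def sslvpnd_pid(pidof_output):
    """Parse 'diagnose sys process pidof sslvpnd' output: PID, or None if empty."""
    value = pidof_output.strip()
    return int(value) if value.isdigit() else None


# Constructed sample: two groups in the SSL VPN authentication rule, but only
# one of them is matched by a firewall policy from ssl.root.
SAMPLE_CONFIG = """
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 10443
    config authentication-rule
        edit 1
            set groups "Ldap_auth_vpnusers" "Contractors"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set groups "Ldap_auth_vpnusers"
    next
end
"""

if __name__ == "__main__":
    # An empty pidof result together with uncovered groups points at the
    # missing firewall policy described in the article.
    print("sslvpnd PID:", sslvpnd_pid(""))
    print("groups without an ssl.root policy:", missing_policy_groups(SAMPLE_CONFIG))
```

Run it against a `show full-configuration` export saved to a file (replace `SAMPLE_CONFIG` with the file contents); an empty result from `missing_policy_groups` together with a numeric PID from `sslvpnd_pid` is the healthy state shown in the last output above.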

Notes:

  • From v7.6.0, FortiGate models with 2GB of memory no longer support SSL VPN.
  • From v7.6.3, SSL VPN tunnel mode is no longer available in the GUI or CLI, and web mode is now labeled Agentless VPN. Before upgrading, planning and migration from SSL VPN to IPsec VPN may be required.
  • When upgrading from earlier firmware versions, any SSL VPN tunnel mode settings are not retained and no longer function.

Refer to this article for FortiGate SSL VPN changes: Technical Tip: SSL VPN support on FortiGate models.