Skip to main content
spartan
spartan
New Member
November 7, 2024
Question

Fortigate ssl-vpn portal "Enabled for Trusted Destinations" problem

  • November 7, 2024
  • 3 replies
  • 2638 views

Hello,

 

I aim to get all the traffic of my VPN users on the firewall, except meeting, YouTube, etc. traffic. I proceeded with the information I found on the internet, set my sslvpn portal settings to "Enabled for Trusted Destinations", and left the "routing address override" field blank. I created policies to manipulate the IPs through the policy for the traffic that I want users to not come to my firewall. I wrote youtube etc addresses with negate destination in the policies.

 

When I did these, I expected it to work correctly, it worked but it worked with problems. When I ask for a route to any IP address on the client, it enters the tunnel. When I ask for YouTube, the client uses its own internet output. The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. When the "routing address override" section is left blank, do these IPs appear by default? Is there a field to reset this area? No matter what I did I couldn't fix it, please help.

 

Thanks.

 

3 replies

johnathan
Staff
johnathan
Staff
November 7, 2024

'The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. '

This statement is a little unclear, are you saying that you are seeing some internal traffic (local to the firewall) be incorrectly routed to a VPN user? Maybe a sniffer output of what you are seeing would help.

Never trust a computer you can't throw out a window.
spartan
spartanAuthor
New Member
November 8, 2024

Hi Johnathan,

 

I will try to explain the problem with screenshots.

 

Sslvpn portal; tunnel mode place

sslvpn_portal.png

 

Firewall policy

policy.png

 

This is the test1  from client pc(my pc)

ping_ipchicken.png

 

test2

ping_youtube.png

 

test3

ping_8.8.8.8.png 

 

test4

ping_microsoft.png

 

test5 

ping_instagram.png

 

192.168.1.1 => my home internet connection 

10.109.204.1 => sslvpn tunnel

 

As you can see, I tried the fqdns I specified in the policy in test1 and test2 and accessed them from my home internet as it should.

 

As I expected in test3,4,5; Since I did not specify the IP addresses in the policy, it directed me to the tunnel.

 

-

Although I did not specify it, it also directs some of the company's networks to the home internet in my route table. I don't understand why it does this even though I haven't stated it anywhere. Since these networks are critical networks, people become unable to work.

netstat.png

 

I hope it was explanatory. By the way, the firewall version is 7.0.14

 

 

 

 

 

 

 

 

 

johnathan
Staff
johnathan
Staff
November 8, 2024

Why do we have those destinations in the policy negated?
Seems like as per this article, with that enabled it will send ALL traffic except for the ones in the policy to the tunnel:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Exclude-some-traffic-from-SSL-VPN-using-Trusted/ta-p/230575

Never trust a computer you can't throw out a window.
spartan
spartanAuthor
New Member
November 11, 2024

So why do some 10.0.0.0/8 networks, which are not specified in the policy, provide access from the user's own internet as if it were written in the rule?

Terms & ConditionsAccessibility statement