fh_core
New Member
January 8, 2020
Question

IPv4 Policy SSL.ROOT with no traffic

  • January 8, 2020
  • 1 reply
  • 4478 views

Good Morning,

there is a small problem and I can't get it right.

We use some small 61E for remote purposes and everything works well.

Except for the SSL VPN Web.

----------------------------------------------------------

config firewall policy
    edit 110
        set name "SSL-Remote-AT12N4"
        set uuid 96a7334c-8d0b-51e9-8017-d3f1cdbad98d
        set srcintf "ssl.root"
        set dstintf "wan2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "RDSSX"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set utm-status enable
        set groups "XA12N4"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

----------------------------------------------------

It is needed so that SSL VPN Web mode works.

If I disable it, the SSL VPN no longer works.

BUT this policy does not get ANY traffic (0 Bytes).

As a result, the security rating shows that a policy is not used.

Can somebody help me and tell what I have to do to make it work as intended?
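As an added example (not code from the poster or from Fortinet), here is a small Python parser for the `config firewall policy` CLI format quoted above. It pulls out the settings a reviewer would check first when an SSL VPN policy shows no traffic: destination interface, NAT, UTM state, user groups and services. The sample input embeds the policy from the post plus a second, constructed LAN policy for contrast; the assumption that an absent `set nat` line means NAT is disabled reflects how FortiOS prints only non-default values.

```python
import shlex

# Sample input: the policy quoted in the post, followed by a second policy
# constructed here purely for contrast (it is not from the thread).
SAMPLE_CONFIG = """
config firewall policy
    edit 110
        set name "SSL-Remote-AT12N4"
        set uuid 96a7334c-8d0b-51e9-8017-d3f1cdbad98d
        set srcintf "ssl.root"
        set dstintf "wan2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "RDSSX"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set utm-status enable
        set groups "XA12N4"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 111
        set name "LAN-to-Internet-constructed"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios_policies(text):
    """Parse the 'config firewall policy' section of a FortiOS CLI dump.

    Returns one dict per 'edit <id>' block. Every 'set' key maps to the
    list of its values, because many keys (srcintf, service, groups, ...)
    legitimately take several values.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles the quoted names
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2 and current is None:
            current = {"id": int(tokens[1])}
        elif tokens[0] == "set" and len(tokens) >= 3 and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def summarize_sslvpn_policy(policy, tunnel_intf="ssl.root"):
    """Pick out the settings the replies ask about for one policy.

    Returns None when the policy does not source from the SSL VPN tunnel
    interface. Assumption: FortiOS prints 'set nat enable' only when NAT is
    on, so a missing 'nat' key means disabled; 'utm-status' behaves alike.
    """
    if tunnel_intf not in policy.get("srcintf", []):
        return None

    def first(key, default):
        return policy.get(key, [default])[0]

    return {
        "id": policy["id"],
        "name": first("name", ""),
        "dstintf": policy.get("dstintf", []),
        "nat": first("nat", "disable") == "enable",
        "utm": first("utm-status", "disable") == "enable",
        "groups": policy.get("groups", []),
        "services": policy.get("service", []),
    }


def sslvpn_policy_report(text, tunnel_intf="ssl.root"):
    """Parse a config dump and return summaries of every SSL VPN policy."""
    summaries = []
    for policy in parse_fortios_policies(text):
        summary = summarize_sslvpn_policy(policy, tunnel_intf)
        if summary is not None:
            summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in sslvpn_policy_report(SAMPLE_CONFIG):
        print(f"policy {s['id']} ({s['name']}): dstintf={s['dstintf']} "
              f"nat={s['nat']} utm={s['utm']} groups={s['groups']} "
              f"services={s['services']}")
```

Run against a full `show firewall policy` dump, the report lists only policies whose source is the tunnel interface, so the NAT and group settings under discussion can be compared across every SSL VPN policy at once rather than read out of the raw CLI text.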

 

1 reply

_aey_
New Member
January 8, 2020

Hi,

dstintf "wan2"

Is it correct?

ede_pfau
SuperUser
January 8, 2020

So, what exactly is your intention?

I see this policy allows SSL VPN users to access a server on the net (RDSSX). Have you checked that NAT is enabled?

fh_core (Author)
New Member
January 8, 2020

dstintf "wan2" is correct; it is the hardware port, but we configured it software-wise as a LAN port.

I tried NAT and without NAT without noticing any difference.

My understanding of how SSL VPN Web mode works is that the user connects to the FortiGate; after he passes authentication, the FortiGate establishes (in my case) an RDP connection and displays the visual content to the user.

Is that correct?

In this case it would not matter if NAT is enabled or disabled, because the FortiGate has direct access to the wan2 interface.