Skip to main content
hakim_okabe
hakim_okabe
Visitor III
June 8, 2025
Question

[SOLVED] SSL VPN User can't ping spesific IP but the firewall policy is already created

  • June 8, 2025
  • 1 reply
  • 951 views

I can't seems to get this working, I want if somebody connect to User SSLV VPN via FortiClient then they can connect to any local device at least by ping, but specifically for this I want them to connect to Synology NAS IP which is 192.168.110.81

 

I have added this policy

```===

config firewall policy
edit 7
set name "SSLVPN_FortiClient_Outgoing"
set uuid fb89aba2-f0f5-51ee-81b1-c690350fbb9d
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "MGMT_Device" "MGMT_DEVICE" "SYNOLOGI"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "Server-AV"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "Server-IPS"
set application-list "default"
set logtraffic all
set groups "SSLVPN_USER"
set nat enable
next
end

===```

 

but  still seems can't get it work

If I change [set srcintf "ssl.root" ] into other local VLAN like 192.168.60.xxx then it work perfectly and they can ping all device just fine. but for some reason this not work for forticlient user

 

Do I need to add any other additional config? any help is appreciated

 

for reference here is what each Destination means

MGMT Device

```===
edit "MGMT_Device"
set uuid 799bdc28-f2c1-51ee-e18a-f410c9f2a87f
set color 23
set subnet 192.168.110.0 255.255.255.0
next

```===

 

MGMT Device

```===
edit "MGMT_DEVICE"
set uuid 4762488c-f2c1-51ee-b4a8-82d1736beede
set associated-interface "internal"
set color 23
set subnet 192.168.110.0 255.255.255.0
next

```===

 

SYNOLOGI

```===
edit "SYNOLOGI"
set uuid 464e98ee-4012-51ef-8b30-ef0c39958e80
set associated-interface "internal"
set color 16
set subnet 192.168.110.81 255.255.255.255
next

```===

 

EDIT:

[SOLVED]

Sorry guys, it seems the problem is with my license, it only allow maximum of 25 users. so I just delete many old users and it works again now.

1 reply

funkylicious
SuperUser
funkylicious
SuperUser
June 8, 2025

if you start a debug/packet capture while user is connected to the sslvpn, what do you see in the logs for the traffic ?

 

for testing purposes i would suggest to disable all security profiles like dns filter, web filter etc and would restrict only certain traffic/ports in SERVICES.

also, as destination addresses you have a duplicate of the subnet and would disable one or just leave the one with the NAS ip.

NAT is nice, but not mandatory unless you dont have a route/default back to the FGT.

 

the sslvpn setting and sslvpn portal config would be nice to see in order to help more.

"jack of all trades, master of none"
    hakim_okabe
    hakim_okabeAuthor
    Visitor III
    June 8, 2025

     

    thanks for the reply. for now I make 2 firewall policy with only each ip address which is 

    1. SSLVPN > Server [SERVER_ASCEND = subnet 192.168.110.17 255.255.255.255]

    ```====
    set name "SSLVPN > Server"
    set uuid fb887b5c-4436-51f0-a768-a37ee1ac460c
    set srcintf "ssl.root"
    set dstintf "internal"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "SERVER_ASCEND"
    set action accept
    set schedule "always"
    set service "ALL"
    set utm-status enable
    set ssl-ssh-profile "certificate-inspection"
    set av-profile "Server-AV"
    set webfilter-profile "default"
    set dnsfilter-profile "default"
    set ips-sensor "Server-IPS"
    set application-list "default"
    set logtraffic all
    set groups "SSLVPN_USER"
    set comments " (Copy of SSLVPN > Synology)"
    set nat enable
    ===```


    2. SSLVPN > Server [Synology = subnet 192.168.110.81 255.255.255.255]

    ```====
    set name "SSLVPN > Synology"
    set uuid 3edf672e-4434-51f0-17d3-aa436fdc8fcb
    set srcintf "ssl.root"
    set dstintf "internal"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "Synology_IP"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set groups "SSLVPN_USER"
    set nat enable
    ===```


    with above configuration SSL Users now can ping and connect to 110.17, but still can't connect to IP other than 110.17 like 110.81 or 110.121, or other ip address even though I already put same firewall policy


    below is my SSL-VPN Settings
    ssl-vpn.png


    and below is ssl-vpn portals

    ssl portal.png

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    June 8, 2025

    I would double check that in sslvpn settings under Authentication/Portal mapping you have the user group SSLVPN_USER mapped to the portal Okabe_Gallery.

    then, I would make sure that the user that connects to it is part of the group

    next, after connecting to the vpn i would check that you get the routes installed ( route print -4 in cmd if using windows ) you can see the IP addresses of the objects Admin_Station, SERVER_ASCEND and Synology_IP .

     

    "jack of all trades, master of none"
    Terms & ConditionsAccessibility statement