nai
New Member
March 3, 2022
Question

SSL VPN Policy with IPS Sensor not working

  • March 3, 2022
  • 2 replies
  • 3581 views

Hi,

I'm configuring an SSL VPN tunnel with an IPS sensor enabled on its policy.

The IPS sensor only monitors everything.

The remote user can connect to the SSL VPN, but cannot reach the server behind the SSL VPN.

Everything works fine if I remove the IPS sensor.

Can somebody help me and tell me what I have to do to make it work as intended?

Or is an SSL VPN policy not supposed to have an IPS sensor enabled?


2 replies

Vando_Pereira
Staff
March 3, 2022

Hello Nai,


So it works without the IPS profile activated in the policy?

When the IPS profile is active, do you see any logs in:

  • Log & Report > Intrusion Prevention?

In the IPS Sensor configuration, do you have the signature action set to "Default", or changed to "Monitor"?


You can try to do:

  • diag debug flow filter saddr <remote_user_ip>
  • diag debug flow trace start 10 (or a bigger number so you can see what's happening)
  • diag debug enable -> to activate the debug.

I think this should be enough for you to get an idea of what's going on behind the scenes and to retrieve more information that can lead to the resolution of the problem.


Best regards.

nai
Author
New Member
March 4, 2022

Yes, it works without the IPS profile activated.

There is no IPS log for the related policy.

All signatures were changed to monitor.


This is the debug log:

id=20085 trace_id=21 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=0."
id=20085 trace_id=21 func=init_ip_session_common line=5771 msg="allocate a new session-c29e00c6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-zzz.zzz.zz.z via port32"
id=20085 trace_id=21 func=fw_forward_handler line=781 msg="Allowed by Policy-208: SNAT"
id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=22 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5686 msg="Find an existing session, id-c29e00c6, original direction"
id=20085 trace_id=22 func=npu_handle_session44 line=1139 msg="Trying to offloading session from ssl.VPN to port32, skb.npu_flag=00000000 ses.state=01003204 ses.npu_state=0x00041008"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=396 msg="state=01003204, state2=00000001, npu_state=00041008"

The rest of the debug log is just a repetition of the 4 lines of trace_id 22.

From the debug log, the packet already finds its route and is allowed by the policy.


But, from Log & Report > Forward Traffic, the packet is blocked by policy 0, which means there is no matching policy.

Vando_Pereira
Staff
March 4, 2022

In the SSL VPN policy, which mode is the SSL inspection in?

nai
Author
New Member
March 4, 2022

Hi Vando_Pereira,

I'm using the SSL inspection profile certificate-inspection, the default one from FortiGate.

When using this SSL inspection profile in the policy, without IPS enabled, the SSL VPN still works as expected.