Article Id 336800
Description

This article describes how to allow SSL VPN when the FortiGate is operating in NGFW policy-based mode. By default, SSL VPN connections are not allowed in this mode until a matching SSL Inspection & Authentication policy exists.

Scope

FortiGate, FortiClient.

Solution

When configuring SSL VPN in NGFW policy-based mode, after configuring the following:

  1. SSL VPN Settings:

(screenshot: SSL-VPN Settings)

  2. SSL VPN Portal:

(screenshot: SSL-VPN Portal)

  3. Security Policy:

(screenshot: Firewall Policy)

  4. FortiClient: when trying to connect, the following message is displayed on the FortiClient:

(screenshot: FortiClient)

 

If no relevant SSL Inspection & Authentication policy is configured, the SSL VPN daemon does not run at all: 'diagnose sys process pidof sslvpnd' returns no PID (no matter how many times it is repeated), and 'fnsysctl killall sslvpnd' finds nothing to kill.

FGT # diagnose sys process pidof sslvpnd

FGT # fnsysctl killall sslvpnd
killall: sslvpnd: no process killed

FGT #


Running the following debug commands during a connection attempt shows no debug messages, because there is no sslvpnd process to produce them:

 

diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
diagnose debug enable

<no output>

 

However, the sniffer shows the incoming packets reaching the FortiGate:

(screenshot: Sniffer)

 

The debug flow output shows the packets being dropped by the implicit deny (policy 0): 'msg="iprope_in_check() check failed on policy 0, drop"'.

(screenshot: debug flow output for the SSL VPN connection attempt)


Resolution:

Create a dedicated SSL-Inspection & Authentication Policy for SSL VPN.

Note: Many deployments use fairly generic SSL Inspection & Authentication policies, since in NGFW policy-based mode the actual security processing is handled by the separate set of Security Policies. To avoid disrupting non-SSL VPN traffic, configure a dedicated SSL VPN policy rather than editing existing zone-based or 'any' interface policies.

 

config firewall policy
    edit <index>
        set name "Allow_SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Users"
    next
end
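The article shows steps 1 to 3 (SSL VPN settings, portal and security policy) only as GUI screenshots. The following is an added, end-to-end CLI example for NGFW policy-based mode, not CLI taken from the article: it keeps the article's pool "SSLVPN_TUNNEL_ADDR1" and group "VPN_Users", and assumes "wan1" as the listening interface, "internal" as the LAN interface, port 10443, a custom portal named "tunnel-only" and the factory certificate. The dedicated SSL Inspection & Authentication policy is the one that makes sslvpnd start; the security policy is what then controls the tunnel traffic.

```fortios
# Added example (editor's, not from the article). Assumed names: wan1, internal,
# port 10443, portal "tunnel-only". Pool and group names match the article.

# Step 2: tunnel-mode portal handing out addresses from the article's pool.
config vpn ssl web portal
    edit "tunnel-only"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Step 1: listener and mapping of the VPN group to the portal.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "VPN_Users"
            set portal "tunnel-only"
        next
    end
end

# Resolution: dedicated SSL Inspection & Authentication policy for the tunnel.
# Without this policy sslvpnd never starts in policy-based mode.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Allow_SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Users"
    next
end

# Step 3: security policy that actually permits the tunnel users' traffic.
# Scoped to the VPN pool and group, so it cannot be matched by other traffic.
config firewall security-policy
    edit 0
        set name "SSL-VPN_to_internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Users"
        set logtraffic all
    next
end
```

After applying this, 'diagnose sys process pidof sslvpnd' should return a PID and 'diagnose debug application sslvpn -1' should produce output on the next connection attempt. Keep both the SSL Inspection & Authentication policy and the security policy restricted to the tunnel pool and the VPN group rather than "all" sources, so that a stolen or guessed credential does not automatically gain access to everything behind the FortiGate.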

 

(screenshot: Inspection & Authentication policy)

 

After this change, the FortiGate will start to process incoming SSL VPN traffic. Diagnostic commands also show one or more running sslvpnd processes:

 

FGT # diagnose sys process pidof sslvpnd
4998

FGT #

 

If the sslvpnd debug output for a connection attempt with a local test user shows 'got user (0) group (0:0)' and the attempt fails with 'sslvpn_login_unknown_user', the user is not a member of any group referenced by the SSL Inspection & Authentication policy:

 

diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.
diagnose debug enable

<additional output>

[4998:root:99]fsv_logincheck_common_handler:1450 user 'jsmorth' has a matched local entry.
[4998:root:99]sslvpn_auth_check_usrgroup:3072 forming user/group list from policy.
[4998:root:99]sslvpn_auth_check_usrgroup:3119 got user (0) group (0:0).
[4998:root:99]no valid user or group candidate found.
[4998:root:99]login_failed:480 user[jsmorth],auth_type=32768 failed [sslvpn_login_unknown_user]

Ensure the user is included in the user group configured in SSL VPN settings and on the relevant SSL Inspection & Authentication Policy.

config firewall policy
    edit <index>
        set name "Allow_SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_Users"
    next
end


config user local
    edit "jsmorth"
        set type password
        set passwd <password>
    next
end

config user group
    edit "VPN_Users"
        append member "jsmorth"
    next
end

 

Authentication troubleshooting for SSL VPN in NGFW policy-based mode is otherwise the same as in the default profile-based NGFW mode. See the article Technical Tip: A quick guide to FortiGate SSL VPN authentication and common issues and misunderstand... for first steps in troubleshooting SSL VPN authentication issues.