akileshc
Staff
Article Id 399772
Description This article describes how to resolve SSL VPN requests being dropped by the FortiGate. The problem occurs when the firewall does not respond to requests on port 10443, even though a local-in policy appears to be configured to allow traffic on this port.
Scope FortiGate.
Solution

When SSL VPN traffic is received on a custom port such as 10443, FortiGate must have all required SSL VPN configurations in place. Otherwise, the system does not dynamically create a matching local-in policy, resulting in dropped traffic.

This behavior can be confirmed with a debug flow trace (see the related article "Debugging the packet flow"):

2025-06-24 10:32:58 id=65308 trace_id=21 func=__iprope_check line=2421 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
2025-06-24 10:32:58 id=65308 trace_id=21 func=iprope_policy_group_check line=4902 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
2025-06-24 10:32:58 id=65308 trace_id=21 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"

These log entries show that the packet reached the local-in handler and matched no local-in policy ("check failed on policy 0"), so the FortiGate drops the connection on port 10443.

 

To resolve this, ensure that all essential SSL VPN configurations are completed. This includes:

  • Defining SSL VPN users and adding them to a user group.

  • Configuring the SSL VPN portal.

  • Setting up SSL VPN settings, including:

    • Listening interface.

    • Port (e.g., 10443).

    • Certificate.

  • Creating the necessary firewall policies to allow SSL VPN access. For a detailed, step-by-step guide on configuring SSL VPN, refer to the following document: SSL VPN full tunnel for remote user

 

To confirm whether a dynamic local-in policy exists that permits traffic on port 10443, check either the GUI or the CLI:

 

GUI:

 

[Screenshot: Local-In-Policy.png, the dynamic local-in policy as shown in the GUI]

 

CLI:

 

diagnose firewall iprope list | grep '10443' -A 1 -B 11
policy index=4294967295 uuid_idx=35 action=accept
flag (0):
schedule()
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=1 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15788,
dest(1): 10.5.63.82-10.5.63.82, uuid_idx=0,
service(2):
[6:0x3:0/(0,65535)->(10443,10443)] flags:0 helper:auto
[17:0x3:8900/(0,65535)->(10443,10443)] flags:0 helper:auto
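To make the two checks above repeatable, here is an added helper script (not part of this article or of FortiOS) that parses pasted CLI output offline. It flags debug flow traces that ended in a local-in drop on "policy 0", and it scans 'diagnose firewall iprope list' output for an accept policy whose service entry covers the SSL VPN port. The sample inputs are copied from the outputs shown in this article; the function and variable names are this script's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three debug flow lines shown in this article.
DEBUG_FLOW_SAMPLE = """\
2025-06-24 10:32:58 id=65308 trace_id=21 func=__iprope_check line=2421 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
2025-06-24 10:32:58 id=65308 trace_id=21 func=iprope_policy_group_check line=4902 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
2025-06-24 10:32:58 id=65308 trace_id=21 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"
"""

# Constructed sample: the 'diagnose firewall iprope list' excerpt shown in this article.
IPROPE_SAMPLE = """\
policy index=4294967295 uuid_idx=35 action=accept
flag (0):
schedule()
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=1 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15788,
dest(1): 10.5.63.82-10.5.63.82, uuid_idx=0,
service(2):
[6:0x3:0/(0,65535)->(10443,10443)] flags:0 helper:auto
[17:0x3:8900/(0,65535)->(10443,10443)] flags:0 helper:auto
"""

# A local-in drop reported by fw_local_in_handler; "policy 0" means nothing matched.
LOCAL_IN_DROP_RE = re.compile(
    r'trace_id=(?P<trace>\d+) func=fw_local_in_handler .*'
    r'msg="iprope_in_check\(\) check failed on policy (?P<policy>\d+), drop"'
)


def find_local_in_drops(debug_flow: str) -> List[Dict[str, int]]:
    """Return one record per debug flow trace that ended in a local-in drop."""
    drops = []
    for line in debug_flow.splitlines():
        m = LOCAL_IN_DROP_RE.search(line)
        if m:
            drops.append({"trace_id": int(m.group("trace")),
                          "policy": int(m.group("policy"))})
    return drops


# One policy header line, e.g. "policy index=4294967295 uuid_idx=35 action=accept".
POLICY_RE = re.compile(r"^policy index=(?P<index>\d+) .*action=(?P<action>\w+)")
# One service entry: [proto:flags:misc/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
SERVICE_RE = re.compile(
    r"^\[(?P<proto>\d+):[^/]*/\((?P<sp_lo>\d+),(?P<sp_hi>\d+)\)"
    r"->\((?P<dp_lo>\d+),(?P<dp_hi>\d+)\)\]"
)


def parse_iprope_policies(output: str) -> List[Dict]:
    """Split iprope list output into policies, each with its service entries."""
    policies: List[Dict] = []
    current: Optional[Dict] = None
    for line in output.splitlines():
        pm = POLICY_RE.match(line)
        if pm:
            current = {"index": int(pm.group("index")),
                       "action": pm.group("action"), "services": []}
            policies.append(current)
            continue
        sm = SERVICE_RE.match(line)
        if sm and current is not None:
            current["services"].append({
                "proto": int(sm.group("proto")),
                "dport": (int(sm.group("dp_lo")), int(sm.group("dp_hi"))),
            })
    return policies


def accepting_policy_for_port(output: str, port: int, proto: int = 6) -> Optional[int]:
    """Index of the first accept policy whose service covers proto/port, else None."""
    for pol in parse_iprope_policies(output):
        if pol["action"] != "accept":
            continue
        for svc in pol["services"]:
            lo, hi = svc["dport"]
            if svc["proto"] == proto and lo <= port <= hi:
                return pol["index"]
    return None


if __name__ == "__main__":
    # Expected with the samples above: one drop on policy 0, and an accept policy for TCP 10443.
    print("local-in drops:", find_local_in_drops(DEBUG_FLOW_SAMPLE))
    print("accept policy for TCP/10443:", accepting_policy_for_port(IPROPE_SAMPLE, 10443))
```

Paste the real 'diagnose debug flow' and 'diagnose firewall iprope list' output into the two sample variables; a drop record with policy 0 together with no accept policy for the port is the condition this article describes, while a drop alongside an existing accept entry points at a different cause (for example the interface, destination address, or protocol not matching).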

 

Note:

This behavior also applies to other types of traffic directed to the FortiGate, including BGP. If none of these steps resolve the issue, contact Fortinet Technical Support for further assistance.
