This article describes how to allow the magic packet through the FortiGate. The user sends the magic packet over SSL VPN with the 'WakeMeOnLan' application.
FortiGate v7.4, v7.2 and v7.0.
Create a firewall policy that will allow the traffic from the remote user:
config firewall policy
    edit 3
        set name "SSLVPN-Inbound"
        set srcintf "ssl.root"
        set dstintf "port4"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.1.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "VPN-GROUP"
    next
end
Create a multicast address object:
config firewall multicast-address
    edit "192.168.1.255"
        set type broadcastmask
        set associated-interface "port4"
        set subnet 192.168.1.0 255.255.255.0
    next
end
The WoL tool uses the broadcast address of the target remote computer and UDP port 40000 when sending the magic packet.
Create a multicast policy and use the multicast-address object created above:
config firewall multicast-policy
    edit 1
        set name "WoL-Allow"
        set logtraffic enable
        set srcintf "ssl.root"
        set dstintf "port4"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.1.255"
        set protocol 17
        set start-port 40000
        set end-port 40000
    next
end
From the WoL tool, add the target computer by selecting File -> Add new computer.
Select Option -> In 'Send the Wake-On-LAN Packets to', choose 'Broadcast Address According to IP Address'.
Send the Magic Packet by selecting the WakeUp icon.
(Optional) It is possible to run the sniffer on the FortiGate to check if the magic packet has been forwarded out of the LAN internal interface while trying to wake up the remote computer:
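As an added example (not part of the original article, and not Fortinet's or the WoL tool's code), the Python below checks a datagram seen in such a capture against what the multicast policy is meant to pass: a destination equal to the subnet broadcast address, UDP port 40000, and a well-formed magic packet payload. The MAC address and sample payload are constructed, the function names are hypothetical, and the magic packet is assumed to start at the first byte of the UDP payload.

```python
import ipaddress
import re

WOL_PORT = 40000  # UDP port the article's WoL tool uses

def directed_broadcast(subnet: str) -> str:
    """Broadcast address of a subnet, e.g. '192.168.1.0/24' -> '192.168.1.255'."""
    return str(ipaddress.ip_network(subnet, strict=True).broadcast_address)

def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    hexmac = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexmac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(hexmac) * 16

def parse_magic_packet(payload: bytes):
    """Return the target MAC if payload is a well-formed magic packet, else None.
    A 4- or 6-byte SecureOn password trailer is accepted."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None  # the 16 repetitions do not all match
    return ":".join(f"{b:02x}" for b in mac)

def check_capture(hex_payload: str, dst_ip: str, dst_port: int, subnet: str):
    """Compare one sniffed UDP datagram with what the multicast policy should pass."""
    problems = []
    if dst_ip != directed_broadcast(subnet):
        problems.append("destination is not the subnet broadcast address")
    if dst_port != WOL_PORT:
        problems.append(f"destination port is not {WOL_PORT}")
    mac = parse_magic_packet(bytes.fromhex(hex_payload))
    if mac is None:
        problems.append("payload is not a magic packet")
    return mac, problems

if __name__ == "__main__":
    # Constructed sample: payload for a made-up MAC, sent to the article's subnet.
    sample = build_magic_packet("00:11:22:33:44:55").hex()
    print(check_capture(sample, "192.168.1.255", 40000, "192.168.1.0/24"))
```

An empty problem list together with the expected MAC means the datagram leaving the LAN interface is the one the target computer's NIC is waiting for.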