FortiGate
syao, Staff
Article Id 285908
Description This article describes how to allow a Wake-on-LAN (WoL) magic packet through the FortiGate when a remote user sends it over SSL VPN with the 'WakeMeOnLan' application.

diagram-wol.png

Scope FortiGate v7.4, v7.2 and v7.0.
Solution
  1. Create a firewall policy that allows traffic from the remote SSL VPN user into the LAN:

config firewall policy
    edit 3
        set name "SSLVPN-Inbound"
        set srcintf "ssl.root"
        set dstintf "port4"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.1.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "VPN-GROUP"
    next
end


  2. Create a multicast address object for the directed broadcast address of the LAN subnet:

config firewall multicast-address
    edit "192.168.1.255"
        set type broadcastmask
        set associated-interface "port4"
        set subnet 192.168.1.0 255.255.255.0
    next
end


Note:

The WoL tool sends the magic packet to the directed broadcast address of the target computer's subnet on UDP port 40000, so the multicast policy must match that address, protocol 17 (UDP) and port 40000.

  3. Create a multicast policy that references the multicast-address object created above:

config firewall multicast-policy
    edit 1
        set name "WoL-Allow"
        set logtraffic enable
        set srcintf "ssl.root"
        set dstintf "port4"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.1.255"
        set protocol 17
        set start-port 40000
        set end-port 40000
    next
end

 

Verification:

  1. From the WoL tool, add the target computer by selecting File -> Add new computer.


WoL-Add PC.png

  2. Select Option -> 'Send the Wake-On-LAN Packets to' and choose 'Broadcast Address According to IP Address'.


WoL-Option.png

  3. Send the magic packet by selecting the WakeUp icon.


WoL-Wakeup.png

  4. (Optional) Run the sniffer on the FortiGate to confirm that the magic packet is forwarded out of the internal LAN interface (port4 in this example) while waking the remote computer:

FortiGate-SNIFF.png
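The note above states that the WoL tool sends to the subnet's broadcast address on UDP port 40000, and the sniffer step asks you to confirm the packet actually leaves port4. The following Python script is an added example, not part of this Fortinet article and not code from Fortinet or from the WoL tool: it computes the directed broadcast address that the multicast-address object must name, builds a magic packet in the standard format (6 bytes of 0xFF followed by the target MAC repeated 16 times), and validates a UDP payload taken from a sniffer capture so you can tell a well-formed magic packet from stray broadcast traffic. The subnet, MAC address, port constant and function names are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Constructed values for this example (placeholders, not from the article):
# the LAN subnet matches the article's 192.168.1.0/24 example network and the
# MAC address is a hypothetical remote PC.
LAN_SUBNET = "192.168.1.0/24"
TARGET_MAC = "00:11:22:33:44:55"
WOL_PORT = 40000    # UDP port the WoL tool in the article sends to

SYNC = b"\xff" * 6  # magic packet synchronisation stream


def directed_broadcast(subnet: str) -> str:
    """Directed broadcast address of a subnet, e.g. 192.168.1.0/24 -> 192.168.1.255.

    This is the address the WoL tool's 'Broadcast Address According to IP Address'
    option targets, and the one the firewall multicast-address object must name.
    """
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet: 6 bytes of 0xFF followed by the target MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return SYNC + mac_bytes * 16


def parse_magic_packet(payload: bytes):
    """Check whether a UDP payload (e.g. one lifted from a sniffer capture) is a
    well-formed magic packet and return the target MAC it would wake, or None.

    Accepts 102 bytes (plain) or 106/108 bytes (4- or 6-byte SecureOn password
    appended). Any other length, a wrong sync stream, or 16 MAC copies that do
    not all agree is rejected.
    """
    if len(payload) not in (102, 106, 108) or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if any(payload[6 + 6 * i : 12 + 6 * i] != mac for i in range(16)):
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, subnet: str, port: int = WOL_PORT) -> int:
    """Send the magic packet to the subnet's directed broadcast over UDP,
    mirroring what the WoL tool does across the SSL VPN. Not called on import."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (directed_broadcast(subnet), port))


if __name__ == "__main__":
    pkt = build_magic_packet(TARGET_MAC)
    print("destination:", directed_broadcast(LAN_SUBNET), "udp/%d" % WOL_PORT)
    print("payload length:", len(pkt), "target MAC:", parse_magic_packet(pkt))
    # A truncated capture is not a valid magic packet:
    print("truncated payload parses as:", parse_magic_packet(pkt[:-1]))
```

To check a sniffer result, copy the UDP payload bytes of the frame seen on port4 into parse_magic_packet(): if it returns the MAC of the computer you tried to wake, the multicast policy forwarded a well-formed packet and any remaining failure lies with the NIC or BIOS WoL settings on the target; if it returns None, the packet was altered or truncated in transit. The validator deliberately rejects payloads whose 16 MAC copies disagree, because a NIC will ignore such a packet even though it starts with the 0xFF sync stream.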
