- Create a firewall policy that will allow the traffic from the remote user:
    config firewall policy
        edit 3
            set name "SSLVPN-Inbound"
            set srcintf "ssl.root"
            set dstintf "port4"
            set action accept
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "192.168.1.0/24"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "VPN-GROUP"
        next
    end
- Create a multicast address object:
    config firewall multicast-address
        edit "192.168.1.255"
            set type broadcastmask
            set associated-interface "port4"
            set subnet 192.168.1.0 255.255.255.0
        next
    end
Note:
The WoL tool sends the magic packet to the directed broadcast address of the target computer's subnet (here 192.168.1.255) on UDP port 40000, which is why the multicast address object and policy below are built around that address and port.
- Create a multicast policy and use the multicast-address object created above:
    config firewall multicast-policy
        edit 1
            set name "WoL-Allow"
            set logtraffic enable
            set srcintf "ssl.root"
            set dstintf "port4"
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "192.168.1.255"
            set protocol 17
            set start-port 40000
            set end-port 40000
        next
    end
Verification:
- From the WoL tool, add the target computer by selecting File -> Add new computer.
- Select Option -> In Send the Wake-On-LAN Packets choose 'Broadcast Address According to IP Address'.
- Send the Magic Packet by selecting the WakeUp icon.
- (Optional) Run the sniffer on the FortiGate to confirm that the magic packet is forwarded out of the internal LAN interface while the remote computer is being woken up; the diagnose sniffer packet filter on UDP port 40000 used in the zone example further down serves this purpose.
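As an added example (not part of this article and not the WoL tool's own code), the following Python script reproduces what the tool does in the verification steps above: it builds the magic packet for a target MAC, derives the subnet-directed broadcast address from the target's IP and mask (the 'Broadcast Address According to IP Address' option) and sends the packet over UDP to port 40000 so that it matches the multicast policy. It also includes a checker for the 102-byte payload that the FortiGate sniffer reports, which is useful when validating a capture. The MAC, IP and mask in the usage block are constructed sample values.

```python
import ipaddress
import socket
import sys

WOL_PORT = 40000  # matches start-port/end-port of the multicast policy above


def parse_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABBCCDDEEFF'; return 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"MAC must have 12 hex digits: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """Magic packet = 6 x 0xFF synchronisation stream + target MAC repeated 16 times
    (102 bytes), optionally followed by a 4- or 6-byte SecureOn password."""
    if secureon and len(secureon) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + secureon


def directed_broadcast(ip: str, mask: str) -> str:
    """'Broadcast Address According to IP Address': the subnet-directed broadcast
    of the target host, e.g. 192.168.1.10/255.255.255.0 -> 192.168.1.255."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.broadcast_address)


def is_magic_packet(payload: bytes) -> bool:
    """Validate a UDP payload (e.g. extracted from a capture): sync stream present and
    bytes 6..101 are one MAC repeated 16 times. Trailing SecureOn bytes are tolerated."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def send_wol(mac: str, ip: str, mask: str, port: int = WOL_PORT) -> tuple[str, int]:
    """Send the magic packet to the directed broadcast of the target's subnet.
    Returns (destination address, payload length) for logging."""
    dst = directed_broadcast(ip, mask)
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # SO_BROADCAST is required to send to a broadcast address
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (dst, port))
    return dst, len(pkt)


if __name__ == "__main__":
    # Constructed sample values; replace with the real target's MAC, IP and mask.
    target_mac = sys.argv[1] if len(sys.argv) > 1 else "00:11:22:33:44:55"
    target_ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.10"
    target_mask = sys.argv[3] if len(sys.argv) > 3 else "255.255.255.0"
    dest, size = send_wol(target_mac, target_ip, target_mask)
    print(f"sent {size}-byte magic packet to {dest}:{WOL_PORT}")
```

The 102-byte length returned by build_magic_packet is the same "udp 102" the FortiGate sniffer prints, so a capture whose payload fails is_magic_packet, or a line that shows a different length, points at the sending tool rather than at the firewall policy.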
Note:
This guide can be followed for any interface or zone, but if zones are used the source and destination must be in different zones: a multicast policy cannot be created with the same source and destination zone, and broadcast traffic is not forwarded between interfaces that belong to the same zone.
Note: If the zone facing the PC to be woken up has more than one member interface (which is quite likely in production), the WoL packet is sent out of every member port of the egress zone, which is not desirable.
Example: Here port2 is in IN-ZONE, and port4 & port5 in OUT-ZONE.
    config system zone
        edit "IN-ZONE"
            set interface "port2"
        next
        edit "OUT-ZONE"
            set interface "port4" "port5"
        next
    end
As the sniffer output below shows, the WoL packet destined for a PC behind port4 was sent out of both port4 and port5:
    diagnose sniffer packet any "port 40000" 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[port 40000]
    2024-09-12 03:32:37.817529 port2 in 10.171.14.23.56611 -> 10.190.15.255.40000: udp 102
    2024-09-12 03:32:37.817562 port4 out 10.171.14.23.56611 -> 10.190.15.255.40000: udp 102
    2024-09-12 03:32:37.817598 port5 out 10.171.14.23.56611 -> 10.190.15.255.40000: udp 102
This behavior is by design: FortiOS floods the broadcast to all members of the egress zone. To avoid it, enable broadcast-forward on the ingress interface and add a regular firewall policy whose destination addresses are the directed broadcast addresses of the target subnets, e.g.:
    config system interface
        edit "ingress_name"
            ....
            set broadcast-forward enable    <-----
        next
    end
    config firewall policy
        edit x
            set srcintf "IN-ZONE"
            set dstintf "OUT-ZONE"
            set srcaddr "WOL-SRC"
            set dstaddr "x.x.x.255" "y.y.y.255" "etc"    <----- Define these as firewall address objects.
            .....
        next
    end
Result:
The WoL packet for the PC behind port4 is now sent out of port4 only, and the one for the PC behind port5 out of port5 only:
    di sniffer packet any "port 40000" 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[port 40000]
    2024-09-14 02:17:10.791922 port2 in 10.171.14.23.51070 -> 10.190.15.255.40000: udp 102
    2024-09-14 02:17:10.792000 port4 out 10.171.14.23.51070 -> 10.190.15.255.40000: udp 102
    2024-09-14 02:18:28.419355 port2 in 10.171.14.23.55029 -> 10.202.15.255.40000: udp 102
    2024-09-14 02:18:28.419484 port5 out 10.171.14.23.55029 -> 10.202.15.255.40000: udp 102