FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amatos, Staff
Article Id 348456
Description This article describes how to block communication between users connected to the SSL VPN. In the FortiGate's default configuration, one SSL VPN user can reach another, as both are part of the same logical interface.
Scope FortiGate, SSL VPN.
Solution

When two or more users are connected to the SSL VPN, one user can reach the other via ping. For example:

User-A FortiClient information:

[Image: Client 1.png]

User-B FortiClient information:

[Image: Client 2.png]

User-A can reach User-B via ping, as shown below:

[Image: ping working.png]

In the FortiGate sniffer, note that the traffic arrives via the ssl.root interface (the SSL VPN logical interface) and leaves through the same interface:

[Image: sniffer working.png]

Also, in the debug flow, note that the traffic is being allowed:

[Image: flow working.png]

The above behavior relates to the 'allow-traffic-redirect' option, which controls whether traffic that ingresses and egresses through the same interface is allowed. If 'allow-traffic-redirect' is enabled, such traffic is allowed and is not subject to any firewall policy: the FortiGate handles it based on routing only, as in the SSL VPN example above. Further information about this configuration can be found in the linked article.

To block this SSL VPN user-to-SSL VPN user traffic, disable the allow-traffic-redirect option as below:

config system global
    set allow-traffic-redirect disable
end

With the above configuration, all traffic that ingresses and egresses the same interface now requires a firewall policy in order to pass. After 'allow-traffic-redirect' is disabled in this scenario, the behavior is as follows:

User-A can no longer reach User-B:

[Image: ping not working.png]

In the debug flow, it can be observed that this traffic from ssl.root to ssl.root is blocked because there is no firewall policy that allows it:

[Image: flow not working.png]

Note that all traffic that ingresses and egresses the same interface is affected by this setting, so it is advisable to have firewall policies in place for any such traffic that is supposed to be allowed before disabling the option.
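As an added pre-change check that is not part of this article or of Fortinet's own tooling: before disabling the option, a FortiGate configuration backup can be scanned for the current allow-traffic-redirect value and for firewall policies that already cover same-interface (hairpin) traffic such as ssl.root to ssl.root. The sample configuration text and the function names below are this example's own.

```python
"""Added pre-change check (not Fortinet's code): inspect a FortiGate
configuration backup for the allow-traffic-redirect setting and list
policies that already cover same-interface (hairpin) traffic."""
import re

# Constructed sample in FortiOS backup syntax. A backup omits
# allow-traffic-redirect while it holds its default value (enable).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
end
config firewall policy
    edit 1
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
    next
    edit 2
        set name "lan-hairpin"
        set srcintf "port2"
        set dstintf "port2"
        set action accept
    next
end
"""

def traffic_redirect_setting(config):
    """Return 'enable' or 'disable'; an absent line means the default, enable."""
    m = re.search(r"^\s*set allow-traffic-redirect (enable|disable)\s*$", config, re.M)
    return m.group(1) if m else "enable"

def hairpin_policies(config):
    """Return [(policy_id, interface)] where srcintf equals dstintf (single-interface policies assumed)."""
    block = re.search(r"^config firewall policy\n(.*?)^end$", config, re.M | re.S)
    if not block:
        return []
    found = []
    for pid, body in re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next$", block.group(1), re.M | re.S):
        src = re.search(r'set srcintf "([^"]+)"', body)
        dst = re.search(r'set dstintf "([^"]+)"', body)
        if src and dst and src.group(1) == dst.group(1):
            found.append((int(pid), src.group(1)))
    return found

def hairpin_covered(config, interface):
    """True if a policy already exists for interface -> interface traffic."""
    return any(intf == interface for _, intf in hairpin_policies(config))
```

Run it against a real backup by reading the file into a string instead of SAMPLE_CONFIG; an empty hairpin list for ssl.root means SSL VPN user-to-user traffic will be dropped once the option is disabled, which is the intended outcome here.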
