Description | This article describes how to block communication between users connected to the SSL VPN. In the FortiGate's default configuration, one SSL VPN user can reach another, as both are part of the same logical interface. |
Scope | FortiGate, SSL VPN. |
Solution |
When two or more users are connected to the SSL VPN, one user can reach the other via ping. For example:
User-A FortiClient information:
User-B FortiClient information:
User-A can reach User-B via pings as below:
In the FortiGate sniffer, note that the traffic arrives via the ssl.root interface (the SSL VPN logical interface) and leaves through the same interface:
Also, in the debug flow, note that traffic is being allowed:
The above behavior relates to the configuration of the option 'allow-traffic-redirect'. This setting allows or blocks traffic that ingresses and egresses via the same interface. If 'allow-traffic-redirect' is enabled, such traffic is allowed without being matched against any firewall policy: the FortiGate handles it based on routing alone, as in the above example with the SSL VPN users. Further information about this configuration can be found in the linked article.
To block this SSL VPN user to SSL VPN user traffic, it is necessary to disable the option 'allow-traffic-redirect', as below:
config system global
    set allow-traffic-redirect disable
end
With the above configuration, all traffic that ingresses and egresses the same interface now requires a matching firewall policy in order to be passed. After disabling 'allow-traffic-redirect' in this scenario, the behavior is as follows:
User-A cannot reach User-B anymore:
Note that this is a global setting: all traffic that ingresses and egresses the same interface, on any interface, is impacted by it. It is therefore advisable to have firewall policies in place for all same-interface traffic that is supposed to be allowed before disabling this option. |
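The advice above (inventory the same-interface traffic and cover it with policies before disabling the option) can be checked with a small script. The following is an added example, not part of the article and not a Fortinet tool: it parses constructed sample output in the `diagnose sniffer packet` verbose-4 layout, pairs the `in` and `out` lines of each flow to find flows that hairpin on one interface, and then reads a constructed `config firewall policy` fragment to report which hairpin flows have no accept policy and would therefore stop working once `allow-traffic-redirect` is disabled. The sniffer line layout, the interface names (`ssl.root`, `port2`) and the addresses (the default SSL VPN pool and a LAN host) are assumptions chosen for the example.

```python
import re

# Constructed sample in the assumed layout of `diagnose sniffer packet any "icmp" 4`.
# Two SSL VPN clients ping each other (in and out on ssl.root: a hairpin),
# then one client pings a LAN host (in on ssl.root, out on port2).
SNIFFER_OUTPUT = """\
2.452337 ssl.root in 10.212.134.200 -> 10.212.134.201: icmp: echo request
2.452360 ssl.root out 10.212.134.200 -> 10.212.134.201: icmp: echo request
2.452900 ssl.root in 10.212.134.201 -> 10.212.134.200: icmp: echo reply
2.452920 ssl.root out 10.212.134.201 -> 10.212.134.200: icmp: echo reply
3.100001 ssl.root in 10.212.134.200 -> 192.168.1.10: icmp: echo request
3.100040 port2 out 10.212.134.200 -> 192.168.1.10: icmp: echo request
"""

# Constructed FortiOS config fragment: one policy ssl.root -> port2, none ssl.root -> ssl.root.
CONFIG = """\
config system global
    set allow-traffic-redirect enable
end
config firewall policy
    edit 1
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
    next
end
"""

# timestamp, interface, direction, src -> dst:
SNIFFER_RE = re.compile(r"^\s*[\d.]+\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):")


def parse_flows(sniffer_text):
    """Pair each 'in' line with the following 'out' line for the same (src, dst).
    Returns unique (src, dst, in_intf, out_intf) tuples."""
    pending = {}
    flows = []
    for line in sniffer_text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        intf, direction, src, dst = m.groups()
        key = (src, dst)
        if direction == "in":
            pending[key] = intf
        elif key in pending:
            flow = (src, dst, pending.pop(key), intf)
            if flow not in flows:
                flows.append(flow)
    return flows


def hairpin_flows(flows):
    """Flows that enter and leave through the same interface."""
    return [f for f in flows if f[2] == f[3]]


def parse_policies(config_text):
    """Extract the 'set' attributes of each entry under 'config firewall policy'."""
    policies, current, in_section = [], {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = {"id": line.split()[1]}
        elif in_section and line.startswith("set "):
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
        elif in_section and line == "next":
            policies.append(current)
    return policies


def redirect_enabled(config_text):
    """True when allow-traffic-redirect is enabled (the FortiOS default when unset)."""
    m = re.search(r"set allow-traffic-redirect (\w+)", config_text)
    return m is None or m.group(1) == "enable"


def flows_needing_policy(sniffer_text, config_text):
    """Hairpin flows with no accept policy for their interface pair.
    These are allowed today only because of allow-traffic-redirect, and will
    be dropped once it is disabled unless a policy is added first."""
    policies = parse_policies(config_text)
    missing = []
    for src, dst, intf_in, intf_out in hairpin_flows(parse_flows(sniffer_text)):
        covered = any(p.get("srcintf") == intf_in and p.get("dstintf") == intf_out
                      and p.get("action") == "accept" for p in policies)
        if not covered:
            missing.append((src, dst, intf_in))
    return missing


if __name__ == "__main__":
    print("allow-traffic-redirect enabled:", redirect_enabled(CONFIG))
    for src, dst, intf in flows_needing_policy(SNIFFER_OUTPUT, CONFIG):
        print(f"no policy for {intf} -> {intf}: {src} -> {dst}")
```

With the sample data, the two SSL VPN client-to-client flows are reported as uncovered, which is exactly the traffic the article blocks; the client-to-LAN flow is not a hairpin and is unaffected by the global setting. On a real unit the same approach applies to any interface that carries intra-interface traffic, since the option is global.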
Copyright 2024 Fortinet, Inc. All Rights Reserved.