pathik_mehta
Staff
Article Id 344474
Description This article describes how RDP sessions initiated from a FortiGate interface (on behalf of an SSL VPN web mode user) appear in the local traffic logs.
Scope FortiGate.
Solution

Setup:

  • SSL VPN web mode is enabled.
  • Bookmark configuration is not mandatory.

 

LAB (root) # config vpn ssl web portal
LAB (portal) # edit "web-access"
LAB (web-access) # show
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
    next
end
LAB (web-access) #

 

Here, 'user1' is used to log in to SSL VPN web mode.

 

[Image: sslvpn auth mapping.png]

[Image: portal setting.png]

 

When the user connects to the SSL VPN through the browser, the 'Quick connection' option becomes visible after successful authentication to SSL VPN web mode. The logon event is captured in the VPN event logs.

 

[Image: user1 authenticated.png]

 

Upon selecting 'Quick connection', multiple connection options for reaching the server are presented.

 

[Image: quick connection.png]

 

Here, the connection was initiated to the server 10.212.3.1 on port 3389.

 

LAB (root) # get router info routing-table details 10.212.3.1

Routing table for VRF=0
Routing entry for 10.212.3.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, dmz

LAB (root) #

 

config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.212.3.101 255.255.255.0
        set allowaccess ping
        set type physical
        set explicit-web-proxy enable
        set description "INTERFACE CONNECTED TO DMZ SWITCH"
        set alias "DMZ-NW"
        set role lan
        set snmp-index 1
    next
end

 

date=2024-09-24 time=18:07:07 eventtime=1727186827774232733 tz="+0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.212.3.101 srcport=16259 srcintf="Leasedline" srcintfrole="undefined" dstip=10.212.3.1 dstport=3389 dstintf="dmz" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=160893 proto=6 action="server-rst" policyid=0 service="RDP" trandisp="noop" app="RDP" duration=121 sentbyte=89711 rcvdbyte=1218169 sentpkt=987 rcvdpkt=1574 appcat="unscanned" dstosname="Windows" dstswversion="10 / 2016" masterdstmac="00:6d:65:72:2c:01" dstmac="00:6d:65:72:2c:01" dstserver=0

 

Since the traffic is generated by the firewall itself, the policyid is expected to be 0. The session becomes visible in the local traffic logs once it ends and is cleared from the session table.

 

In SSL VPN web mode, FortiGate functions as a reverse proxy, and the client is not assigned an SSL VPN IP address. When connecting to internal servers, ensure the FortiGate interface IP used for the connection is allowed on the server, because the connection originates from the FortiGate, in this case from the DMZ interface IP 10.212.3.101.
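The following is an added example, not part of the original article or of FortiOS, showing how to pick out such firewall-originated RDP sessions when reviewing exported local traffic logs: it parses FortiGate key=value log lines and flags entries where subtype is local, policyid is 0 and the source IP is one of the firewall's own interface IPs. The sample log lines are constructed (the first is modelled on the entry above), and the interface IP set is assumed to come from 'config system interface'.

```python
import shlex

# Constructed sample log lines in FortiGate key=value format (not captured from a device).
# The first mirrors the local-traffic RDP entry discussed above; the second is an
# ordinary forwarded session matched by a real policy and must not be flagged.
SAMPLE_LOGS = [
    'date=2024-09-24 time=18:07:07 logid="0001000014" type="traffic" subtype="local" '
    'vd="root" srcip=10.212.3.101 srcport=16259 srcintf="Leasedline" dstip=10.212.3.1 '
    'dstport=3389 dstintf="dmz" proto=6 action="server-rst" policyid=0 service="RDP"',
    'date=2024-09-24 time=18:09:11 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=192.0.2.10 srcport=50123 srcintf="port1" dstip=10.212.3.1 '
    'dstport=3389 dstintf="dmz" proto=6 action="accept" policyid=7 service="RDP"',
]

# Assumed: the FortiGate's interface IPs, as listed under 'config system interface'.
INTERFACE_IPS = {"10.212.3.101"}


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict (shlex keeps quoted values whole)."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_firewall_originated(fields, interface_ips=INTERFACE_IPS):
    """True for sessions generated by the FortiGate itself: local traffic log,
    policyid 0, and a source IP that belongs to one of the firewall's interfaces."""
    return (
        fields.get("type") == "traffic"
        and fields.get("subtype") == "local"
        and fields.get("policyid") == "0"
        and fields.get("srcip") in interface_ips
    )


def find_proxied_rdp(lines, interface_ips=INTERFACE_IPS):
    """Return (srcip, dstip, dstport) for each firewall-originated RDP session."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_firewall_originated(f, interface_ips) and f.get("dstport") == "3389":
            hits.append((f["srcip"], f["dstip"], f["dstport"]))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_proxied_rdp(SAMPLE_LOGS):
        print("firewall-originated RDP from interface %s to %s:%s" % (src, dst, port))
```

The same check can be applied to a full local traffic log export; on the server side, the source to allow is the interface IP reported in srcip, not a client address.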

 

Note:

Starting from FortiOS v7.6.0, the SSL VPN feature is no longer available on FortiGate models with 2 GB RAM.
Starting from FortiOS v7.6.3, SSL VPN tunnel mode is no longer supported.

 

Related document:

SSL VPN tunnel mode replaced with IPsec VPN