FortiGate
nithincs
Staff & Editor
Article Id 193479

Description

This article describes the required configuration to allow SSL VPN clients to communicate with another SSL VPN client.

Scope

FortiGate.

Solution

This article assumes that the SSL VPN is already configured and functional. To allow client-to-client SSL VPN traffic, create a new policy as shown below.

[Screenshot Capture-3.PNG: firewall policy for SSL VPN client-to-client traffic]

  • Incoming Interface: ssl.root interface.
  • Outgoing Interface: ssl.root interface.
  • Source: All or SSL VPN client range (address object) and SSL VPN user group.
  • Destination: All or SSL VPN client range.
  • Schedule: Always.
  • Service: ALL.
  • Action: accept.
  • NAT: disabled.

If split tunnel is enabled in the SSL VPN, add the SSL-VPN client subnet to the routing address list in the respective SSL VPN portal.
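The same policy and split-tunnel routing entry, expressed as FortiOS CLI. This is an added example and not configuration from the original article. The object names are assumptions: SSLVPN_TUNNEL_ADDR1 is the default SSL VPN address pool object, sslvpn-users is the user group assigned to the portal, full-access is the portal name, and the policy name is arbitrary. Substitute the names used in the existing SSL VPN configuration.

```fortios
# Added example (not from the article): client-to-client policy on the
# ssl.root interface. Object names are assumptions; use the ones already
# referenced by the SSL VPN settings and portal.
config firewall policy
    edit 0
        set name "SSLVPN-client-to-client"
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# Only needed when split tunneling is enabled in the portal: add the SSL VPN
# client subnet to the routing address list so that traffic destined to the
# other clients is sent into the tunnel instead of the local default route.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        append split-tunneling-routing-address "SSLVPN_TUNNEL_ADDR1"
    next
end
```

Restricting the source and destination to the SSL VPN address pool (rather than "all") and binding the policy to the SSL VPN user group keeps the policy from matching anything other than authenticated tunnel clients; set logtraffic all so that the session is visible in the forward traffic log while testing.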


After making the changes, test the SSL VPN client-to-client communication. Ensure that the Windows firewall on each client allows this traffic; if it does not, either add an exception to the Windows firewall or disable it, otherwise the communication between the clients will not work.

If the issue is not resolved, open a support ticket using the Fortinet Support Portal and include the following details:

  • FortiGate configuration file.
  • The output of the following commands from the SSL VPN client machine(s):

ipconfig /all
route print
tracert <remote sslvpn client>

  • Run the following debug commands on the FortiGate over an SSH session and attach the output to the ticket as a text file:

diagnose debug reset
diagnose debug flow filter addr x.x.x.x    <----- Replace x.x.x.x with the source SSL VPN client IP.
diagnose debug flow filter proto 1    <----- Protocol 1 is ICMP, which matches the ping test described below.

diagnose debug flow trace start 10000
diagnose debug enable

  • After running the commands, initiate the ping from the client PC to the other client PC.
  • After capturing the output, disable the debug processes with the following commands:

diagnose debug reset
diagnose debug disable

Note:

In FortiOS v7.6.3 and above, SSL VPN tunnel mode is not supported for any FortiGate model. In these firmware versions, SSL VPN web mode is renamed to 'Agentless VPN'. If SSL VPN is in use for remote access, it is strongly recommended to migrate to IPsec VPN before upgrading to a firmware version that removes support for SSL VPN tunnel mode.