anignan
Article Id 287659
Description This article explains why SSL VPN does not work when FortiGate is operating in NGFW policy-based mode and which configuration is missing.
Scope FortiGate.
Solution

When FortiGate is operating in NGFW policy-based mode, SSL VPN may not work even though it is configured under SSL VPN settings and a security policy allows the traffic. A sniffer capture shows that the TCP three-way handshake does not complete.
Running 'diag sys tcpsock | grep ssl' also shows that the SSL VPN process is not listening. This indicates that some configuration is missing for the SSL VPN.

SSL VPN debugs show no output at all. However, a debug flow filtered on the public IP address of the test PC and the SSL VPN port number shows the error 'iprope_in_check() check failed on policy 0, drop':

 

Debug flow commands:

diagnose debug reset
diag debug flow show function-name enable
diagnose debug flow filter addr x.x.x.x <----- Replace x.x.x.x with the public IP address of the SSL VPN user PC.
diagnose debug flow filter port zzzz    <----- Replace zzzz with the SSL VPN port number.
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

 

To stop the debugs:

diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset

 

Debug flow output:

2024-12-23 18:15:36 id=65308 trace_id=1 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, x.x.x.x:55795->y.y.y.y:zzzz) tun_id=0.0.0.0 from port1. flag [S], seq 3180712052, ack 0, win 65535"
2024-12-23 18:15:36 id=65308 trace_id=1 func=init_ip_session_common line=6047 msg="allocate a new session-00a7d620"
2024-12-23 18:15:36 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-12-23 18:15:36 id=65308 trace_id=1 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"

 

In policy-based NGFW mode, an SSL inspection policy for the SSL VPN traffic is also required under Policy & Objects -> SSL Inspection & Authentication; without it, sslvpnd will not start and the local-in check drops the connection on policy 0.


CLI:

firewall # config firewall policy
firewall # edit 1
firewall # set srcintf ssl.root
firewall # set dstintf port5
firewall # set srcaddr all
firewall # set dstaddr Internal
firewall # set service ALL
firewall # set groups "SSLVPN"
firewall # end


Note:

  • The command 'config firewall policy' is different from 'config firewall security-policy'.
  • Make sure that the user group for the SSL VPN is included in the SSL Inspection & Authentication Policy.
  • Similarly, for agentless VPN (starting with FortiOS 7.6.3), select the agentless VPN interface and the SSL VPN user group in the SSL Inspection & Authentication policy.

 

If the user or user group is included in the security policy but not in the SSL Inspection & Authentication Policy, the client still receives a 'Permission Denied' error when attempting to establish the SSL VPN connection, even though authentication itself succeeds.

The following debug logs are seen when the issue happens:


[309:root:39ff]sslvpn_authenticate_user:193 authenticate user: [testuser]
[309:root:39ff]sslvpn_authenticate_user:211 create fam state
[309:root:39ff]fam_auth_send_req:959 clear local user flag and do authentication again.
[309:root:39ff][fam_auth_send_req_internal:430] Groups sent to FNBAM:
[309:root:39ff]group_desc[0].grpname = SSLVPN
[309:root:39ff][fam_auth_send_req_internal:442] FNBAM opt = 0X300421
local auth is done with user 'testuser', ret=1
[309:root:39ff]fam_auth_send_req_internal:518 fnbam_auth return: 1
[309:root:39ff][fam_auth_send_req_internal:544] Authenticated groups (1) by FNBAM with auth_type (1):
[309:root:39ff]Received: auth_rsp_data.grp_list[0] = 0
[309:root:39ff]fam_auth_send_req:1019 task finished with 1
[309:root:39ff]login_failed:405 user[testuser],auth_type=1 failed [sslvpn_login_permission_denied]
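The two symptoms described above (the debug flow local-in drop on policy 0, and the sslvpnd 'permission denied' after a successful authentication) can be picked out of captured debug output automatically. The following triage script is an added example, not part of the Fortinet article or FortiOS; it parses the same debug flow and sslvpnd line formats shown on this page, and the sample lines, addresses and port 10443 are constructed for the example.

```python
import re

# Constructed sample lines in the formats shown above (addresses and port are placeholders).
FLOW_SAMPLE = """\
2024-12-23 18:15:36 id=65308 trace_id=1 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:55795->198.51.100.1:10443) tun_id=0.0.0.0 from port1. flag [S], seq 3180712052, ack 0, win 65535"
2024-12-23 18:15:36 id=65308 trace_id=1 func=init_ip_session_common line=6047 msg="allocate a new session-00a7d620"
2024-12-23 18:15:36 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-12-23 18:15:36 id=65308 trace_id=1 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"
"""
SSLVPN_SAMPLE = """\
[309:root:39ff]sslvpn_authenticate_user:193 authenticate user: [testuser]
[309:root:39ff]fam_auth_send_req_internal:518 fnbam_auth return: 1
[309:root:39ff]login_failed:405 user[testuser],auth_type=1 failed [sslvpn_login_permission_denied]
"""

# Debug flow lines are key=value pairs followed by a quoted msg; the packet 5-tuple sits inside msg.
FLOW_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)')
LOCALIN_DROP = "iprope_in_check() check failed on policy 0, drop"
LOGIN_FAIL_RE = re.compile(r'login_failed:\d+ user\[(?P<user>[^\]]+)\],auth_type=\d+ failed \[(?P<reason>[^\]]+)\]')


def parse_flow(text):
    """Group debug flow lines by trace_id, keeping the first packet detail and the local-in verdict."""
    traces = {}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["trace"], {"packet": None, "verdict": None})
        if m["func"] == "print_pkt_detail" and (p := PKT_RE.search(m["msg"])):
            t["packet"] = p.groupdict()
        elif m["func"] == "fw_local_in_handler":
            t["verdict"] = m["msg"]
    return traces


def triage_flow(text, sslvpn_port):
    """Report every trace where a packet to the SSL VPN port was dropped by local-in policy 0."""
    findings = []
    for trace, t in parse_flow(text).items():
        pkt = t["packet"]
        if pkt and int(pkt["dport"]) == sslvpn_port and t["verdict"] == LOCALIN_DROP:
            findings.append(f"trace {trace}: {pkt['src']} -> {pkt['dst']}:{pkt['dport']} dropped on policy 0 "
                            "(no SSL Inspection & Authentication policy for SSL VPN; sslvpnd not listening)")
    return findings


def triage_sslvpn(text):
    """Return (user, reason) for each failed login; 'sslvpn_login_permission_denied' after a
    successful fnbam_auth points at the user group missing from the inspection policy."""
    return [(m["user"], m["reason"]) for m in map(LOGIN_FAIL_RE.search, text.splitlines()) if m]
```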

 

Related document:

Profile-based NGFW vs policy-based NGFW