ekrishnan
Staff
Article Id 303767
Description This article describes how to allow an SSL VPN listening port in a policy-based NGFW Mode.
Scope FortiGate, Central SNAT, Policy-Based NGFW Mode.
Solution

On a FortiGate in Policy-Based NGFW Mode, an SSL Inspection and Authentication rule must be in place before the SSL VPN listening port is opened.

Below is an example without the SSL Inspection and Authentication rule:

  1. A Security Policy is configured to allow the VPN connection:

  2. The SSL VPN settings use port 20443 as the listening port:

  • When checking the Local-in Policy for port 20443, the port should be shown in the list, but in the example below it is not seen:

  • Because of this, the SSL VPN login page does not show up when accessing via web mode, and a tunnel-mode FortiClient VPN cannot be established, since the port is not in the listening state (it is not allowed yet).

Solution:

Create an SSL Inspection and Authentication rule for the SSL VPN interface and place it below the Default rule, as shown below:

  • It is now possible to see the port being allowed in the Local In Policy:

  • The SSL VPN login page listening on port 20443:
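To confirm from the client side that the listener really came up after the rule was added (and to reproduce the "port not in listening state" symptom before it), the following probe is an added example, not part of the Fortinet article. It assumes the SSL VPN port 20443 from the article, that the web-mode login page is served at `/remote/login`, and uses a placeholder address for the FortiGate.

```python
"""Probe a FortiGate SSL VPN listener and classify what it does.

Added example (not from the article). Assumptions: port 20443 as in the
article, the login page path "/remote/login", and a placeholder target host.
Usage: python3 sslvpn_probe.py <fortigate-ip> [port]
"""
import socket
import ssl
import sys


def probe_sslvpn(host: str, port: int = 20443, timeout: float = 5.0) -> dict:
    """Return {'host','port','state','http_status'} for the listener.

    state:
      'closed'    - TCP connect refused or timed out: the port is not in the
                    listening state (the symptom when the SSL Inspection and
                    Authentication rule is missing and local-in drops it)
      'no-tls'    - TCP accepted but the TLS handshake failed
      'listening' - TLS completed; http_status is the code for /remote/login
    """
    result = {"host": host, "port": port, "state": "closed", "http_status": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable or timed out
        return result
    # Certificate validation is disabled on purpose: the factory SSL VPN
    # certificate is self-signed and this probe tests reachability, not trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        result["state"] = "no-tls"
        return result
    result["state"] = "listening"
    try:
        tls.sendall(f"GET /remote/login HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        status_line = tls.recv(64).split(b"\r\n", 1)[0]  # e.g. b"HTTP/1.1 200 OK"
        result["http_status"] = int(status_line.split()[1])
    except (OSError, ValueError, IndexError):
        pass  # TLS came up but no parsable HTTP status; leave it as None
    finally:
        tls.close()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    print(probe_sslvpn(target, int(sys.argv[2]) if len(sys.argv) > 2 else 20443))
```

A result of `'closed'` against the FortiGate's outside address on 20443 is exactly what the Local In Policy screenshot above predicts before the rule exists; `'listening'` with status 200 matches the login page appearing afterwards.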