FortiGate
Rosalyn
Staff
Article Id 230731
Description

This article describes why a firewall policy shows 0 bytes when traffic reaches it through an SSL VPN web mode connection.

Scope

FortiGate.
Solution

After connecting to SSL VPN web mode, no traffic appears to hit the firewall policy and the policy shows 0 bytes.

 

In the test case, a user successfully connects over RDP to a Windows server through SSL VPN web mode.

 

[Screenshot: RDP session to the Windows server established through SSL VPN web mode]

 

However, firewall policy ID 8 shows 0 bytes.

 

[Screenshot: firewall policy ID 8 showing 0 bytes]

 

 

To view the sessions list:

 

diagnose sys session list

 

To enable SSL VPN debug:

 

diagnose debug application sslvpn -1

diagnose debug enable

 

The firewall session for the RDP connection shows it hitting policy 0 rather than policy 8:

 

session info: proto=6 proto_state=01 duration=465 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=79720/1279/1 reply=888110/1581/1 tuples=2
tx speed(Bps/kbps): 171/1 rx speed(Bps/kbps): 1908/15
orgin->sink: org out->post, reply pre->in dev=0->5/5->13 gwy=0.0.0.0/10.211.1.237
hook=out dir=org act=noop 10.211.1.237:4782->10.211.1.157:3389(0.0.0.0:0)
hook=in dir=reply act=noop 10.211.1.157:3389->10.211.1.237:4782(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000193e0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason:  local
total session 1

 

 

This is expected behavior. SSL VPN web mode works differently from tunnel mode: the user's connection terminates on the FortiGate (the SSL VPN policy check sees the user's public IP as the source), and the FortiGate then opens its own connection to the internal host. No traffic is sourced from an SSL VPN tunnel address, so nothing is forwarded through the policy that matches ssl.root.

When an intranet resource (a web page or, as in this case, an RDP server) is accessed via SSL VPN web mode, the traffic is proxied by the FortiGate.

Policy 8 (from ssl.root to the RDP destination 10.211.1.157) is still required: the SSL VPN policy check consults it to decide whether the logged-in user may reach the destination, even though the proxied session itself is not counted against it.

 

In the SSL VPN debug output, the policy check for the web session is visible:

 

[14132:root:155]sslvpn_policy_match:2626 checking web session
[14132:root:155]remote_ip=[192.168.244.16], user=[test], iif=3, auth=1, dsthost=[10.211.1.157], portal=[SSLvpn_web_mode] realm=[(null)], dst=10.211.1.157, dport=3389, service=[rdp]

 

Once the SSL VPN login has succeeded, the FortiGate opens the RDP connection from its LOCAL interface IP address 10.211.1.237 instead of from the user's public IP 192.168.244.16. Traffic originated by the FortiGate itself does not traverse a firewall policy, which is why the session shows policy_id=0 (with state and no_ofld_reason marked local) and why policy 8 keeps counting 0 bytes.

 

Hence the whole path is: 192.168.244.16 --> FortiGate (local interface 10.211.1.237) --> 10.211.1.157.
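The session dump and the sslvpn_policy_match line above carry everything needed to tell a proxied web mode session apart from one that would be counted on policy 8. The following Python script is an added example, not part of this article or of any Fortinet tooling: it parses a `diagnose sys session list` entry and the SSL VPN debug line, classifies the session as local (FortiGate-originated) or forwarded (policy-matched), and prints the real path of the connection. The web mode session and the debug line are copied from this article; the tunnel mode session entry is constructed for contrast and its field values are illustrative only.

```python
import re

# Session entry as printed in the article above (SSL VPN web mode RDP proxy
# session: policy_id=0, marked "local").
WEB_MODE_SESSION = """session info: proto=6 proto_state=01 duration=465 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local
statistic(bytes/packets/allow_err): org=79720/1279/1 reply=888110/1581/1 tuples=2
tx speed(Bps/kbps): 171/1 rx speed(Bps/kbps): 1908/15
orgin->sink: org out->post, reply pre->in dev=0->5/5->13 gwy=0.0.0.0/10.211.1.237
hook=out dir=org act=noop 10.211.1.237:4782->10.211.1.157:3389(0.0.0.0:0)
hook=in dir=reply act=noop 10.211.1.157:3389->10.211.1.237:4782(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000193e0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason:  local
"""

# CONSTRUCTED (not from the article): the shape a tunnel mode RDP session would
# take, sourced from an SSL VPN tunnel address and matched by policy 8. Values
# are illustrative; real output carries more fields.
TUNNEL_MODE_SESSION = """session info: proto=6 proto_state=01 duration=30 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
statistic(bytes/packets/allow_err): org=12000/150/1 reply=90000/200/1 tuples=2
hook=pre dir=org act=noop 10.212.134.200:50000->10.211.1.157:3389(0.0.0.0:0)
hook=post dir=reply act=noop 10.211.1.157:3389->10.212.134.200:50000(0.0.0.0:0)
misc=0 policy_id=8 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
"""

# The sslvpn_policy_match line from the article's debug output.
SSLVPN_DEBUG = ("[14132:root:155]remote_ip=[192.168.244.16], user=[test], iif=3, auth=1, "
                "dsthost=[10.211.1.157], portal=[SSLvpn_web_mode] realm=[(null)], "
                "dst=10.211.1.157, dport=3389, service=[rdp]")

IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
ORG_HOOK = re.compile(r"hook=\w+ dir=org act=\w+ " + IP_PORT + "->" + IP_PORT)


def parse_session(text):
    """Extract the fields that answer the 0-byte question from one session entry."""
    policy = re.search(r"\bpolicy_id=(\d+)", text)
    org = ORG_HOOK.search(text)
    if not policy or not org:
        raise ValueError("not a recognizable session entry")
    # 'state=... local' and 'no_ofld_reason: local' both mark traffic that the
    # FortiGate itself originated or terminated (local-in / local-out).
    local = bool(re.search(r"^state=.*\blocal\b", text, re.M)) or \
        bool(re.search(r"^no_ofld_reason:.*\blocal\b", text, re.M))
    stats = re.search(r"org=(\d+)/\d+/\d+ reply=(\d+)/\d+/\d+", text)
    return {
        "policy_id": int(policy.group(1)),
        "src": org.group(1), "sport": int(org.group(2)),
        "dst": org.group(3), "dport": int(org.group(4)),
        "local": local,
        "org_bytes": int(stats.group(1)) if stats else 0,
        "reply_bytes": int(stats.group(2)) if stats else 0,
    }


def classify(sess):
    """'local' sessions never accrue bytes to a firewall policy; 'forwarded' ones do."""
    if sess["policy_id"] == 0 and sess["local"]:
        return "local"
    return "forwarded"


def parse_sslvpn_debug(line):
    """Turn the key=[value] / key=value pairs of an sslvpn_policy_match line into a dict."""
    out = {}
    for m in re.finditer(r"(\w+)=\[([^\]]*)\]|(\w+)=([^,\s]+)", line):
        if m.group(1):
            out[m.group(1)] = m.group(2)
        else:
            out[m.group(3)] = m.group(4)
    return out


def explain(sess, dbg):
    """Real path of a web mode connection: client -> FortiGate (proxy) -> internal host."""
    return "%s --> FortiGate (%s, policy_id=%d, %s) --> %s:%d" % (
        dbg.get("remote_ip", "?"), sess["src"], sess["policy_id"],
        classify(sess), sess["dst"], sess["dport"])


if __name__ == "__main__":
    dbg = parse_sslvpn_debug(SSLVPN_DEBUG)
    for name, raw in (("web mode", WEB_MODE_SESSION), ("tunnel mode", TUNNEL_MODE_SESSION)):
        s = parse_session(raw)
        print("%-11s %-9s org=%d reply=%d  %s" % (name, classify(s), s["org_bytes"],
                                                  s["reply_bytes"], explain(s, dbg)))
```

Run against a real `diagnose sys session list` dump, one entry at a time, the script flags every proxied web mode connection as local; those bytes show up in the session table but never on the ssl.root policy, whereas the constructed tunnel mode entry is reported as forwarded on policy 8.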