FortiGate
dbhavsar
Staff
Article Id 232277

Description

 

This article explains how to fix an issue where an SSL VPN user receives a 'Permission denied' error while trying to log in to FortiGate.

 

Scope

 

FortiGate v6 and later with an SSL VPN.

 

Solution

 

When logging in, a user may receive the following error:

 

[Image: dbhavsar_0-1670258088607.png]

 

This occurs if the user has not been correctly added to the permission policy.

 

The following debug logs are seen when the user has not been added to the policy:

 

2022-12-05 08:40:26 [15453:root:82]sslvpn_authenticate_user:191 authenticate user: [dhrumit]

2022-12-05 08:40:26 [15453:root:82]sslvpn_authenticate_user:205 create fam state

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req:947 clear local user flag and do authentication again.

2022-12-05 08:40:26 [15453:root:82][fam_auth_send_req_internal:426] Groups sent to FNBAM:

2022-12-05 08:40:26 [15453:root:82][fam_auth_send_req_internal:438] FNBAM opt = 0X200401

2022-12-05 08:40:26 invalid auth params for user 'dhrumit'

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req_internal:514 fnbam_auth return: 5

2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req:1007 task finished with 5

2022-12-05 08:40:26 [15453:root:82]login_failed:393 user[dhrumit],auth_type=1 failed [sslvpn_login_unknown_user]

2022-12-05 08:40:26 [15453:root:0]dump_one_blocklist:94 status=1;host=172.25.181.92;fails=1;logintime=1670247625

2022-12-05 08:40:26 [15453:root:82]req: /remote/login?&err=sslvpn_login_permissi

2022-12-05 08:40:26 [15453:root:82]rmt_web_auth_info_parser_common:504 no session id in auth info

 

The following debug logs are seen when the user has been added to the policy:

 

2022-12-05 08:43:41 [15453:root:96]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],realm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info=[]

2022-12-05 08:43:41 [15453:root:96]def: 0x30e22b0 /api/v2/static/fweb_build.json

2022-12-05 08:43:41 [15453:root:96]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],realm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info=[]

2022-12-05 08:43:41 [15453:root:93]req: /remote/portal?access=admin

2022-12-05 08:43:41 [15453:root:93]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],realm=[],csrf_token=[C7C6AFB79EE75B3FC3DA2B6EC447D9],idx=0,auth=1,sid=48b8ffbb,login=1670247821,access=1670247821,saml_logout_url=no,pip=no,grp_info=[yaeKsH],rmt_grp_info=[]
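
The two captures above can be told apart mechanically when reviewing a longer debug session. The following Python is an added example, not part of the original article or any Fortinet tooling: it flags the failing pattern (an empty 'Groups sent to FNBAM:' line followed by login_failed with sslvpn_login_unknown_user on the same connection tag) and reports successful session decodes. The function name, verdict strings and the choice to treat the empty group list as part of the signature are assumptions drawn from these captures; the sample lines are copied from them with wrapped lines rejoined.

```python
import re

# Sample lines copied from the two debug captures in this article.
SAMPLE = """\
2022-12-05 08:40:26 [15453:root:82]sslvpn_authenticate_user:191 authenticate user: [dhrumit]
2022-12-05 08:40:26 [15453:root:82][fam_auth_send_req_internal:426] Groups sent to FNBAM:
2022-12-05 08:40:26 invalid auth params for user 'dhrumit'
2022-12-05 08:40:26 [15453:root:82]fam_auth_send_req_internal:514 fnbam_auth return: 5
2022-12-05 08:40:26 [15453:root:82]login_failed:393 user[dhrumit],auth_type=1 failed [sslvpn_login_unknown_user]
2022-12-05 08:40:26 [15453:root:0]dump_one_blocklist:94 status=1;host=172.25.181.92;fails=1;logintime=1670247625
2022-12-05 08:43:41 [15453:root:96]deconstruct_session_id:716 decode session id ok, user=[dhrumit], group=[],authserver=[],portal=[full-access],host[172.25.181.92],realm=[]
"""

LINE = re.compile(r"^(\S+ \S+) \[(\d+:\w+:\w+)\](.*)$")   # timestamp, [pid:vdom:idx] tag, rest
GROUPS = re.compile(r"Groups sent to FNBAM:\s*(.*)$")
FAILED = re.compile(r"login_failed:\d+ user\[([^\]]*)\],auth_type=\d+ failed \[(\w+)\]")
DECODED = re.compile(r"decode session id ok, user=\[([^\]]*)\].*?portal=\[([^\]]*)\]")

def triage(text):
    """Return (timestamp, user, verdict) tuples in log order (hypothetical helper)."""
    groups_by_conn = {}   # connection tag -> group list sent to FNBAM
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue      # untagged lines ("invalid auth params ...") are skipped
        ts, conn, body = m.groups()
        if g := GROUPS.search(body):
            groups_by_conn[conn] = g.group(1).strip()
        elif f := FAILED.search(body):
            user, reason = f.groups()
            # Signature from the failing capture: group list was logged and is empty.
            no_groups = groups_by_conn.get(conn) == ""
            if reason == "sslvpn_login_unknown_user" and no_groups:
                verdict = "denied: not-in-policy pattern"
            else:
                verdict = f"denied: {reason}"
            events.append((ts, user, verdict))
        elif d := DECODED.search(body):
            user, portal = d.groups()
            events.append((ts, user, f"ok: portal={portal}"))
    return events

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(*event, sep="  ")
```

A "denied: not-in-policy pattern" verdict points at the fix described in this article; any other denial reason is reported as logged and needs separate investigation.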

 

To solve this issue, allow the user in the SSL VPN policy:

 

[Image: dbhavsar_1-1670258104764.png]

 

The login will succeed afterwards:

 

[Image: dbhavsar_2-1670258104767.png]
