FortiGate
saleha
Staff
Article Id 339284
Description

SSL VPN connections can be blocked by the FortiGate for different reasons, depending on the configuration and the restrictions in place.

This article describes how to resolve cases where an SSL VPN connection is attempted but is blocked by the local-in policy, even though the SSL VPN setup is configured and enabled. In this scenario, the FortiGate is expected to open the port configured for the SSL VPN: either the default 443 or the port the admin defines in the SSL VPN settings.

Scope
FortiGate, SSL VPN.
Solution
  • SSL VPN requires a firewall policy to allow traffic to complete the tunnel setup and to let VPN users access resources, but that is not the policy's only purpose.
  • The FortiGate also requires a firewall policy whose source interface is ssl.root (or ssl.<vdom-name> when the SSL VPN runs in a different VDOM) in order to unblock the port that SSL VPN uses to establish the connection in the default 'local-in policy'. Without such a policy, the port stays closed even though the SSL VPN settings are enabled.
  • This can be detected by first enabling the local-in policy page in the GUI under System -> Feature visibility.
  • After enabling that option, the page can be accessed from Policy & Objects -> Local-in policy, where it will be visible whether the SSL VPN port is listed or missing.
Another way to determine this is to check the Log & report -> Local traffic page. Here, the VPN connection requests can be seen being 'denied' by policy 0, the implicit deny.

Running debug flow will also show that the SSL VPN connection is dropped by the iprope check (local-in policy).
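As an added example (not from the original article), the CLI equivalent of the fix above: the firewall policy from the SSL VPN tunnel interface that clears the SSL VPN port from the implicit local-in deny, followed by the debug flow session used to confirm the drop before and the accept after. Interface names (port1 as the SSL VPN listener, port2 as LAN), the user group "SSLVPN-Users" and the client address 203.0.113.10 are assumptions.

```fortios
# Example added here, not the article's own configuration. Assumptions:
# port1 = WAN (SSL VPN listener), port2 = LAN, "SSLVPN-Users" = an existing
# user group, port 443 = SSL VPN port. For a non-root VDOM, replace
# ssl.root with ssl.<vdom-name>.

# 1. SSL VPN listener (already enabled in the scenario the article describes)
config vpn ssl settings
    set port 443
    set source-interface "port1"
    set source-address "all"
    set default-portal "full-access"
end

# 2. Firewall policy with the SSL VPN tunnel interface as source. Its presence
#    is what opens the SSL VPN port in the implicit local-in policy; without it
#    the connection attempts are logged as denied by policy 0 (implicit deny).
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. Verify with debug flow while a client connects from 203.0.113.10
#    (constructed sample address). Before the policy exists the trace ends
#    with an iprope_in_check() failure on policy 0; after it, the local-in
#    check passes and the SSL VPN handshake proceeds.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... reproduce the client connection, then stop the trace:
diagnose debug disable
diagnose debug reset
```

Check Policy & Objects -> Local-in policy after step 2: the SSL VPN port should now appear in the list for the listener interface.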

[Screenshot: local-in-policy.PNG]