nithincs
Staff
Article Id 366060
Description: This article describes how to make SSL VPN work on a FortiGate running in Policy-based NGFW mode.
Scope: FortiGate.
Solution

Generally, SSL VPN is configured on a FortiGate as described in the following document:

SSL VPN full tunnel for remote user
https://video.fortinet.com/products/fortigate/7.2/ssl-vpn-full-tunnel-setup-for-remote-users

 

After SSL VPN has been configured as shown below, the FortiGate is expected to start the sslvpnd process.

 

[Screenshots of the SSL VPN configuration: Capturesslpvn2.JPG, Capturesslpvn1.JPG]

 

The following command checks whether sslvpnd is running; it prints the process ID when it is:

 

xenon-kvm133 # dia sys process pidof sslvpnd
2474


However, on a FortiGate running in Policy-based NGFW mode, this configuration alone does not start sslvpnd, so users are unable to connect to the SSL VPN. The same command returns nothing:

 

xenon-kvm133 # dia sys process pidof sslvpnd

 

xenon-kvm133 #

 

This is because a FortiGate in Policy-based NGFW mode has two kinds of policy:

  1. Security policy (configurable from GUI).
  2. Firewall policy (only configurable from CLI).

 

For SSL VPN to work on a FortiGate running in Policy-based NGFW mode, a firewall policy must also be configured, with the SSL VPN interface as the source interface and the SSL VPN user group as the authenticated group, for example:

 

config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set groups "Ldap_auth_vpnusers"
    next
end

 

Either a single general firewall policy that references every user group used in the SSL VPN authentication rules, so that it matches all SSL VPN users, or a separate firewall policy per user group can be created.

 

Once the firewall policy for the SSL VPN user group has been configured, the sslvpnd process starts:

 

xenon-kvm133 # dia sys process pidof sslvpnd
2832
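As an added example, not from this article or from Fortinet, the following Python script checks the prerequisite described above offline: it parses the output of `show vpn ssl settings` and `show firewall policy` and reports every SSL VPN authentication-rule group that no firewall policy with srcintf ssl.root references. The configuration text is constructed for the example, and the function names are mine.

```python
import shlex

# Constructed sample (not from a real device): two SSL VPN authentication rules,
# but only one of their groups is referenced by a firewall policy on ssl.root.
SAMPLE_CONFIG = """
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Ldap_auth_vpnusers"
        next
        edit 2
            set groups "Contractors"
        next
    end
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "any"
        set groups "Ldap_auth_vpnusers"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Nest FortiOS 'config/edit/set/next/end' text into dicts; 'set' values become lists."""
    stack = [{}]
    for raw in text.splitlines():
        words = shlex.split(raw)  # honours the CLI's double-quoted values
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]  # multi-value srcintf/groups stay intact
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]


def uncovered_sslvpn_groups(text: str, ssl_intf: str = "ssl.root") -> list:
    """SSL VPN authentication-rule groups with no firewall policy whose srcintf is ssl_intf."""
    cfg = parse_fortios(text)
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    wanted = {g for r in rules.values() for g in r.get("groups", [])}
    covered = {g for p in cfg.get("firewall policy", {}).values()
               if ssl_intf in p.get("srcintf", []) for g in p.get("groups", [])}
    return sorted(wanted - covered)  # on the sample: ["Contractors"]
```

Any group the function returns will not get sslvpnd started for it in Policy-based NGFW mode until a matching firewall policy is added.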

 

Note:

From v7.6.0, FortiGate with 2GB of memory no longer supports SSL VPN.