The user's firewall policy is configured as below:
Split-tunneling in the SSL VPN portal is disabled so that the user's internet traffic is forwarded via FortiGate:
Once the VPN is connected, the user PC's routing table is updated with FortiGate as the internet gateway.
However, the user is not able to reach the internet through FortiGate:
C:\Users\Administrator>ping 54.177.212.176

Pinging 54.177.212.176 with 32 bytes of data:
Request timed out.

Ping statistics for 54.177.212.176:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Validating with the debug flow filter and the sniffer shows that the traffic egresses FortiGate via port1 after matching policy ID 1. Although FortiGate allows the traffic, no SNAT is applied to the internet traffic:

xenon-kvm133 # id=65308 trace_id=2 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->54.177.212.176:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=24."
id=65308 trace_id=2 func=init_ip_session_common line=6047 msg="allocate a new session-00020dfe"
id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-10.5.191.254 via port1"
id=65308 trace_id=2 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=2 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"   <----- Matching Policy ID 1 but SNAT is not applied.
id=65308 trace_id=2 func=ip_session_confirm_final line=3110 msg="npu_state=0x100, hook=4"

xenon-kvm133 # dia sniffer packet any "host 54.177.212.176" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 54.177.212.176]
2024-12-21 15:00:37.262697 ssl.root in 10.212.134.200 -> 54.177.212.176: icmp: echo request
2024-12-21 15:00:37.262720 port1 out 10.212.134.200 -> 54.177.212.176: icmp: echo request
As a result, the source IP of the packet forwarded by FortiGate remains the SSL VPN client IP, which may not be routable by the ISP router. When Central SNAT is enabled, an SNAT mapping must exist for the SSL VPN internet policy; without it the policy allows the traffic but does not translate the source address.
After creating the SNAT rule as shown below, the SSL VPN client is able to reach the internet via FortiGate.

config firewall central-snat-map
    edit 3
        set uuid 3c058f88-bfa5-51ef-ac7b-ba0a995c8816
        set srcintf "ssl.root"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end
xenon-kvm133 # id=65308 trace_id=5 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->54.177.212.176:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=27."
id=65308 trace_id=5 func=init_ip_session_common line=6047 msg="allocate a new session-0002435f"
id=65308 trace_id=5 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-10.5.191.254 via port1"
id=65308 trace_id=5 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=5 func=get_new_addr line=1213 msg="find DNAT: IP-10.5.144.165, port-60418"
id=65308 trace_id=5 func=fw_forward_handler line=990 msg="Allowed by Policy-1: SNAT"   <----- Matching Policy ID 1 and SNAT is applied.
id=65308 trace_id=5 func=ip_session_confirm_final line=3110 msg="npu_state=0x100, hook=4"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3442 msg="SNAT 10.212.134.200->10.5.144.165:60418"

xenon-kvm133 # dia sniffer packet any "host 54.177.212.176" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 54.177.212.176]
2024-12-21 15:11:21.703319 ssl.root in 10.212.134.200 -> 54.177.212.176: icmp: echo request
2024-12-21 15:11:21.703365 port1 out 10.5.144.165 -> 54.177.212.176: icmp: echo request
2024-12-21 15:11:21.857196 port1 in 54.177.212.176 -> 10.5.144.165: icmp: echo reply
2024-12-21 15:11:21.857253 ssl.root out 54.177.212.176 -> 10.212.134.200: icmp: echo reply
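The check above can be automated when reviewing a captured debug flow trace and sniffer output. The script below is an added example, not part of this article or of FortiOS: it parses the trace for the "Allowed by Policy-N" verdict and the "SNAT a->b:port" mapping, and flags egress packets whose source is still an address from the SSL VPN client pool (the /24 pool and the sample lines are constructed from the values shown above).

```python
import ipaddress
import re

# Sample text constructed from the trace and sniffer output shown in this article.
FLOW_NO_SNAT = 'id=65308 trace_id=2 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"'
FLOW_SNAT = (
    'id=65308 trace_id=5 func=fw_forward_handler line=990 msg="Allowed by Policy-1: SNAT"\n'
    'id=65308 trace_id=5 func=__ip_session_run_tuple line=3442 msg="SNAT 10.212.134.200->10.5.144.165:60418"'
)
SNIFF_NO_SNAT = (
    "2024-12-21 15:00:37.262697 ssl.root in 10.212.134.200 -> 54.177.212.176: icmp: echo request\n"
    "2024-12-21 15:00:37.262720 port1 out 10.212.134.200 -> 54.177.212.176: icmp: echo request"
)
SNIFF_SNAT = (
    "2024-12-21 15:11:21.703319 ssl.root in 10.212.134.200 -> 54.177.212.176: icmp: echo request\n"
    "2024-12-21 15:11:21.703365 port1 out 10.5.144.165 -> 54.177.212.176: icmp: echo request"
)

MSG_RE = re.compile(r'trace_id=(\d+).*?msg="([^"]*)"')
POLICY_RE = re.compile(r"Allowed by Policy-(\d+):(.*)")
SNAT_RE = re.compile(r"SNAT (\S+)->(\S+):(\d+)")
SNIFF_RE = re.compile(r"(\S+) (in|out) (\S+) -> (\S+): ")


def flow_verdict(trace_text):
    """Per trace_id: matched policy, whether the verdict carried 'SNAT', and the mapping."""
    out = {}
    for line in trace_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        tid, msg = m.groups()
        entry = out.setdefault(tid, {"policy": None, "snat": False, "map": None})
        pm = POLICY_RE.search(msg)
        if pm:  # 'Allowed by Policy-1:' (no SNAT) vs 'Allowed by Policy-1: SNAT'
            entry["policy"] = int(pm.group(1))
            entry["snat"] = "SNAT" in pm.group(2)
        sm = SNAT_RE.match(msg)
        if sm:  # 'SNAT <orig>-><translated>:<port>' emitted by __ip_session_run_tuple
            entry["map"] = f"{sm.group(1)}->{sm.group(2)}:{sm.group(3)}"
    return out


def leaked_egress(sniffer_text, egress_intf, vpn_pool):
    """Packets leaving egress_intf whose source is still an untranslated VPN client address."""
    pool = ipaddress.ip_network(vpn_pool)  # assumed pool covering the client IP in the trace
    return [m.group(3) for m in map(SNIFF_RE.search, sniffer_text.splitlines())
            if m and m.group(1) == egress_intf and m.group(2) == "out"
            and ipaddress.ip_address(m.group(3)) in pool]
```

Run `flow_verdict` and `leaked_egress` over a real trace and sniffer capture; a verdict with `snat` False combined with a non-empty leak list is the symptom described in this article.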