FortiSASE
Patterson
Staff
Article Id 333974
Description

 

This article describes how to perform an SSL VPN debug specific to a Point of Presence (PoP) in FortiSASE.

 

Scope

 

FortiSASE.

 

Solution

 

In FortiSASE, customer access to backend devices is limited, which restricts advanced troubleshooting capabilities. However, with the help of the 'FortiGate Support Tool,' some debugging tasks can still be performed. This guide focuses on SSL VPN debugging.

 

Prerequisites:

  1. Access to the FortiSASE portal.
  2. Chrome browser.
  3. Extension for the 'FortiGate Support Tool'.

 

Step 1:

Obtain the Turbo URL associated with the account. There are several ways to retrieve this URL:

  1. From the customer's FortiClient (FCT).
     

trubro-1.png

 

 

trubro-2.png

 

  2. Through the SASE Portal: navigate to Configuration -> Endpoints -> Profile -> Default.

     

    trubro-3.png

     

     

  3. By referring to this article: Technical Tip: How to select a specific POP for a FortiSASE VPN connection.

     

     

     

After obtaining the Turbo URL, perform an 'nslookup' on the client PC to get the CNAME, which indicates the specific PoP.

 

trubro-1.png

 

In the test case, the Turbo URL resolved to the Dubai PoP (see the SWG setting in FortiSASE below). The VPN event logs can also be checked for further verification.

 

trubro-4.png

 

 

VPN-Event.png

 

 

Step 2:

 

Log in to the FortiSASE portal. The 'FortiGate Support Tool' option will be shown as active.

 

By default, the leader PoP name will be visible. Select 'New Capture' to proceed.

 

support-tool-1.png

 

Here, it is necessary to add the preferred PoP and enable Daemon logging for 'sslvpnd'. Then, select 'Start Capture'. Perform the SSL VPN connection attempt from the client PC and wait for the connection to complete or for an error to be displayed.

 

 

support-tool-2.png

 

Afterward, stop the capture. The file will then be downloaded to the local PC.

 

Note: The debug runs on both PoPs (the leader PoP is selected by default), and there is no source IP filtering for the user's public IP.

 

Next, select the 'FortiGate Support Tool' extension and select 'View Existing Capture'. Choose the file that was downloaded.

Once uploaded, there will be the option to select the PoP and view the debug logs, which will assist in further troubleshooting.

 

support-tool-4.png
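
Since the capture has no source IP filter, the sslvpnd output is not limited to the test client. The following is an added example, not part of the original article or of Fortinet's tooling: it keeps only the sessions that mention the test client's public IP. It assumes the daemon log has been saved as plain text with the `[pid:vdom:index]` line prefix seen in FortiOS sslvpnd debug output; the function name and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: each debug line starts with "[pid:vdom:index]", the prefix
# FortiOS sslvpnd debug output uses to tie lines to one connection.
PREFIX = re.compile(r"^\[(\d+):([^:\]]+):([0-9a-fA-F]+)\]")

def sessions_for_ip(lines, client_ip):
    """Group lines by session prefix; keep sessions that mention client_ip."""
    # Boundaries stop 203.0.113.10 from matching inside 203.0.113.100.
    ip = re.compile(r"(?<![\d.])" + re.escape(client_ip) + r"(?!\.?\d)")
    by_session, matched = defaultdict(list), set()
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # no session prefix: cannot be attributed, so drop it
        key = m.groups()
        by_session[key].append(line.rstrip("\n"))
        if ip.search(line):
            matched.add(key)
    return {k: v for k, v in by_session.items() if k in matched}

# Constructed sample lines (documentation IP range), not from a real capture.
SAMPLE = [
    "[310:root:2a]allocSSLConn:312 sconn 0x7f10 (0:root)",
    "[310:root:2a]SSL state:before SSL initialization (203.0.113.10)",
    "[310:root:2b]SSL state:before SSL initialization (203.0.113.100)",
    "[310:root:2a]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384",
    "[310:root:2b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384",
    "[310:root:2a]sslvpn_authenticate_user:183 authenticate user: [testuser]",
    "[310:root:2b]sslvpn_authenticate_user:183 authenticate user: [otheruser]",
]

if __name__ == "__main__":
    for key, session in sessions_for_ip(SAMPLE, "203.0.113.10").items():
        print("session", ":".join(key))
        for line in session:
            print("  " + line)
```

Lines that carry the session prefix but not the IP (for example the authentication step) are kept because they share the index of a line that does.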

 

 

Related documents: 

Troubleshooting FortiSASE

SSL VPN and RDP disconnects