lokutus25
New Contributor

Unable to create a policy from ssl.root to a VIP Address in FortiOS 5.4

I have a VIP address that is available to my internal users. It's not linked to a specific interface (any), so the FortiGate listens on all the interfaces.

From the GUI I can't create a policy with source ssl.root and destination the VLAN where the VIP belongs; it gives an error.

Has anyone noticed this behavior? I was able to create such a policy in FortiOS 5.2.

Thanks for any feedback!

emnoc
Esteemed Contributor III

What is the error? Can you do it from the CLI? Was it working before 5.4?

 

Ken

PCNSE 

NSE 

StrongSwan  

lokutus25

Hi, the error is "Some changes failed to save". On FortiOS 5.2.X I can create a policy like this.

Thanks!

 

emnoc
Esteemed Contributor III

Try it from the command line and copy the configuration to this thread.

 

e.g.

 

config firewall policy
    edit 2092
        set uuid 4ba384b4-2acf-51e7-0625-d4a5431bbd04
        set srcintf "ssl.root"
        set dstintf "NETWORKRED01"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VIP_WEBSERVER01"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "PING"
    next
end

PCNSE 

NSE 

StrongSwan  

lokutus25

Hi, creating the policy via the CLI works. The only problem is that I can't use the "set groups" command to restrict access to the SSL VPN portal group, and this permits access to the VIP resource to all the SSL VPN portals (and users).

Anyway it works :)

 

Thanks
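
Added example (not part of any post in this thread, and not Fortinet tooling): a short Python audit of a saved configuration for the condition the last post describes, i.e. accept policies sourced from ssl.root that carry no `set groups` (or `set users`, treated here as an equivalent identity restriction) and therefore match every SSL VPN user. The sample config is constructed; policy 2092 abbreviates the one posted above, and policy 2093 with the group name WEB_PORTAL_USERS is hypothetical.

```python
import re

# Constructed sample: 2092 abbreviates the policy posted in the thread;
# 2093 and the group name WEB_PORTAL_USERS are hypothetical.
SAMPLE_CONFIG = '''
config firewall policy
    edit 2092
        set srcintf "ssl.root"
        set dstaddr "VIP_WEBSERVER01"
        set action accept
    next
    edit 2093
        set srcintf "ssl.root"
        set dstaddr "VIP_WEBSERVER01"
        set action accept
        set groups "WEB_PORTAL_USERS"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} for the firewall policy block."""
    policies, current, in_block = {}, None, False
    for raw in text.splitlines():
        # Quoted strings become one token; a stray quote does not abort parsing.
        tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', raw)]
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_block = True
        elif not tokens or not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end" and current is None:
            in_block = False
    return policies

def unrestricted_sslvpn_policies(text, tunnel_if="ssl.root"):
    """IDs of accept policies from the tunnel interface with no group or user set."""
    return [pid for pid, p in parse_policies(text).items()
            if tunnel_if in p.get("srcintf", [])
            and p.get("action") == ["accept"]
            and not p.get("groups") and not p.get("users")]

if __name__ == "__main__":
    print(unrestricted_sslvpn_policies(SAMPLE_CONFIG))
```
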

 

 
