Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwdorman
New Contributor III

Created on ‎07-03-2014 12:16 PM

5.2 Upgrade and SSL VPN/FortiClient

The 5.2 upgrade materials talk specifically about the combining of VPN routing and user identification rules. I think this is a good thing... HOWEVER... in addition to reviewing the rule-sets make sure you look at the SSL VPN settings as well. I found that everything worked with my upgraded config until I made the first rule change to one of my SSL VPN rules then EVERYTHING broke. I had to go in and reset some things like what interface it listened on, default portal etc. One very nice part of this is that it seems to evaluate all VPN rules that have user groups in them and concatenate them into a single routing table download. Makes granular access rules much easier.

-rd 2x 200D Clusters 1x 100D

1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
3532
0 Kudos
6 REPLIES 6
emnoc
Esteemed Contributor III

Created on ‎07-03-2014 07:14 PM

Yeah , the single SSLVPN page for configuration is a devil in disguised. I broke alot of things also mainly with the listen on tab and the default portal entry. I really do miss the older sslvpn method for pre5.2

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1365
0 Kudos
ilucas
New Contributor

Created on ‎07-04-2014 04:15 PM

Is this anything that could cause problems in a 5.0 -> 5.2 upgrade regarding the SSL VPN? Provided no changes are made prior? We have some telecommute employees that rely primarily on the SSL VPN to access internal systems.. can' t have them stuck!

----

FG 200B/30D/60D/80D/100D/200D/300D

FE 200D

---- FG 200B/30D/60D/80D/100D/200D/300D FE 200D
1365
0 Kudos
Baptiste
Contributor II

Created on ‎07-07-2014 05:38 AM

As far as I remember last week, I had to make some change on SSL VPN Settings On IPV4 Policy, there were sub-policy on SSLVPN Policy on 5.0.x, after upgrade thèses rules have been split on dedicated rules.

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
Preview file
102 KB
1365
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎07-07-2014 07:51 AM

That' s correct and it took me about 15-30mins of diagnostics. Make sure you review all portal configurations if your doing tunnel-mode.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1365
0 Kudos
anthony956
New Contributor

Created on ‎07-07-2014 02:25 PM

Hello, I just have a question : Is it normal that a client of a VPN SSL (tunnel mode) have an IP address with mask /32 ? Because my VPN SSL is configured, the client PC got an IP address on the LAN but with netmask /32. So it can' t reach other devices on the LAN (the routing table is falsified). It' s the first time which I configured a SSL VPN on FortiOS 5.2. I have already configured VPN SSL on FortiOS 4.3 but I have never check the netmask of a client (it' s worked correctly). Thank you very much in advance. Regards, Anthony.
FCNSA-P France
FCNSA-P France
1365
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎07-08-2014 12:05 AM

Q: What' s your cfg looking like and did you define a unique SSLVPN tunnel range? If you would have done the later ( I' m assuming you didn' t ) than your /32 interface would not be relevant towards the lan subnet

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1365
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.