systemgeek
Contributor

Creating a policy route for SSL VPN

I have a FortiGate VM in AWS.  I have set up an SSL VPN to a host on the local subnet of the inside interface, and that works.  Now I want to expand it to a host in a different VPC in AWS.  For this it will need to route over a transit gateway to the other VPC.  The transit gateway routing works and can be verified.  I can ping and even telnet to port 22 from the FortiGate to the endpoint in the other VPC.


I am using browser-based SSL VPN for testing.


I tried to set up the following policy-based routing:

Incoming interface = ssl.root

Outgoing interface = port2 (private lan)

Source = ALL and SSLVPN

Destination = 10.0.0.0/8   (this CIDR will be routed over the transit gateway because of the attached tgw route)

Schedule = always

Service = ALL

Action = Accept


However, when I test, this policy has no hits.  What am I doing wrong???

1 Solution
adimailig
Staff
Staff

Hi,

I strongly suggest checking the routing on the FortiGate first.
Run "get router info routing-table details X.X.X.X" on the FGT CLI (where X.X.X.X is the destination IP in the different VPC).
This will show you the next hop and the interface through which the IP/subnet is learned.
After that, create a new firewall policy with incoming interface ssl.root and, as the outgoing interface, the interface through which the route is learned.

If the issue still persists, please follow the guide below on how to check the flow of the traffic.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Best Regards,

Arnold Dimailig
TAC Engineer


systemgeek

I had kinda expected that the flow would go out the WAN port, but when I initially tried that it did not work.  Then I decided to change both the source and destination address to ALL just to make sure I capture all the traffic.  That was the final part.  Now that I have it working I can work on limiting the policy route.
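As an added illustration (not from the thread, and not Fortinet documentation), here is the TAC advice and the poster's plan to tighten the policy expressed as FortiOS CLI: the route check, a firewall policy from ssl.root to the interface the route is learned on, scoped to the remote VPC subnet instead of ALL, and a flow trace for the case where the policy still shows no hits. port2 comes from the original post; the remote host 10.20.1.10, subnet 10.20.1.0/24, the address object name, the user group name and the SSH-only service are constructed assumptions for the example.

```fortios
# 1. Which interface carries traffic to the remote VPC host? (10.20.1.10 is a constructed address.)
#    The egress interface shown here is the one the firewall policy must use as dstintf.
get router info routing-table details 10.20.1.10

# 2. Address object for the remote VPC subnet (constructed), so the policy does not
#    have to stay at ALL -> ALL once it is proven to work.
config firewall address
    edit "remote-vpc-subnet"
        set subnet 10.20.1.0 255.255.255.0
    next
end

# 3. Firewall policy from the SSL VPN interface to the learned egress interface (port2, as in
#    the post). SSLVPN_TUNNEL_ADDR1 is the default SSL VPN client address object; the group
#    "sslvpn-users" is an assumed SSL VPN user group. Service is limited to what the poster
#    actually tested (SSH); widen it only as needed, and log so policy hits are visible.
config firewall policy
    edit 0
        set name "sslvpn-to-remote-vpc"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "remote-vpc-subnet"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# 4. If the policy still has no hits, trace a connection to the remote host through the
#    policy lookup, then clear the debug state afterwards.
diagnose debug flow filter addr 10.20.1.10
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 20
# ... reproduce the connection from the SSL VPN client here ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The trace output names the policy id (or "no matching policy") for each packet, which tells you whether the mismatch is on the interface pair or on the address objects.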
