I have a FortiGate VM in AWS. I have set up an SSL VPN to a host on the local subnet of the inside interface, and that works. Now I want to expand it to a host in a different VPC in AWS. For this it will need to route over a transit gateway to the other VPC. The transit gateway routing works and can be verified. I can ping and even telnet to port 22 from the FortiGate to the endpoint in the other VPC.
I am using the browser-based SSL VPN for testing.
I tried to set up the following policy-based routing:
Incoming interface = ssl.root
Outgoing interface = port2 (private lan)
Source = ALL and SSLVPN
Destination = 10.0.0.0/8 (this CIDR will be routed over the transit gateway because of the attached tgw route)
Schedule = always
Service = ALL
Action = Accept
However, when I test, this policy has no hits. What am I doing wrong???
Hi,
I strongly suggest checking the routing on the FortiGate first.
Run "get router info routing-table details X.X.X.X" on the FGT CLI (where X.X.X.X is the destination IP in the other VPC).
This will show you the next hop and the interface on which the IP/subnet is learned.
After that, create a new firewall policy with incoming interface ssl.root and the outgoing interface set to the interface where the route is learned.
If the issue still persists, please follow the guide below on how to check the flow of the traffic.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
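To see why the egress interface decides whether a policy gets any hits, here is a small Python model, added as an example and not FortiGate code or anything posted in this thread. It performs the longest-prefix route lookup that "get router info routing-table details" reports, then checks which firewall policy would match a session arriving on ssl.root. The routing table, the gateway and host addresses, the port1 WAN role, and the policy names are constructed for the example; ssl.root, port2 and the 10.0.0.0/8 destination come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None  # None means directly connected


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    dst_net: ipaddress.IPv4Network


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Constructed routing table (addresses and gateway are example values):
#  - port2 is the inside interface with a directly connected 10.1.0.0/24
#  - 10.0.0.0/8 (the TGW CIDR) and the default route go out port1 via the AWS subnet gateway
ROUTES: List[Route] = [
    Route(net("0.0.0.0/0"), "port1", "172.16.0.1"),
    Route(net("10.1.0.0/24"), "port2"),
    Route(net("10.0.0.0/8"), "port1", "172.16.0.1"),
]

# The policy from the original post, and the one the reply recommends (names constructed).
ORIGINAL_POLICY = Policy("ssl-to-port2", "ssl.root", "port2", net("10.0.0.0/8"))
SUGGESTED_POLICY = Policy("ssl-to-tgw", "ssl.root", "port1", net("10.0.0.0/8"))


def lookup(dest: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def matching_policy(src_intf: str, dest: str, policies: List[Policy],
                    routes: List[Route] = ROUTES) -> Optional[str]:
    """Return the name of the first policy a session would hit, or None.

    The egress interface is taken from the route lookup, not from the policy,
    so a policy whose dst_intf differs from the routed interface never matches.
    """
    route = lookup(dest, routes)
    if route is None:
        return None  # no route: dropped before policy evaluation
    addr = ipaddress.IPv4Address(dest)
    for p in policies:
        if p.src_intf == src_intf and p.dst_intf == route.interface and addr in p.dst_net:
            return p.name
    return None


if __name__ == "__main__":
    for host in ("10.1.0.10", "10.2.0.10"):  # constructed: local host, host in the other VPC
        r = lookup(host)
        print(f"{host}: egress {r.interface} via {r.next_hop or 'connected'}; "
              f"original policy hit: {matching_policy('ssl.root', host, [ORIGINAL_POLICY])}; "
              f"with suggested policy: {matching_policy('ssl.root', host, [ORIGINAL_POLICY, SUGGESTED_POLICY])}")
```

Running it shows the local host resolving to port2 and hitting the original policy, while the host in the other VPC resolves to port1 through the 10.0.0.0/8 route, so the ssl.root-to-port2 policy is never consulted for it and only the policy whose outgoing interface matches the routed interface records a hit.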
I had kind of expected that the flow would go out the WAN port, but when I initially tried that it did not work. Then I decided to change both the source and destination address to ALL just to make sure I capture all the traffic. That was the final part. Now that I have it working I can work on limiting the policy route.
Copyright 2024 Fortinet, Inc. All Rights Reserved.