- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Different SSL VPN Methods on Different VDOMs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Different SSL VPN Methods on Different VDOMs
Ahoy,
We are trialling out a multi-vdom approach to SSL VPN portals to allow us to have different host checking depending on the type of access required. I have setup a 100D with:
root vdom: all physical interfaces and normal operations (IPSec VPN, LAN access etc.) Tunnel vdom: ssl vpn setup for tunnel mode only with strict host checker Web vdom: ssl vpn for web access only low level host check (if any)
there are vdom links connecting root to tunnel and root to web.
web is working ok except with an issue with SSO for intranet URLs, and also on the version we're running (5.2.3) I can't limit the type of bookmarks people can create (i.e. only want them to have HTTP, HTTPS and RDP [not RDP Native]) as the config option is missing....
Tunnel is proving tricky. i have it mostly cracked now except for one slight snag - no traffic is flowing over it. Attached is a lovely MS Paint diagram of the config and setup with some rules (out of paranoia I have blanked out some stuff and changed our WAN IP).
i get this when i flow trace a connected ssl vpn tunnel client (10.220.16.10):
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.11.11:53->10.220.16.10:49315) from RT1. " id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3" id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction" id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
172.16.11.11 is a DNS server.
Any thoughts?
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit: i've turned NAT off on all the rules except the lan/rt0/rw0 to wan rule at the top and added routes to our layer3 switch on the LAN.
get this when i flow trace:
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.102.41:53->10.220.16.10:49315) from RT1. "
id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3"
id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction"
id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
172.16.102.41 is a device on our LAN and 10.220.16.10 is a client machine connected to the ssl vpn tunnel using the forticlient software (that IP is assigned by the tunnel).
Related Posts
- 2FA SSL VPN with LDAP authentication 232 Views
- FortiNAC Device Profile Rules - HTTP/HTTPS 228 Views
- How to ways of FortiProxy migration... 227 Views
- FortiClient VPN - program does not... 205 Views
- FortiNAC - Profiling Static IP Devices 320 Views
Labels
-
FortiGate
6,778 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
582 -
FortiAnalyzer
427 -
6.0
416 -
5.6
362 -
FortiSwitch
348 -
FortiAP
348 -
FortiClient EMS
275 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
163 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
42 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.