Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ajtech
New Contributor

FG60E IPSECVPN StoS and Policy

Hi, we have 2 sites (FG60E) and the ipsec vpn tunnel between them, ipv4policy like on the screenshot.

Tunnel is working fine, but when i turn on fg1 NOT_ALLOWED policy (it's policy only for fg1), then people from fg2 cannot connect to remote machine via RDP in fg1 site, why? Should i choose HTTP/HTTPS from the "service" column for this policy?

2 REPLIES 2
FortiKoala
Staff
Staff

You could just create a new policy with RDP configured it before the NOT_ALLOWED policy, the RDP might sending HTTP requests before the RDP connection.

 

Or create a policy with the source /destination subnets from FG1 Site and FGT2 site and allow all before the NOT_ALLOWED policy. This means all trafiic in your private networks is allowed between sites and other traffic to the internet.with be blocked by the URL filter in NOT_ALLOWED policy.

 

For further troubleshooting of Fortigate firewall policy connections problems here is a useful KB http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31702

dmcquade
New Contributor III

It is a best practice to have your VPN policies towards the top. I also avoid using the "all" group. I recommend at a minimum, creating a group for your used address space. For public space, I use the group object RFC1918 and negate the source / destination field it resides in.

 

HTH

d

Top Kudoed Authors