ajtech
New Contributor

FG60E IPSECVPN StoS and Policy

Hi, we have 2 sites (FG60E) and an IPsec VPN tunnel between them; the IPv4 policy is as on the screenshot.

The tunnel is working fine, but when I turn on the fg1 NOT_ALLOWED policy (it's a policy only for fg1), people from fg2 cannot connect to a remote machine via RDP at the fg1 site. Why? Should I choose HTTP/HTTPS from the "service" column for this policy?

2 replies
FortiKoala
Staff

You could just create a new policy with RDP configured, placed before the NOT_ALLOWED policy; the RDP client might be sending HTTP requests before the RDP connection.

Or create a policy with the source/destination subnets from the FG1 site and FGT2 site and allow all, placed before the NOT_ALLOWED policy. This means all traffic in your private networks is allowed between sites, and other traffic to the internet will be blocked by the URL filter in the NOT_ALLOWED policy.

For further troubleshooting of FortiGate firewall policy connection problems, here is a useful KB: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31702

dmcquade
New Contributor III

It is a best practice to have your VPN policies towards the top. I also avoid using the "all" group. I recommend at a minimum, creating a group for your used address space. For public space, I use the group object RFC1918 and negate the source / destination field it resides in.

HTH

d
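The policy layout both replies describe (site-to-site VPN policies evaluated before the URL-filtered NOT_ALLOWED policy, no "all" address object, and an RFC1918 group negated in the internet policy), written out as a FortiOS CLI example. This is an added illustration, not configuration from the original thread or from Fortinet. The subnets, the interface name "to_fg2" for the IPsec phase1 interface, the policy IDs (5 is assumed to be the existing NOT_ALLOWED policy) and the web filter profile name are all assumptions; replace them with your own values.

```fortios
# Address objects for the two site LANs and for private address space
# (constructed example subnets; substitute the real ones).
config firewall address
    edit "FG1_LAN"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "FG2_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "RFC1918_10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918_172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918_192"
        set subnet 192.168.0.0 255.255.0.0
    next
end

# Group covering all private address space; negated in the internet policy
# so that policy can only match traffic that is really leaving for the internet.
config firewall addrgrp
    edit "RFC1918"
        set member "RFC1918_10" "RFC1918_172" "RFC1918_192"
    next
end

config firewall policy
    # Site-to-site VPN policies. "to_fg2" is the assumed phase1 interface
    # name on FG1. These must sit above NOT_ALLOWED, otherwise a broadly
    # scoped NOT_ALLOWED policy (any/all selectors) matches RDP first.
    edit 10
        set name "VPN_FG2_to_FG1"
        set srcintf "to_fg2"
        set dstintf "internal"
        set srcaddr "FG2_LAN"
        set dstaddr "FG1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "VPN_FG1_to_FG2"
        set srcintf "internal"
        set dstintf "to_fg2"
        set srcaddr "FG1_LAN"
        set dstaddr "FG2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Internet policy carrying the URL filter. Destination "not RFC1918"
    # keeps it from ever applying to private-to-private traffic.
    # Policy ID 5 and the profile name are assumptions.
    edit 5
        set name "NOT_ALLOWED"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FG1_LAN"
        set dstaddr "RFC1918"
        set dstaddr-negate enable
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "<your-webfilter-profile>"
        set logtraffic all
        set nat enable
    next
    # Put the VPN policies ahead of NOT_ALLOWED in the evaluation order.
    move 10 before 5
    move 11 before 5
end

# Check on FG1 which policy an RDP session from FG2 actually hits
# (10.1.0.50 is a constructed address of the RDP host at site 1).
diagnose debug flow filter daddr 10.1.0.50
diagnose debug flow filter port 3389
diagnose debug flow trace start 10
diagnose debug enable
```

The debug flow output names the policy ID that accepted or denied the first packets of the session; if it reports NOT_ALLOWED (ID 5 here) for port 3389, the VPN policy is still below it or its address/interface selectors do not cover the VPN traffic. Disable the trace afterwards with `diagnose debug disable`.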
