Hi, we have 2 sites (FG60E) and the ipsec vpn tunnel between them, ipv4policy like on the screenshot.
Tunnel is working fine, but when i turn on fg1 NOT_ALLOWED policy (it's policy only for fg1), then people from fg2 cannot connect to remote machine via RDP in fg1 site, why? Should i choose HTTP/HTTPS from the "service" column for this policy?
You could just create a new policy with RDP configured it before the NOT_ALLOWED policy, the RDP might sending HTTP requests before the RDP connection.
Or create a policy with the source /destination subnets from FG1 Site and FGT2 site and allow all before the NOT_ALLOWED policy. This means all trafiic in your private networks is allowed between sites and other traffic to the internet.with be blocked by the URL filter in NOT_ALLOWED policy.
It is a best practice to have your VPN policies towards the top. I also avoid using the "all" group. I recommend at a minimum, creating a group for your used address space. For public space, I use the group object RFC1918 and negate the source / destination field it resides in.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.