- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FGT 30D: SSL-VPN in Forti OS 5.2 = Policy / VPN Cl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGT 30D: SSL-VPN in Forti OS 5.2 = Policy / VPN Client changes
Hi all,
i'm about to learn it the hard way, what there have been major changes in 5.2.
I'm following this guide: https://www.youtube.com/watch?v=lqYbNqZSPRA
I understand that there is only one policy needed now, allowing remote clients to connect to the corporate network. However, my client are now bound to the tunnel, and can not surf internet oder do email while beinig connected.
I believe this has somehting to do with "enable split tunneling" in SSL-Portal configuration. When i try to enable split tunneling, the forti unit checks and gives back:
Failed to save portal. Split tunneling cannot be enabled since IPv4 policy #3's destination address of "all" would be invalid for user/group "sslvpn" (as defined in the SSL-VPN Settings Authentication/Portal Mapping).
policy 3 is "ssl.root to lan"
to keep it simple:
how can i have my clients using fortclient to dial in (not the webaccess / webportal) and to connect to corporate network while being able to broesw the internet through their own internetconnection (and not using the corporates' one through the tunnel)?
thanks a lot in advance
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You are on the right track,
The policy you have created:
ssl.root -> LAN needs to have destination address other than "ALL".
ssl.root -> LAN -> Destination Address (for example 192.168.1.0/24)
Then you can set the split-tunneling in the ssl vpn settings.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Selective,
thanks, changing the destination did the trick to be able to enable split-tunnel.
However, i have still no internet accss on the client while connected through VPN. I have serious problems here :) Is there any documentation with "daily cases" like having remote works dial in and still let them stay online? documentation fortigate always had in the past? I miss creating a "firewall" or "SSL-VPN" policy for example, i'm totall lost. no routing, nothing works in 5.2, the way it was.
thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There could be a lot of things,
What network are you pushing out to your clients ?
DNS settings ?
best would be to post your config,
SSLVPN is a lot easier now in 5.2 ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posting the config maybe a little too much i believe but thanks. The machine is naked but i will put it productive on thursday, with 5.0.10 i believe.
Yes i have heared that 5.2 should have made this and stuff easier. But if you did it the other way around for some years... err
What network? i use the given 10.2xx.x.x for the ssl-vpn clients
dns currently not important.
I found this here:
http://mirazon.com/fortios-5-2-update-ssl-vpn-configuration-on-fortigate/
If you may have a look? Is this the way to go?
I have no routing adress for example edited on my machine currently, like in this link pointed out. I believe a static route to ssl-root was in lower fortios 5.2 always given, too(?). I have no static route in 5.2. The one i created made things worse...
So status: VPN connection through Client works, i can ping the LAN but the client is VPN-Network-Only.
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that looks like a good link.
Follow it and replace with you settings/network.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again,
ok, split tunnel is working and i can access protected lan through the tunnel (RDP), i just get no traffic back to the client (no ping answer from a server in corporate network coming back).
The static route points to the sslvpn clients' adress range and to the ssl.root device.
the attached policy-screenshot looks ****, but it's what results as i followed the manual on http://docs.fortinet.com/uploaded/files/1952/fortigate-sslvpn.pdf
page 27 (ssl-vpn-security policy and matching tunnel mode security policy)
i have no 2 networks like stated in this link http://mirazon.com/fortios-5-2-update-ssl-vpn-configuration-on-fortigate/
--> "Local subnets should be set to 10.32.250.0/24 and 10.32.251.0/24."
because i don't understand it.
i have one protected (corporate) network 192.168.2.x and the sslvpn-clients are in many different LAN
i guess the problem is all the policy: lan >> back to the vpn-client ?
anyone point out my mistake? thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can see that you have added the SSLVPN group to the policy LAN -> ssl.root and that is wrong.
The group should only be on your ssl.root -> LAN
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you are right, i already deactivated this one. still same behaviour
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, solution:
(this really is a tough one)
it all came down to this bug here:
yet i did the upgrade path 100%:
Firmware upgrade: v5.0,build4225 (GA) FGT30D-5.00-build179 -->
FGT_30D-v500-build0228-FORTINET.out v5.0,build0228 (GA Patch 4) -->
FGT_30D-v500-build4459-FORTINET.out FGT30D-5.00-build271 -->
FGT_30D-v5-build0305-FORTINET.out FGT30D-5.00-build305 -->
FGT_30D-v5-build0642-FORTINET.out v5.2.2,build642 (GA)
annoying
Thanks for your help.
Related Posts
- Fortigate AD Connection for userbased policies 32 Views
- TLS 1.3 query 36 Views
- Solution for Article 239709 not working... 57 Views
- FortiAP 832 40 Views
- vivaldi browser wont reach any webpage 211 Views
Labels
-
FortiGate
6,710 -
FortiClient
1,334 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
341 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
81 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
60 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
FortiAP profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.