Hi everyone,
We have a FortiGate VM set up for a client, on which I have set up an SSL VPN for them to update some tablets that need to connect to a program they have running on their server.
The VPN connects without a problem, but once connected, the traffic on the tablet does not route through the VPN.
I was thinking of a problem with the config on the FortiClient, but having tested it on a Samsung S10, the same thing happens: VPN connected but no traffic through it.
Is there a setting I may have missed somewhere in the SSL-VPN settings on the FortiGate?
Thanks for your time.
Well, it could be a number of factors.
1. Did you set up an IPv4 policy to allow traffic from the SSL VPN interface to the LAN interface?
2. Does the program require internal DNS resolution? Did you set an internal DNS server?
3. Did you set the client routing in the SSL VPN portal so the client knows what subnets to route (if it's split tunnel)?
Hey, thanks for the reply.
1 - Yep, I have a policy set up to allow it on the LAN interface.
2 - The program requires no DNS resolution; it's going straight to the internal IP of the server.
3 - Split tunneling is deactivated, as the tablet only needs to connect for 2 minutes to update the DB of the program and can then be disconnected from the VPN.
So I just thought I would send it all through the VPN, since internet access will not be needed while connected to the VPN.
The only other thing I can think of would be verifying the client is getting a valid IP while connected.
Beyond that I'll need some screenshots/output of config
The client is getting an IP from the IP range I setup for the VPN.
I'm quite new with the FortiGate. I'm guessing there is a CLI from which I can get the output; otherwise I can grab some screens. What would you need? I'm guessing screens of the policies and SSL settings.
I'll post them tomorrow. Thanks for the help.
Yea, screens of the SSL settings, SSL portal, and IPv4 policies.
Hey, sorry for getting back so late; I had some work Friday.
So here are the screenshots:
(GIMI is the name of the program/server)
The IPv4 policy letting the VPN IP range access the server subnet:
SSL settings:
Portal settings:
Everything I see seems correct. The only thing I can think of, just because I can't see it, is to verify that the interfaces on the IPv4 policy are ssl.root to the correct interface the server is on.
As well, verify in the SSL settings that the group VPN_GIMI is assigned to the correct portal.
Edit - I guess, just for the sake of verifying everything: what are the objects SSL_ACCESS and GIMI_RANGE_SSL_VPN for? Based on the SSL settings, it's assigning IPs based on the default object SSLVPN_TUNNEL_ADDR1.
Actually, thinking about it a bit more, that may be the problem. If you remove SSL_ACCESS from the IP pools (or remove the default one and add SSL_ACCESS to the IPv4 policy), it should work.
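The following FortiOS CLI fragment is an added example, not part of the original thread or its screenshots. It pulls together the three checks from the first reply and the pool mismatch the last reply identifies: the SSL VPN settings hand out addresses from SSLVPN_TUNNEL_ADDR1 while the policy only matches SSL_ACCESS, so no policy matches the tunnel traffic and it is dropped. The object and group names (SSL_ACCESS, SSLVPN_TUNNEL_ADDR1, VPN_GIMI) come from the thread; the LAN interface port2, the WAN interface port1, the server subnet 192.168.10.0/24, the server address 192.168.10.5, the portal name GIMI_portal and the policy ID are assumptions chosen for the example. Syntax is FortiOS 6.x.

```fortios
# Added example (not from the thread). Assumed: WAN port1, LAN port2,
# server subnet 192.168.10.0/24, FortiOS 6.x CLI.

# The range the tunnel actually assigns. Its values here equal the
# FortiOS default pool SSLVPN_TUNNEL_ADDR1, so either object can be used,
# but the SAME object must appear in the VPN settings and in the policy.
config firewall address
    edit "SSL_ACCESS"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "GIMI_SERVER_NET"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Tunnel-mode portal, split tunneling disabled (everything goes through the
# tunnel, as the poster wants). A pool set here overrides the global one,
# so keep it consistent with tunnel-ip-pools below.
config vpn ssl web portal
    edit "GIMI_portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSL_ACCESS"
    next
end

# Global SSL VPN settings: same pool, and the VPN_GIMI group mapped to the
# tunnel portal (the check in the last reply above).
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSL_ACCESS"
    set port 10443
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN_GIMI"
            set portal "GIMI_portal"
        next
    end
end

# Policy from the tunnel interface to the LAN interface the server sits on.
# srcaddr must contain the assigned tunnel address and groups must contain
# the user's group, or the packet matches no policy and is dropped.
config firewall policy
    edit 10
        set name "SSLVPN_to_GIMI"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSL_ACCESS"
        set dstaddr "GIMI_SERVER_NET"
        set groups "VPN_GIMI"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification from the CLI once a tablet is connected:
# get vpn ssl monitor                          -> shows the user and its tunnel IP
# diagnose debug flow filter addr 192.168.10.5
# diagnose debug flow trace start 20
# diagnose debug enable
#   (generate traffic from the tablet to the server)
# diagnose debug disable
# A matched packet reports the policy id it hit; a packet that matches no
# policy is reported as dropped, which is the symptom of the pool mismatch.
```

If the GUI shows a pool object in the SSL VPN settings that differs from the source address object in the policy, pick one object for both places rather than adding the second one to the pool list, so the address the client receives is always one the policy covers.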
Copyright 2024 Fortinet, Inc. All Rights Reserved.