For lack of a better term, the SSL VPN policies are flapping. Sometimes they work and a users AD Group membership determines that they can access a certain website that is normally blocked. Then at a later time, or after a restart and zero changes to the firewall or their AD membership, they lose access to that site. Is anyone else experiencing this issue?
Hi
Could you please provide a more detailed description? What kind of policy? Do you enable UTM? What specific functions cannot be used normally? Is there a specific URL(web filter)? Can the operation steps be reproduced stably? Can you provide some more information for us to reproduce it in the lab, thank you.
Thanks
Kangming
When the issue happens, is the user traffic hitting the policy where the AD group is called?
Regards,
Vimala
Here's some more info on the firewall policies. We have four policies that I'm currently looking at with the same issue. One for access to dropbox.com services, box.com, egnyte.com and instagram.com, they're all setup in a similar fashion with access being determined by an AD group. The rules are using a web filter and app control that are set to allow that service specifically.
Name | From | To | Source | Destination | Schedule | Service | Action | NAT | Security Profile |
Dropbox.com Access - VPN | SSL-VPN tunnel interface | Outside | Dropbox.com access | all | Dropbox-DNS, etc. | Always | Internet Service | Accept | Enabled | Web Filter, App Control |
I'm able to reporduce this throughout the day on a test laptop; I'll try in the morning and it may not work, then try after lunch and it'll suddenly start working. I have a test domain user with access to each of the AD groups (dropbox, egnyte, etc). What I've noticed is the Authentication Server flips between our Forticlient FSSO VM ('SrvFortiClient') and our Duo-Radius server. Is there a way to always look to our SrvFortiClient when applying these policies, from what I've seen in the logs, when it hits SrvFortiClient, it applies the correct policy and gives the correct access.
I'm still wondering if there's a way to always look at our SrvFortiClient (FSSO) server to apply rules over VPN. is that even possible?
The issue you are encountering with the SSL VPN policies and the inconsistent behavior of user access to certain websites can be attributed to various factors within the network infrastructure. Flapping of VPN policies often indicates underlying problems with routing, load balancing, or configuration synchronization. It is possible that there are conflicts in the firewall rules or routing tables that result in intermittent access for users.
Would it be possible to request a senior level technician go over our Fortigate environment when I submit a ticket? I've chatted with support before on this and heard that this configuration isn't supported, but I'm not sure who else to configure firewall rules over our Forticlient VPN.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.