- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 7.0.11 SSLVPN Policies Flapping
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 7.0.11 SSLVPN Policies Flapping
For lack of a better term, the SSL VPN policies are flapping. Sometimes they work and a users AD Group membership determines that they can access a certain website that is normally blocked. Then at a later time, or after a restart and zero changes to the firewall or their AD membership, they lose access to that site. Is anyone else experiencing this issue?
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Could you please provide a more detailed description? What kind of policy? Do you enable UTM? What specific functions cannot be used normally? Is there a specific URL(web filter)? Can the operation steps be reproduced stably? Can you provide some more information for us to reproduce it in the lab, thank you.
Thanks
Kangming
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When the issue happens, is the user traffic hitting the policy where the AD group is called?
Regards,
Vimala
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's some more info on the firewall policies. We have four policies that I'm currently looking at with the same issue. One for access to dropbox.com services, box.com, egnyte.com and instagram.com, they're all setup in a similar fashion with access being determined by an AD group. The rules are using a web filter and app control that are set to allow that service specifically.
| Name | From | To | Source | Destination | Schedule | Service | Action | NAT | Security Profile |
| Dropbox.com Access - VPN | SSL-VPN tunnel interface | Outside | Dropbox.com access | all | Dropbox-DNS, etc. | Always | Internet Service | Accept | Enabled | Web Filter, App Control |
I'm able to reporduce this throughout the day on a test laptop; I'll try in the morning and it may not work, then try after lunch and it'll suddenly start working. I have a test domain user with access to each of the AD groups (dropbox, egnyte, etc). What I've noticed is the Authentication Server flips between our Forticlient FSSO VM ('SrvFortiClient') and our Duo-Radius server. Is there a way to always look to our SrvFortiClient when applying these policies, from what I've seen in the logs, when it hits SrvFortiClient, it applies the correct policy and gives the correct access.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm still wondering if there's a way to always look at our SrvFortiClient (FSSO) server to apply rules over VPN. is that even possible?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue you are encountering with the SSL VPN policies and the inconsistent behavior of user access to certain websites can be attributed to various factors within the network infrastructure. Flapping of VPN policies often indicates underlying problems with routing, load balancing, or configuration synchronization. It is possible that there are conflicts in the firewall rules or routing tables that result in intermittent access for users.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would it be possible to request a senior level technician go over our Fortigate environment when I submit a ticket? I've chatted with support before on this and heard that this configuration isn't supported, but I'm not sure who else to configure firewall rules over our Forticlient VPN.
Related Posts
- Fortigate AD Connection for userbased policies 68 Views
- Redundant dial-up VPN FG to FG 279 Views
- Assistance Required for FortiWeb in (Reverse... 250 Views
- Explicit Proxy on FGT - what... 166 Views
- Blockin Whatsapp Videocall only 140 Views
Labels
-
FortiGate
6,716 -
FortiClient
1,336 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.