I set my service to ALL in the firewall policy, but why does it still show the problem "Denied by forward policy check (policy 0)"? It shows that DNS resolution failed when I try to access a local system using SSL VPN.
My firewall policy:

    config firewall policy
        edit 1
            set name "LAN-to-SDWAN"
            set srcintf "lan"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "Clone of certificate-inspection"
            set av-profile "default"
            set webfilter-profile "default"
            set dnsfilter-profile "default"
            set ips-sensor "default"
            set application-list "default"
            set voip-profile "default"
            set nat enable
        next
        edit 4
            set name "SSL VPN > LAN Access"
            set srcintf "ssl.root"
            set dstintf "lan"
            set action accept
            set srcaddr "SSL-VPN_Address"
            set dstaddr "Local_LAN"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "Clone of certificate-inspection"
            set av-profile "default"
            set webfilter-profile "default"
            set dnsfilter-profile "default"
            set ips-sensor "default"
            set application-list "default"
            set voip-profile "default"
            set groups "Employees"
        next
    end
Hi,
From the debug it looks like the DNS communication is to the 8.8.4.4 IP address and the incoming interface is the SSL VPN interface. Neither of the 2 rules which were shared looks like it matches this traffic. Is there any rule which allows the communication from the SSL VPN interface to the ppp2 interface, as per the debug?
Regards,
Shiva
Hi,
I have another 3 policies, but I think they are not related? Is there anything I left out?

    config firewall policy
        edit 2
            set name "vpn_IPSEC_STU-NDC_local"
            set srcintf "lan"
            set dstintf "IPSEC_STU-NDC"
            set action accept
            set srcaddr "IPSEC_STU-NDC_local"
            set dstaddr "IPSEC_STU-NDC_remote"
            set schedule "always"
            set service "ALL"
            set nat enable
            set comments "IPSEC_STU-NDC"
        next
        edit 3
            set name "vpn_IPSEC_STU-NDC_remote"
            set srcintf "IPSEC_STU-NDC"
            set dstintf "lan"
            set action accept
            set srcaddr "IPSEC_STU-NDC_remote"
            set dstaddr "IPSEC_STU-NDC_local"
            set schedule "always"
            set service "ALL"
            set nat enable
            set comments "IPSEC_STU-NDC"
        next
        edit 7
            set status disable
            set name "lan > ssl vpn"
            set srcintf "lan"
            set dstintf "ssl.root"
            set action accept
            set srcaddr "all"
            set dstaddr "SSL-VPN_Address"
            set schedule "always"
            set service "ALL"
        next
    end
I created a policy to communicate from SSL VPN to my virtual WAN link, which is ppp2. Now it no longer shows the "Denied by forward policy check (policy 0)" problem, but I am still not able to ping my server IP from the command prompt. TAT
Hi,
1. Please check what IP the DNS is resolving the FQDN to. Make sure the IP it resolves to is the correct one.
2. Check that you have the correct route in the firewall for the destination IP, i.e. the server IP address.
3. Check that you have the correct security policy to allow the communication from the correct incoming interface to the correct outgoing interface.
4. You can check the traffic log to see whether the traffic is flowing correctly or not. Make sure logging is enabled in the policy for this. Do check the sent bytes and received bytes values.
Regards,
Shiva
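As an added example (not part of the original thread or of Fortinet's documentation), here is the kind of policy the first reply asks about, followed by FortiOS CLI commands that carry out the four checks listed above. It assumes the SSL VPN tunnel interface is ssl.root, the SD-WAN interface is virtual-wan-link (with ppp2 as a member), the address object SSL-VPN_Address covers the tunnel IP pool, and the user group Employees is the one already used on policy 4; policy id 5, the client address 10.212.134.200 and the server address 192.168.1.10 are assumed values for illustration. The DNS, PING and HTTPS services are FortiGate's built-in service objects.

```fortios
# Added example, not from the thread. Assumed: ssl.root, virtual-wan-link,
# SSL-VPN_Address and Employees exist as on the posted policies; id 5 is free.
# Policy for SSL VPN clients reaching the WAN side (e.g. DNS to 8.8.4.4).
# Services are kept narrower than ALL; widen only if the traffic needs it.
# logtraffic all is required for step 4 (traffic log with sent/received bytes).
config firewall policy
    edit 5
        set name "SSL VPN > Internet via SD-WAN"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "SSL-VPN_Address"
        set dstaddr "all"
        set schedule "always"
        set service "DNS" "PING" "HTTPS"
        set groups "Employees"
        set nat enable
        set logtraffic all
    next
end

# Step 3: ask the firewall which policy a DNS query from a VPN client hits.
# Arguments: src-ip src-port dst-ip dst-port protocol(17=UDP) src-interface
# "policy 0" in the result means no policy matched, which is the denial
# quoted in the question.
diagnose firewall iprope lookup 10.212.134.200 40000 8.8.4.4 53 17 ssl.root

# Step 2: confirm there is a route to the DNS server and to the internal server,
# and note which interface each route points at (it must match dstintf).
get router info routing-table details 8.8.4.4
get router info routing-table details 192.168.1.10

# Steps 1 and 4: trace the packet path of one client while it resolves the
# FQDN and pings the server; the trace names the policy id that is matched
# and the interface the packet leaves through.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# (reproduce from the client here, then stop the trace)
diagnose debug disable
diagnose debug reset
```

If the iprope lookup already returns a policy but the ping still fails, the flow trace is the quicker check: it shows whether the reply packets come back on the expected interface, which a route or NAT mismatch on the server side would prevent.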