Hi Everyone,
After hundreds of hours and lots of troubleshooting, I am now forwarding the issue to this champ portal.
Scenario:
1. FortiGate 401E configured as SSL VPN tunnel mode firewall only.
2. A local user is set on the FortiGate 401E firewall.
3. An FQDN is set to resolve to a public IP terminating on a FortiGate 401E interface.
4. A VIP which translates the public IP to a local IP on which SSL VPN is set to listen for requests.
5. FortiClient VPN is set up on Windows 10, 11 and Android mobiles using multiple variants, i.e. free and commercial.
Testing:
1. When FortiClient VPN establishes the connection, it gets connected and works very, very fine.
Tested thousands of times and every time it works fine.
Changed the scenario (actual business requirements):
3. Changed the FQDN to resolve to a Cloudflare IP and asked the Cloudflare team to enable WAF, inspect the traffic, then forward the clients' requests to the public interface of the FortiGate.
Testing:
1. When FortiClient VPN tries to connect, the tunnel is established and then, all of a sudden, in the very next second the connection gets shut down.
Tried hundreds of times too but get the same issue every time. As soon as we bypass Cloudflare, the client gets connected and remains stable.
It has been figured out that there might need to be some changes at the Cloudflare end, but:
1. What are the possible changes we require to resolve this issue?
2. What might be the root cause(s) of this issue?
3. What is the way out to complete this business requirement?
Please kindly support.
Shariq Jamil
If anyone would like to talk, please feel free to reach me on WhatsApp number "+92 322 2470551".
Thanks
Hi Shariq Jamil,
Does it work if you disable the WAF feature on Cloudflare (i.e. don't do reverse proxy, just receive and forward through Cloudflare, if possible)?
It looks like others also encountered the same issue through Cloudflare proxy.
https://www.reddit.com/r/fortinet/comments/kmmv7i/ssl_vpn_gateway_proxied_using_cloudflare_not_able/
Based on my internal research, a customer was saying that in order for it to work with Cloudflare, we might need one of their enterprise products called Cloudflare Spectrum.
https://www.cloudflare.com/products/cloudflare-spectrum/
https://blog.cloudflare.com/spectrum-for-udp-ddos-protection-and-firewalling-for-unreliable-protocol...
https://developers.cloudflare.com/spectrum/protocols-per-plan/
Otherwise, please see below for more information about which network ports are compatible with Cloudflare.
https://developers.cloudflare.com/fundamentals/get-started/reference/network-ports/
https://community.cloudflare.com/t/openvpn-not-working-through-cloudflare-dns/5731/5
Maybe you can check with Cloudflare.
Regards,
Stephen
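A small diagnostic that goes with Stephen's question above (is the VPN FQDN actually being answered by the Cloudflare proxy, or by the FortiGate directly?). This is an added example, not code from the thread, from Fortinet or from Cloudflare: it resolves the FQDN, checks whether the address falls inside Cloudflare's published edge ranges, and looks at who issued the leaf certificate served on 443. When the proxy/WAF is in the path, TLS terminates at Cloudflare's edge with Cloudflare's own certificate, which is exactly the condition under which the thread reports the tunnel dropping; with DNS-only (proxy off) the FQDN resolves to the FortiGate VIP and the FortiGate's installed certificate is served. The FQDN, VIP address and the IP range snapshot are assumptions/constructed inputs, and the range list should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
"""Check whether an SSL VPN FQDN terminates TLS at Cloudflare's proxy or at the
FortiGate itself. Added example; not from the original thread or vendors."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this list is current; refresh it from that URL before relying on it.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's IPv4 edge ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in _CF_NETS)


@dataclass
class PathVerdict:
    proxied: bool   # True when something other than the FortiGate answers the FQDN
    reason: str


def diagnose(fqdn_ip: str, origin_ip: str, issuer_org: str) -> PathVerdict:
    """Decide whether the VPN FQDN path terminates TLS at the Cloudflare proxy.

    fqdn_ip    - address the VPN FQDN currently resolves to
    origin_ip  - the FortiGate's public (VIP) address that should be answering
    issuer_org - organizationName from the issuer of the leaf certificate served
                 on fqdn_ip:443 ("" if the cert could not be validated)
    """
    if is_cloudflare_ip(fqdn_ip):
        return PathVerdict(True, f"{fqdn_ip} is a Cloudflare edge address: "
                                 "the proxy terminates TLS, not the FortiGate")
    if "cloudflare" in issuer_org.lower():
        return PathVerdict(True, "leaf certificate was issued for Cloudflare's edge, "
                                 "so the proxy terminates TLS")
    if fqdn_ip != origin_ip:
        return PathVerdict(True, f"FQDN resolves to {fqdn_ip}, not the FortiGate VIP "
                                 f"{origin_ip}; something else is in the path")
    return PathVerdict(False, "FQDN resolves to the FortiGate VIP and the FortiGate's "
                              "own certificate is served (DNS-only / proxy off)")


def _rdn_value(seq, key: str) -> str:
    """Pull one attribute (e.g. organizationName) out of ssl.getpeercert() RDN tuples."""
    for rdn in seq:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def probe(fqdn: str, origin_ip: str, port: int = 443, timeout: float = 10.0) -> PathVerdict:
    """Live check: resolve the FQDN, fetch the leaf certificate on 443, then diagnose.

    Validation is left on deliberately: Cloudflare's edge certificate is publicly
    trusted, while a self-signed FortiGate certificate fails validation, which is
    itself a hint that you reached the FortiGate directly.
    """
    fqdn_ip = socket.gethostbyname(fqdn)
    ctx = ssl.create_default_context()
    issuer_org = ""
    try:
        with socket.create_connection((fqdn_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                issuer_org = _rdn_value(tls.getpeercert().get("issuer", ()), "organizationName")
    except ssl.SSLCertVerificationError:
        pass  # untrusted/self-signed cert: fall through to the address-based checks
    return diagnose(fqdn_ip, origin_ip, issuer_org)


if __name__ == "__main__":
    # Hypothetical FQDN and VIP; replace with your own values.
    verdict = probe("vpn.example.com", "203.0.113.10")
    print("proxied" if verdict.proxied else "direct", "-", verdict.reason)
```

Run it once with the Cloudflare proxy (orange cloud) on and once with it off: a "proxied" verdict in the first run and "direct" in the second confirms that the only difference between the working and failing setups is Cloudflare's HTTP reverse proxy sitting in front of the SSL VPN listener, which is what Stephen's Spectrum and network-ports links address.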
Hi Shariq Jamil,
Does it work if you disable the WAF feature on Cloudflare (i.e. don't do reverse proxy, just receive and forward through Cloudflare, if possible)?
>>> Yes, it works when we disable WAF on Cloudflare,
and after disabling it, tunnels get established using Cloudflare as a proxy.
I just would like to confirm whether Cisco AnyConnect / FortiClient VPN can be established over the HTTP/HTTPS protocol?
We are using protocol # 443.