Hello,
I aim to get all the traffic of my VPN users on the firewall, except meeting, YouTube, etc. traffic. I proceeded with the information I found on the internet, set my sslvpn portal settings to "Enabled for Trusted Destinations", and left the "routing address override" field blank. I created policies to manipulate the IPs through the policy for the traffic that I want users to not come to my firewall. I wrote youtube etc addresses with negate destination in the policies.
When I did these, I expected it to work correctly, it worked but it worked with problems. When I ask for a route to any IP address on the client, it enters the tunnel. When I ask for YouTube, the client uses its own internet output. The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. When the "routing address override" section is left blank, do these IPs appear by default? Is there a field to reset this area? No matter what I did I couldn't fix it, please help.
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
'The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. '
This statement is a little unclear, are you saying that you are seeing some internal traffic (local to the firewall) be incorrectly routed to a VPN user? Maybe a sniffer output of what you are seeing would help.
Hi Johnathan,
I will try to explain the problem with screenshots.
Sslvpn portal; tunnel mode place
Firewall policy
This is the test1 from client pc(my pc)
test2
test3
test4
test5
192.168.1.1 => my home internet connection
10.109.204.1 => sslvpn tunnel
As you can see, I tried the fqdns I specified in the policy in test1 and test2 and accessed them from my home internet as it should.
As I expected in test3,4,5; Since I did not specify the IP addresses in the policy, it directed me to the tunnel.
-
Although I did not specify it, it also directs some of the company's networks to the home internet in my route table. I don't understand why it does this even though I haven't stated it anywhere. Since these networks are critical networks, people become unable to work.
I hope it was explanatory. By the way, the firewall version is 7.0.14
Why do we have those destinations in the policy negated?
Seems like as per this article, with that enabled it will send ALL traffic except for the ones in the policy to the tunnel:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Exclude-some-traffic-from-SSL-VPN-using-Tr...
So why do some 10.0.0.0/8 networks, which are not specified in the policy, provide access from the user's own internet as if it were written in the rule?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.