spartan
New Contributor

FortiGate SSL-VPN portal "Enabled for Trusted Destinations" problem

Hello,

I aim to get all the traffic of my VPN users onto the firewall, except meeting, YouTube, etc. traffic. I proceeded with the information I found on the internet, set my SSL VPN portal settings to "Enabled for Trusted Destinations", and left the "routing address override" field blank. I created policies to handle, through the policy, the IPs of the traffic that I do not want to come to my firewall. I added the YouTube etc. addresses with negate destination in the policies.

When I did this, I expected it to work correctly; it worked, but with problems. When I ask for a route to any IP address on the client, it enters the tunnel. When I ask for YouTube, the client uses its own internet output. The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. When the "routing address override" section is left blank, do these IPs appear by default? Is there a field to reset this area? No matter what I did, I couldn't fix it. Please help.

Thanks.

johnathan
Staff

'The problem is that clients are starting to hear our company's 10.0.0.0/8 network from their own internet output. '

This statement is a little unclear. Are you saying that you are seeing some internal traffic (local to the firewall) being incorrectly routed to a VPN user? Maybe a sniffer output of what you are seeing would help.

"Never trust a computer you can't throw out a window."
spartan
New Contributor

Hi Johnathan,

 

I will try to explain the problem with screenshots.

 

SSL VPN portal; tunnel mode section

sslvpn_portal.png

 

Firewall policy

policy.png

 

This is test1 from the client PC (my PC)

ping_ipchicken.png

 

test2

ping_youtube.png

test3

ping_8.8.8.8.png

 

test4

ping_microsoft.png

 

test5 

ping_instagram.png

 

192.168.1.1 => my home internet connection
10.109.204.1 => SSL VPN tunnel

 

As you can see, in test1 and test2 I tried the FQDNs I specified in the policy and accessed them from my home internet, as they should be.

 

As I expected, in tests 3, 4 and 5, since I did not specify those IP addresses in the policy, it directed me to the tunnel.

 

Although I did not specify it anywhere, it also directs some of the company's networks to the home internet in my route table. I don't understand why it does this even though I haven't stated it anywhere. Since these networks are critical networks, people become unable to work.

netstat.png

 

I hope this was clear enough. By the way, the firewall version is 7.0.14.


johnathan

Why do we have those destinations in the policy negated?
It seems that, as per this article, with that setting enabled it will send ALL traffic except for the destinations in the policy to the tunnel:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Exclude-some-traffic-from-SSL-VPN-using-Tr...

"Never trust a computer you can't throw out a window."
spartan
New Contributor

So why do some 10.0.0.0/8 networks, which are not specified in the policy, get accessed from the user's own internet connection as if they were written in the rule?
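For readers following along, here is the setup spartan describes, rendered as FortiOS 7.0 CLI. This is an added example for this page, not configuration posted in the thread or taken from the linked article. The portal name, the address objects and their FQDNs, the address group, the IP pool, the interface names, the user group and the policy ID are all assumptions. The portal's "Enabled for Trusted Destinations" option corresponds to `split-tunneling-routing-negate`, and leaving "Routing Address Override" blank means the destination addresses of the SSL VPN policies are used as the excluded set. The policy keeps the "negate destination" flag exactly as the original post describes; Johnathan's reply questions that flag, and the thread does not confirm which variant resolves the 10.0.0.0/8 routes.

```fortios
# Portal (assumed name "full-access"): tunnel mode, split tunneling set to
# "Enabled for Trusted Destinations", "Routing Address Override" left blank.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        unset split-tunneling-routing-address
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# FQDN address objects for the traffic that should stay on the client's own
# internet connection (assumed names and hosts). The routes pushed to the
# client are the IPs the FortiGate resolves for these FQDNs, so the
# FortiGate's own DNS resolution decides what gets excluded.
config firewall address
    edit "youtube"
        set type fqdn
        set fqdn "www.youtube.com"
    next
    edit "ipchicken"
        set type fqdn
        set fqdn "ipchicken.com"
    next
end

config firewall addrgrp
    edit "trusted-destinations"
        set member "youtube" "ipchicken"
    next
end

# Policy as described in the original post: the excluded addresses are the
# destination and "negate destination" is enabled (assumed ID, interfaces
# and user group). Johnathan's reply asks why this flag is set; to test the
# variant the linked article describes, change it to
# "set dstaddr-negate disable" and compare the client's route table.
config firewall policy
    edit 10
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "trusted-destinations"
        set dstaddr-negate enable
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set nat enable
    next
end
```

To check the effect of either variant, reconnect the client and list its IPv4 routes (on Windows, `route print -4`; the screenshots in this thread show the same information via netstat). Every prefix that should reach the company should point at the tunnel gateway (10.109.204.1 in spartan's tests), and only the resolved IPs of the FQDN objects should point at the home gateway (192.168.1.1). If a 10.0.0.0/8 prefix shows up with the home gateway as its next hop after a reconnect, that route came from the split-tunnel configuration and not from the client, which narrows the problem to the portal and policy above.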
