Hi,
We're now attempting internal scanning on our internal servers from FortiClient VPN, but our antivirus software is blocking us from doing so. We intend to exclude the SSL VPN internal IP address, but the antivirus software only detected the FGT IP address, not the internal IP address.
Is there a way to ensure that the SSL VPN IP address is detected by antivirus software but not our FGT IP internal address?
Thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If the scan destination sees FGT's IP instead of the scan source (SSL VPN client) IP, your SSL VPN policy (ssl.root->internal_interface) is NAT(SNAT)ed. Just disable the NAT.
Toshi
Hi Mr Toshi,
Thank you for the reply. If i disable the SNAT, suddenly the VPN user unable to ping or remote to the server.
Thank you.
Hey mhrth,
if the VPN user can no longer reach the server with NAT disabled, that indicates that the SSLVPN client IPs are not routed in your network for some reason.
Does the server/its gateway have a route for the SSLVPN client range pointing back to the FortiGate, or at least a default route back to the FortiGate?
You could run a traceroute (CMD: tracert <destination IP>) from your SSLVPN client (with NAT disabled in the VPN policy) to see at what point the replies go missing.
That would tell you where the route back to the VPN client no longer exists and you need to provide it in some way.
Hi Debbie,
Will try to tracert and give you the feedback later. Just for info, by SSLVPN client (with NAT disabled in the VPN policy), I managed to ping my fortigate IP address and access to the GUI.
Thank you.
Of course, if the VPNs are on-going, the server will see packets from a different IP so the sessions would be dropped. I wouldn't make this kind of change in regular business hours.
But pinging the server should work if the ping request reaches the server and comes back from the server.
I would sniff those ping packets on the FGT interface connected to the server to see if the packets are going out and coming back. And again, do it after hours.
Toshi
Hi Mr Toshi,
What I mean is the VPN users are unable to ping or access the server after I disable the NAT after hours.
Thank you.
So the packet will come from SSL VPN client machine-------Fortigate -------The packet will go out of fortigate interface.
Take packet capture at next hop after fortigate firewall, it will help you understand whats happening with the packet.
May be there could be windows firewall rule which is allowing packets only from same network IP and it might not be allowing from different network IP address.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.