Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhrth
New Contributor III

IP Detected from Firewall

Hi,

 

We're now attempting internal scanning on our internal servers from FortiClient VPN, but our antivirus software is blocking us from doing so. We intend to exclude the SSL VPN internal IP address, but the antivirus software only detected the FGT IP address, not the internal IP address.

 

Is there a way to ensure that the SSL VPN IP address is detected by antivirus software but not our FGT IP internal address?

 

Thank you.

7 REPLIES 7
Toshi_Esumi
Esteemed Contributor III

If the scan destination sees FGT's IP instead of the scan source (SSL VPN client) IP, your SSL VPN policy (ssl.root->internal_interface) is NAT(SNAT)ed. Just disable the NAT.

 

Toshi

mhrth
New Contributor III

Hi Mr Toshi, 

 

Thank you for the reply. If i disable the SNAT, suddenly the VPN user unable to ping or remote to the server. 

 

Thank you.

Debbie_FTNT

Hey mhrth,

if the VPN user can no longer reach the server with NAT disabled, that indicates that the SSLVPN client IPs are not routed in your network for some reason.

Does the server/its gateway have a route for the SSLVPN client range pointing back to the FortiGate, or at least a default route back to the FortiGate?

You could run a traceroute (CMD: tracert <destination IP>) from your SSLVPN client (with NAT disabled in the VPN policy) to see at what point the replies go missing.

That would tell you where the route back to the VPN client no longer exists and you need to provide it in some way.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mhrth
New Contributor III

Hi Debbie,

 

Will try to tracert and give you the feedback later. Just for info, by SSLVPN client (with NAT disabled in the VPN policy), I managed to ping my fortigate IP address and access to the GUI.

 

Thank you.

Toshi_Esumi
Esteemed Contributor III

Of course, if the VPNs are on-going, the server will see packets from a different IP so the sessions would be dropped. I wouldn't make this kind of change in regular business hours.

But pinging the server should work if the ping request reaches the server and comes back from the server.

I would sniff those ping packets on the FGT interface connected to the server to see if the packets are going out and coming back. And again, do it after hours.

 

Toshi

mhrth
New Contributor III

Hi Mr Toshi,

 

What I mean is the VPN users are unable to ping or access the server after I disable the NAT after hours.

 

Thank you.

seshuganesh

So the packet will come from SSL VPN client machine-------Fortigate -------The packet will go out of fortigate interface.

Take packet capture at next hop after fortigate firewall, it will help you understand whats happening with the packet.

May be there could be windows firewall rule which is allowing packets only from same network IP and it might not be allowing from different network IP address.

Labels
Top Kudoed Authors