Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPv4 Policy SSL.ROOT with no trafic

Good Morning,


there is a small problem and I can't get it right.


We use some small 61E for remote purposes and everything works well.

Except from the SSL VPN Web.


config firewall policy

edit 110

set name "SSL-Remote-AT12N4"

set uuid 96a7334c-8d0b-51e9-8017-d3f1cdbad98d

set srcintf "ssl.root"

set dstintf "wan2"

set srcaddr "SSLVPN_TUNNEL_ADDR1"

set dstaddr "RDSSX"

set action accept

set schedule "always"

set service "DNS" "HTTP" "HTTPS"

set utm-status enable

set groups "XA12N4"

set av-profile "default"

set ips-sensor "default"

set application-list "default"

set ssl-ssh-profile "certificate-inspection"




It is needed so that SSL VPN Webmode works.

If I disable it the SSL VPN does no longer work.

BUT this Policy does not get ANY traffic (0Bytes).

As a result the security rating show that a policy is not used.


Can somebody help me and tell what I have to do to make it work as intended?


New Contributor



dstintf "wan2"


Is it correct ?


So, what exactly is your intention?

I see this policy allows SSL VPN users to access a server on the net (RDSSX). Have you checked that NAT is enabled?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!

dstintf "wan2" is correct it is the hardware port but we configured it software wise as a lan port.


I tried NAT and without NAT without noticing any difference.


For my understanding of how SSL VPN Webmode works, is that the user connects to the fortigate, after he passes the authentication the FortiGate establishes a in my case RDP connection and displays the visual content to the user.

Is that correct? 

I this case it would not matter if NAT is Enable or Disable because the Fortigate has direct access to the wan2 interface



Yes, of course, if "wan2" is a LAN port there is no need to NAT the traffic.

In your example, the user's host connects to the FGT, autheticates, and receives an IP address from a static range. Then the host connects via RDP (or the RDP client in the web portal) to the server. The host's source address is from the range "SSLVPN_TUNNEL_ADDR1". The target should know how to route traffic to this subnet.


And yes, you're right, no traffic would suggest the policy is dispensable. You will know for sure after looking at the traffic with 'diag debug flow'.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors