Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
petertalen
New Contributor II

Created on ‎04-04-2023 02:53 AM

Is this possible?

Hi,

 

I want to connect thru the Fortinet Client (sslvpn) on my iPhone and direct all traffic thru the Fortinet 60E to the Internet. Is this possible? If so, is there somewhere a working example? The manual is not quite clear in this.

 

Thanks,

Peter.

Labels:
3643
0 Kudos
1 Solution
Yurisk
SuperUser
SuperUser
In response to petertalen

Created on ‎04-06-2023 07:59 AM

Config looks fine.  Worth enabling All Sessions log on the rule ssl.root -> wan1 to see if everything passes as expected and NAT is being done as well. Another thing to check is DNS - may be your resolving does not work with current config, worth setting Specify and say 8.8.8.8 .  If all this of no help, next is doing sniffer on FGT diagnose sni pa any 'host <IP of server on the Internet you are trying to reach>' 4, to see if packets are leaving via wan1. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

View solution in original post

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
3572
15 REPLIES 15
Yurisk
SuperUser
SuperUser

Created on ‎04-04-2023 04:41 AM

Hi, yes, that’s possible 

  • do NOT enable Split Tunnel in VPN Settings
  • Create security rule:

src int: ssl.root

dst int: the one connecting your fortigate to internet 

src addr: you vpn pool

dst addr: all

service: all

nat: enable

 

i dont have example at hand. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
2766
0 Kudos
petertalen
New Contributor II

Created on ‎04-04-2023 07:39 AM

Thanks @Yurisk , I have done that, I am able to see the Fortinet login page and do a login over VPN from the Internet, but I am not able to surf from the VPN on my iphone to the Fortinet back to the Internet. In the forward traffic, I do only see accepted traffic, but nothing in Chrome on my iphone and it times out. Any clue?

2761
0 Kudos
gfleming
Staff
Staff
In response to petertalen

Created on ‎04-05-2023 09:56 PM

Just to confirm are you using the FortiClient VPN app on your phone or are you connecting to the Web SSL portal using a browser?

Cheers,
Graham
2733
0 Kudos
petertalen
New Contributor II
In response to gfleming

Created on ‎04-06-2023 12:29 AM

Thanks @gfleming, I didn't test it like this and it is working via the browser. However I am looking for another option, because I want to have all traffic from my phone thru the vpn, so network traffic from an app (not a browser :) ) is also going thru the vpn. Is this possible?

2731
0 Kudos
Yurisk
SuperUser
SuperUser
In response to petertalen

Created on ‎04-06-2023 01:33 AM

You will need to make sure that your user/group on the Fortigate is mapped to the Full Tunnel Mode portal in VPN SSL Settings. Then you should connect with the FortiClient (not via browser to the Web portal), and after establishing connection with Forticlient, all your traffic (browser or not) will be routed via VPN to the Fortigate. https://docs.fortinet.com/document/forticlient/7.0.0/ios-administration-guide/812478/running-forticl... 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
2725
0 Kudos
petertalen
New Contributor II
In response to Yurisk

Created on ‎04-06-2023 05:58 AM

Hi @Yurisk , thanks again and thanks for your patience. I have exactly done as you stated, but there is no traffic in the browser (just a site). As soon as I disconnect the vpn, the site is responsive. Below are some screenprints, could you please take a look at it if these settings are ok? Thanks.1.png2.png3.png

2720
0 Kudos
Yurisk
SuperUser
SuperUser
In response to petertalen

Created on ‎04-06-2023 07:59 AM

Config looks fine.  Worth enabling All Sessions log on the rule ssl.root -> wan1 to see if everything passes as expected and NAT is being done as well. Another thing to check is DNS - may be your resolving does not work with current config, worth setting Specify and say 8.8.8.8 .  If all this of no help, next is doing sniffer on FGT diagnose sni pa any 'host <IP of server on the Internet you are trying to reach>' 4, to see if packets are leaving via wan1. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
3573
petertalen
New Contributor II
In response to Yurisk

Created on ‎04-06-2023 08:54 AM

You are the best, added DNS and it is working. So simple, too simple :-).  Thanks for the excellent help! 

2700
Yurisk
SuperUser
SuperUser
In response to petertalen

Created on ‎04-06-2023 08:57 AM

Glad to be of any help.

https://www.cyberciti.biz/humour/a-haiku-about-dns/: 

Its-not-DNS.-There-is-no-wayits-DNS.-It-was-DNS

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
2697
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.