I have a firewall fortigate 100D and a local application server 192.168.10.10 when to try to login to the application from the internet sometimes works and sometimes blocked by firewall policy !! how is that !! it should be blocked or allowed but sometimes blocked and sometimes allowed is a very strange , when it is allowed it used one of the policy rules ( Rule ID 5 ) , please let me know the reason for this , many customers complains that they cannot access the application and some of them can access , I checked the logs and can see the traffic is blocked from some customers and allowed for other ??
attach some pictures for the problem
please guide me to the solution .
Thanks again
my question in other words .. Why can I browse my application server from the internet when I use VPN software ( like VPN Express ) and I cannot browse the same server without this VPN connection from the same PC or mobile .
need help
I'm rather confused by the inconsistent behavior you're describing, but I think it's worth pointing out that the destination interface on the screenshots you shared are "ssl.root" so it seems like you have the firewall trying to route that traffic out to an SSL-VPN user instead of the proper interface where the server is located (you didn't mention if it was DMZ or LAN or what). Perhaps you have a policy route that makes it work sometimes?
Hi lobstercreed ,
Thanks for your answer, I noted what you are talking about that the firewall pointing out the destination interface as "SSL.root ", but the way the application server located in LAN and there is no DMZ, the firewall has only two interfaces connected to LAN and WAN.
as I mentioned above the traffic is accepted by the firewall when I'm using any VPN application like VPN Express or Urban VPN from my PC and when I disconnect the VPN then I'm not able to connect to my application and got the same message in the firewall logs, also the policy ID that was blocking the traffic id policy ID = 0 which I think this is the global deny policy which blocking any traffic not mentioned in the rules created.
please check the attached picture.
please give me your opinion, I can send you a screenshot of the firewall rules.
Thanks again...
Well whatever the case, it appears your firewall is trying to route traffic destined for 192.168.10.10 to your SSL VPN and there is no policy allowing that. You should be able to resolve the undesired behavior when you fix your incorrect routing.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.