I can't seem to get this working. I want that if somebody connects to the user SSL VPN via FortiClient, they can connect to any local device, at least by ping, but specifically I want them to connect to the Synology NAS IP, which is 192.168.110.81.
I have added this policy:
```
config firewall policy
    edit 7
        set name "SSLVPN_FortiClient_Outgoing"
        set uuid fb89aba2-f0f5-51ee-81b1-c690350fbb9d
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "MGMT_Device" "MGMT_DEVICE" "SYNOLOGI"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "Server-AV"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "Server-IPS"
        set application-list "default"
        set logtraffic all
        set groups "SSLVPN_USER"
        set nat enable
    next
end
```
but it still seems I can't get it to work.
If I change `set srcintf "ssl.root"` to another local VLAN like 192.168.60.xxx then it works perfectly and they can ping all devices just fine, but for some reason this does not work for FortiClient users.
Do I need to add any other additional config? Any help is appreciated.
For reference, here is what each destination means:
MGMT Device
```
edit "MGMT_Device"
    set uuid 799bdc28-f2c1-51ee-e18a-f410c9f2a87f
    set color 23
    set subnet 192.168.110.0 255.255.255.0
next
```
MGMT Device
```
edit "MGMT_DEVICE"
    set uuid 4762488c-f2c1-51ee-b4a8-82d1736beede
    set associated-interface "internal"
    set color 23
    set subnet 192.168.110.0 255.255.255.0
next
```
SYNOLOGI
```
edit "SYNOLOGI"
    set uuid 464e98ee-4012-51ef-8b30-ef0c39958e80
    set associated-interface "internal"
    set color 16
    set subnet 192.168.110.81 255.255.255.255
next
```
EDIT:
[SOLVED]
Sorry guys, it seems the problem was with my license; it only allows a maximum of 25 users. So I just deleted many old users and it works again now.
If you start a debug/packet capture while the user is connected to the SSL VPN, what do you see in the logs for the traffic?
For testing purposes I would suggest disabling all security profiles like DNS filter, web filter etc., and I would restrict only certain traffic/ports in SERVICES.
Also, as destination addresses you have a duplicate of the subnet; I would disable one or just leave the one with the NAS IP.
NAT is nice, but not mandatory unless you don't have a route/default back to the FGT.
The SSL VPN settings and SSL VPN portal config would be nice to see in order to help more.
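The reply above points at overlapping destination objects and at the profiles, service and NAT settings on the policy. The following Python script is an added example, not code from the thread or from Fortinet: it parses the `edit ... set ... next` CLI blocks in the shape pasted above and lints one policy for exactly those points. The parser and lint rules are this example's own; the sample text is reconstructed from policy 7 and the three address objects in the original post (UUIDs omitted).

```python
"""Lint a FortiOS firewall policy's destination objects for overlaps.

Added example: parses 'edit/set/next' CLI blocks as pasted in the thread
and flags a duplicated destination subnet, service ALL, attached security
profiles and NAT.  Parser and rules are this example's own.
"""
import ipaddress
import shlex

# Constructed from the address objects posted in the thread.
SAMPLE_ADDRESSES = """
config firewall address
    edit "MGMT_Device"
        set subnet 192.168.110.0 255.255.255.0
    next
    edit "MGMT_DEVICE"
        set associated-interface "internal"
        set subnet 192.168.110.0 255.255.255.0
    next
    edit "SYNOLOGI"
        set associated-interface "internal"
        set subnet 192.168.110.81 255.255.255.255
    next
end
"""

# Constructed from policy 7 in the thread (uuid omitted).
SAMPLE_POLICY = """
config firewall policy
    edit 7
        set name "SSLVPN_FortiClient_Outgoing"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "MGMT_Device" "MGMT_DEVICE" "SYNOLOGI"
        set action accept
        set service "ALL"
        set utm-status enable
        set av-profile "Server-AV"
        set webfilter-profile "default"
        set ips-sensor "Server-IPS"
        set groups "SSLVPN_USER"
        set nat enable
    next
end
"""


def parse_entries(text):
    """Return {entry_id: {key: [values]}} for each edit ... next block."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex handles the quoted values
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {"_id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            entries[current["_id"]] = current
            current = None
    return entries


def resolve_networks(addresses):
    """Map address-object name -> ip_network for 'set subnet IP MASK' objects."""
    nets = {}
    for name, entry in addresses.items():
        subnet = entry.get("subnet")
        if subnet and len(subnet) == 2:
            nets[name] = ipaddress.ip_network(f"{subnet[0]}/{subnet[1]}", strict=False)
    return nets


def lint_policy(policy, nets):
    """Return a list of (code, message) findings for one policy entry."""
    findings = []
    dst = policy.get("dstaddr", [])
    resolved = [(n, nets[n]) for n in dst if n in nets]
    # Pairwise check: identical subnets, or one object already inside another.
    for i, (a, net_a) in enumerate(resolved):
        for b, net_b in resolved[i + 1:]:
            if net_a == net_b:
                findings.append(("duplicate-dstaddr", f"{a} and {b} are both {net_a}"))
            elif net_b.subnet_of(net_a):
                findings.append(("redundant-dstaddr", f"{b} ({net_b}) is already inside {a} ({net_a})"))
            elif net_a.subnet_of(net_b):
                findings.append(("redundant-dstaddr", f"{a} ({net_a}) is already inside {b} ({net_b})"))
    for n in dst:
        if n not in nets:
            findings.append(("unresolved-dstaddr", f"{n} has no 'set subnet' definition"))
    if policy.get("service") == ["ALL"]:
        findings.append(("service-all", "service ALL: restrict to the ports the VPN users need"))
    if policy.get("utm-status") == ["enable"]:
        profiles = sorted(k for k in policy if k.endswith(("-profile", "-sensor", "-list")))
        findings.append(("utm-enabled", "profiles attached (" + ", ".join(profiles)
                         + "): disable them while isolating a reachability problem"))
    if policy.get("nat") == ["enable"]:
        findings.append(("nat-enabled", "source NAT on: only needed when the destination "
                         "has no route back to the tunnel range"))
    return findings


def lint_text(policy_text, address_text):
    """Lint every policy in policy_text against the objects in address_text."""
    nets = resolve_networks(parse_entries(address_text))
    return {pid: lint_policy(p, nets) for pid, p in parse_entries(policy_text).items()}


if __name__ == "__main__":
    for pid, findings in lint_text(SAMPLE_POLICY, SAMPLE_ADDRESSES).items():
        print(f"policy {pid}:")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run against the thread's policy 7 it reports that `MGMT_Device` and `MGMT_DEVICE` are the same /24, that `SYNOLOGI` is already inside that /24, and then the service, profile and NAT notes. Paste a real `show firewall policy` and `show firewall address` dump in place of the two sample strings to lint your own box; lines the parser does not know (`config`, `end`, `set color`) are simply carried along or ignored.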
Thanks for the reply. For now I made 2 firewall policies, each with only one IP address:
1. SSLVPN > Server [SERVER_ASCEND = subnet 192.168.110.17 255.255.255.255]
```
set name "SSLVPN > Server"
set uuid fb887b5c-4436-51f0-a768-a37ee1ac460c
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "SERVER_ASCEND"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "Server-AV"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "Server-IPS"
set application-list "default"
set logtraffic all
set groups "SSLVPN_USER"
set comments " (Copy of SSLVPN > Synology)"
set nat enable
```
2. SSLVPN > Synology [Synology_IP = subnet 192.168.110.81 255.255.255.255]
```
set name "SSLVPN > Synology"
set uuid 3edf672e-4434-51f0-17d3-aa436fdc8fcb
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Synology_IP"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "SSLVPN_USER"
set nat enable
```
With the above configuration SSL users can now ping and connect to 110.17, but still can't connect to any IP other than 110.17, like 110.81 or 110.121 or other IP addresses, even though I already put the same firewall policy in place.
Below are my SSL-VPN settings
and below are the SSL-VPN portals
I would double-check that in the SSL VPN settings under Authentication/Portal mapping you have the user group SSLVPN_USER mapped to the portal Okabe_Gallery.
Then, I would make sure that the user that connects to it is part of the group.
Next, after connecting to the VPN I would check that you get the routes installed (`route print -4` in cmd if using Windows); you should see the IP addresses of the objects Admin_Station, SERVER_ASCEND and Synology_IP.