SecurityPlus
Contributor II

SSL VPN Being Blocked as Newly Observed Domains

For some reason we could not establish an SSL VPN to other FortiGate firewalls when behind a FortiGate 60F, FortiOS 6.0.9. We are using FortiClient to initiate the VPN connection. The FortiClient response when trying to make the VPN connection was: "Warning. Unable to establish the VPN connection. The VPN server may be unreachable. (14)". When reviewing the 60F logs in FortiView, under Traffic From LAN/DMZ / Threats, I noticed a listing of a threat with the Category "Newly Observed Domain". This appears to be from the attempted SSL VPN connection. I set the Web Filter and DNS Filter Security Profiles from Block Newly Observed Domains to Allow Newly Observed Domains. Now we can make SSL VPN connections from behind the FortiGate 60F. I don't recall having to set the Web Filter and DNS Filter this way to allow SSL VPN connections before. The addresses we are trying to VPN in to are public IP addresses, and are not domain names. This blockage happened with numerous SSL VPN connection addresses. Is there something that I am missing that Web Filter and DNS Filter Security Profiles would block VPN connections to public IP addresses?

TecnetRuss
Contributor

To me that sounds like the Web Filter and DNS Filter are doing what they're supposed to. To avoid this I usually try to point a real DNS name to the public IP and connect the FortiClient to the DNS name rather than the public IP directly.


Rather than loosen your Web Filter and DNS Filter security profiles, what you might want to do on the 60F is create a separate LAN to WAN policy with only these public IPs as the destination, with no Web or DNS filtering applied, and move that policy above the policy that this HTTPS traffic usually hits.


Russ

NSE7

emnoc
Esteemed Contributor III

Correct


1st matching rule, so make an exception rule as required, or put a real FQDN on the vpn-gw and trust that in your webfilter.


Ken Felix

PCNSE 

NSE 

StrongSwan  

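The exception-policy approach both replies describe, written out as an added FortiOS 6.0 CLI example (not from either poster or from Fortinet). It assumes the LAN interface is "internal", the WAN interface is "wan1", the remote SSL VPN gateway answers on TCP 443 (use a custom service if it listens on 10443), and the gateway address 203.0.113.10 is a constructed placeholder; the existing policy being bypassed is assumed to be ID 1.

```fortios
# Constructed example: a narrow LAN-to-WAN policy for the remote SSL VPN
# gateway with no UTM profiles, placed above the general web policy so
# the Web Filter / DNS Filter "Newly Observed Domain" verdict never applies.

# 1. One address object per remote VPN gateway (host /32).
config firewall address
    edit "sslvpn-gw-branch1"
        set subnet 203.0.113.10 255.255.255.255
        set comment "Remote FortiGate SSL VPN gateway (placeholder IP)"
    next
end

# 2. Exception policy: only the VPN gateway as destination, only the
#    VPN port, UTM disabled so no web/DNS filter profile is evaluated.
#    'edit 0' lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "LAN-to-SSLVPN-gateways"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "sslvpn-gw-branch1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status disable
        set logtraffic all
        set nat enable
        set comments "Bypass web/DNS filter only for known VPN gateways"
    next
end

# 3. Move the new policy above the general LAN-to-WAN policy (ID 1 assumed).
#    Replace <new-id> with the ID shown by 'show firewall policy'.
config firewall policy
    move <new-id> before 1
end

# 4. Verify order and that the exception is the first match for this flow.
show firewall policy
diagnose firewall iprope lookup 192.168.1.50 40000 203.0.113.10 443 tcp internal
```

Keeping the destination list to the specific gateways and leaving logging on means the general policy keeps its filtering for everything else, and the traffic log still records each VPN attempt.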