Support Forum
ITAxess
New Contributor

SSL VPN Policy should only permit one service, but allows all

Hi! Maybe I found a bug in my Fortigate 300C, 5.0.5. A VPN user with the VPN IP 10.10.10.2 is able to ping 192.168.1.11 and that should be possible. Here is the debug log:

2014-04-11 04:31:36 id=13 trace_id=127 msg="allocate a new session-12345678"
2014-04-11 04:31:36 id=13 trace_id=127 msg="find a route: gw-192.168.1.11 via port5"
2014-04-11 04:31:36 id=13 trace_id=127 msg="use addr/intf hash, len=7"
2014-04-11 04:31:36 id=13 trace_id=127 msg="find SNAT: IP-192.168.1.1, port-12345"
2014-04-11 04:31:36 id=13 trace_id=127 msg="Allowed by Policy-81: SNAT"
2014-04-11 04:31:36 id=13 trace_id=127 msg="SNAT 10.10.10.2->192.168.1.1:62464"
2014-04-11 04:31:37 id=13 trace_id=128 msg="vd-root received a packet(proto=1, 10.10.10.2:1->192.168.1.11:8) from ssl.root."
2014-04-11 04:31:37 id=13 trace_id=128 msg="Find an existing session, id-12345678, original direction"
2014-04-11 04:31:37 id=13 trace_id=128 msg="enter fast path"

Here is the policy:

edit 81
    set srcintf "port9"
    set dstintf "port5"
    set srcaddr "all"
    set dstaddr "LAN3"
    set action ssl-vpn
    set identity-based enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set groups "GroupXY"
            set service "Costum Service TCP 12345"
            set sslvpn-portal "tunnel-access"
        next
    end
next

The policy should only allow "Costum Service TCP 12345", and nothing else, no ping!!! What's the problem?
rwpatterson
Valued Contributor III

Show us the configuration for the custom service. That may answer the question.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ITAxess
New Contributor

show us the configuration for the custom service. That may answer the question.
Here it is:

edit "Costum Service TCP 12345"
    set tcp-portrange 12345
next
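The thread gives two artifacts worth checking against each other: the debug flow trace (which protocol and destination port the firewall actually accepted under policy 81) and the custom service definition (which protocol and ports the policy is supposed to permit). The following is an added example, not code from the thread or from Fortinet: it parses both, groups flow lines by trace_id, and reports every accepted session whose protocol/port is not described by the services configured on the policy that accepted it. The sample trace and service text are constructed here, modelled on the lines posted above (the ICMP echo and a hypothetical TCP/12345 connection); the policy-to-service mapping is taken from policy 81 as posted. The service parser only understands tcp-portrange/udp-portrange, since that is all the posted service contains.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's debug flow output: the ICMP echo
# (proto=1) from the SSL VPN client, plus a TCP connection to port 12345.
FLOW_TRACE = """\
2014-04-11 04:31:36 id=13 trace_id=127 msg="vd-root received a packet(proto=1, 10.10.10.2:1->192.168.1.11:8) from ssl.root."
2014-04-11 04:31:36 id=13 trace_id=127 msg="allocate a new session-12345678"
2014-04-11 04:31:36 id=13 trace_id=127 msg="Allowed by Policy-81: SNAT"
2014-04-11 04:31:40 id=13 trace_id=129 msg="vd-root received a packet(proto=6, 10.10.10.2:40112->192.168.1.11:12345) from ssl.root."
2014-04-11 04:31:40 id=13 trace_id=129 msg="allocate a new session-12345679"
2014-04-11 04:31:40 id=13 trace_id=129 msg="Allowed by Policy-81: SNAT"
"""

# The custom service exactly as posted in the thread (a tcp-portrange only).
SERVICE_CONFIG = """\
edit "Costum Service TCP 12345"
    set tcp-portrange 12345
next
"""

# Policy id -> service names it is configured to permit (from policy 81 above).
POLICY_SERVICES = {81: ["Costum Service TCP 12345"]}

PACKET_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
TRACE_RE = re.compile(r'trace_id=(\d+)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_services(text):
    """Parse 'edit <name>' / 'set tcp|udp-portrange LO[-HI]' blocks into {name: {(proto, lo, hi)}}."""
    services, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            name = m.group(1)
            services[name] = set()
            continue
        m = re.match(r'set (tcp|udp)-portrange (\d+)(?:-(\d+))?', line)
        if m and name is not None:
            lo = int(m.group(2))
            hi = int(m.group(3) or lo)
            services[name].add((m.group(1), lo, hi))
        # ICMP would need a 'set protocol ICMP' line; this parser never adds it,
        # so a portrange-only service can never cover a ping.
        if line == "next":
            name = None
    return services


def service_covers(ranges, proto, dport):
    """True if any (proto, lo, hi) range in the service matches the observed packet."""
    return any(p == proto and lo <= dport <= hi for p, lo, hi in ranges)


def audit_flow(trace, services, policy_services):
    """Return (trace_id, policy, proto, dport, covered) for each accepted session in the trace."""
    per_trace = defaultdict(dict)
    for line in trace.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        tid = int(t.group(1))
        p = PACKET_RE.search(line)
        if p:
            per_trace[tid]["proto"] = int(p.group(1))
            per_trace[tid]["dport"] = int(p.group(5))
        a = POLICY_RE.search(line)
        if a:
            per_trace[tid]["policy"] = int(a.group(1))
    findings = []
    for tid, info in sorted(per_trace.items()):
        if "policy" not in info or "proto" not in info:
            continue  # trace lacks either the packet line or the accept verdict
        proto = PROTO_NAMES.get(info["proto"], str(info["proto"]))
        names = [n for n in policy_services.get(info["policy"], []) if n in services]
        covered = any(service_covers(services[n], proto, info["dport"]) for n in names)
        findings.append((tid, info["policy"], proto, info["dport"], covered))
    return findings


def uncovered(trace=FLOW_TRACE, service_cfg=SERVICE_CONFIG, policy_services=POLICY_SERVICES):
    """Sessions the firewall accepted under a policy whose configured services do not describe the traffic."""
    services = parse_services(service_cfg)
    return [f for f in audit_flow(trace, services, policy_services) if not f[4]]


if __name__ == "__main__":
    for tid, pol, proto, dport, _ in uncovered():
        print(f"trace {tid}: policy {pol} accepted {proto}/{dport}, not covered by its configured services")
```

Run against the sample, the ICMP session (trace 127) is reported because the only service on policy 81 is a TCP port range, while the TCP/12345 session (trace 129) is covered and stays quiet. In practice the same check is useful for diffing what a policy is believed to permit against what "diagnose debug flow" shows it accepting.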