I am looking to configure SSL VPN tunnel for web browsing while traveling on firmware v4.0 MR3 Patch 18. I am able to connect with FortiClient (confirmed in client and SSL-VPN Monitor), but when trying to reach any address (e.g. www.google.com), nothing gets through.
I have configured the following:
1) User Group Allow SSL-VPN Access= full-access (this just selects the web portal, right?) with Member(s) added.
2) Static Route Destination IP/Mask= 10.212.134.0/255.255.255.0 (SSLVPN_TUNNEL_ADDR1) Device= ssl.root
3a) Policy ssl.root -> wan1 Source= sslvpn tunnel interface/SSLVPN_TUNNEL_ADDR1 Destination= wan1/all Action= ACCEPT No NAT
3b) Policy wan1 -> ssl.root Source= wan1/all Destination= sslvpn tunnel interface/SSLVPN_TUNNEL_ADDR1 Action= SSL-VPN User Group= ssl-tunnel
What am I missing? Thank you in advance!
Need a NAT for ssl.root->wan1.
Same results if I "Enable NAT" with "Use Destination Interface Address" (cannot select Use Dynamic IP Pool). No traffic gets through.
It's been a while since we were using 4.3.18 (3 years ago) and SSL VPN config has changed quite a bit with 5.0 then 5.2 so I don't remember well. But I would start debugging with traceroute from the client and sniffing at FG, then eventually flow debugging at FG why it drops if it's reaching the FG. I would guess it's a simple policy or routing issue.
One more important tool I would use is "app debug", or "diag debug app sslvpn -1".
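Added example, not part of any post in this thread: the sniff, flow-debug and SSL VPN daemon debug steps suggested above, written out as FortiGate CLI commands. The tunnel address 10.212.134.200 is an assumed value from the 10.212.134.0/24 pool mentioned in the question; substitute the address shown for the client in SSL-VPN Monitor.

```fortios
# Assumption: the connected FortiClient was assigned 10.212.134.200.
# Run these from the FortiGate CLI while the client pings a public address.

# 1) Sniff ICMP on all interfaces. Verbosity 4 prints the interface name,
#    so you can see whether packets arrive on ssl.root and whether they
#    leave on wan1 (and with which source address, i.e. whether NAT applied).
diagnose sniffer packet any 'icmp' 4

# 2) If packets arrive on ssl.root but never leave wan1, trace the
#    forwarding decision for the client's tunnel address.
diagnose debug reset
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# The trace output names the route lookup result and the policy that
# accepted or denied each packet.

# 3) SSL VPN daemon debug (the command quoted in the post above),
#    useful when nothing from the client shows up in steps 1 and 2.
diagnose debug application sslvpn -1
diagnose debug enable

# 4) Turn everything off again when finished.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```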
Are you trying to use split tunneling where Internet traffic goes out the remote Internet path, or do you want the Internet traffic to pass through the tunnel and out the HQ FGT?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not looking to split tunnel, just pass all internet traffic through tunnel and out HQ FGT.