Hi there!
We are installing a new Fortigate 60F. It will be quite a basic configuration, we have 3 VLAN defined in a VLAN switch attached to a L2 switch port in trunk/tagged mode and have created several policy rules to allow traffic between them (working fine). We also have users connecting through SSL VPN (planning for IPsec in the near future), and also created the respective rules to allow traffic from the VPN network segments to the different VLANs.
We are not 100% sure if Fortigate is working as expected or we are missing some rule, since users connecting through SSL VPN can see/access only hosts directly connected to the Fortigate (fortigate as GW) and not all hosts in the VLAN.
Would appreciate if someone could shed some light on this.
Thanks in advance.
BR
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I think all that message means is that the specific flow doesn't match the criteria for your Policy 6 statement.
NAT isn't enabled on these rules is it?
Now that you know traffic is matching a rule and should be forwarded out the right port, are you able to confirm that the client on the L2 switch is/is not receiving the traffic (ie. through packet capture on the client)?
Could be an arp or L2 forwarding issue on the switch.
You could do a 'get system arp', and that should let you know if the FG is seeing clients on the switch.
Maybe arp request/replies are not making it through and that's why only locally connected clients are working.
I'd confirm what the client is seeing on it's nic. It could be a one-way issue of some sort, like packets make it to client, but then responses are not forwarded back.
Also, just to confirm, this is only affecting LAN (vlan 200,220) <-> VPN traffic, correct? LAN (200) <-> LAN (220) (inter-vlan) traffic is all forwarding properly, correct?
Hi @Pittstate.
NAT is not enabled on the SSLVPN - VLAN policies. I posted a few days ago, that if we enable NAT on this rules, we see al devices in the LAN, but somehow (probably NAT issue) internal servers (e.g. Exchange) can't reach Internet.
Regarding the packet capture (device on VLAN 200):
ARP, Request who-has 192.168.200.21 tell 192.168.200.253, length 46
ARP, Reply 192.168.200.21 is-at 00:0c:29:bc:2d:f9 (oui Unknown), length 28
IP 172.120.0.1 > 192.168.200.21: ICMP echo request, id 1, seq 376, length 40
IP 192.168.200.21 > 172.120.0.1: ICMP echo reply, id 1, seq 376, length 40
ICMP packets reach the device and it replies.
This is Fortigate's ARP table:
get system arp
Address Age(min) Hardware Addr Interface
10.1.1.13 0 00:0c:29:e6:b5:1d VLAN Est
10.1.1.2 1 50:c7:bf:82:71:fa VLAN Est
192.168.200.20 0 00:0c:29:8c:53:e0 VLAN Sup
192.168.100.1 0 98:97:d1:03:17:86 wan2
10.1.1.22 4 00:0c:29:6a:58:f5 VLAN Est
192.168.200.21 0 00:0c:29:bc:2d:f9 VLAN Sup
192.168.200.134 0 00:50:56:97:90:2a VLAN Sup
All good here, FG sees al VLANs and devices.
Problem is with the ssl.root interface.
All VLAN are in the same situation. Inter-VLAN is working fine, but "ssl.root-VLANx" or "VLANx-ssl.root" is not. I just posted one as example, but I guess the solution can be applied to all of them.
BR
Traffic was allowed by policy 3. You can enable NAT on the firewall policy and test.
Regards,
Created on 06-26-2024 02:37 AM Edited on 06-26-2024 02:49 AM
Hi @hbac:
NAT on this policies is messing things:
On 21/6 I posted:
Hi again.
We found out that when we configure the policy rule with NAT enabled, we can see al devices in the VLAN Est (not only those connected directly to FG). Same applies to other VLANs.
Surprisingly, with NAT enabled we lost communication to our Exchange server (VLAN Est, not connected to FG). So somehow this rule from ssl.root to VLAN Est is affecting traffic to WAN interface.
Will keep you posted if we find out something else.
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.