Greetings to you
My problem in brief:
We have an EMS server with 600 endpoint licenses. My computer is connected to EMS and is getting updates for AV.
I want to use VPN from outside to the company! I created a user in the FortiGate, user1,pass11$$$&^, and I created a policy to allow the VPN to connect!
I tested via browser and it is working,
but from the FortiClient software it will connect to the VPN, but I can't ping any subnet which I added, although I can ping my subnet via the VPN browser.
My question is ----> in the FortiGate 200D device I don't have a license for VPN, but I have a 600-endpoint license in EMS,
and my FortiClient software shows it is registered to EMS, but I'm not able to connect to the VPN! Actually it will connect and I'm getting the alert --> Configuration update was received from FortiGate, but I can't ping the subnet which I added, although I can ping my subnet via the VPN browser!
Thanks
The reason is that in Web Only mode your client does not have an IP assigned from a FortiGate, so your requests are proxied by the FortiGate itself (no routes needed here).
If you use FortiClient, your PC receives an IP assigned from the FortiGate, so you have to configure a route on the FortiGate in order to let the ICMP reply packet be routed back to your PC.
In tunnel mode an assigned IP is implied, so you have to properly configure routing and firewall policies (specifically source subnet) in your FortiGate.
Dear Alby23
Why do I need to add a route, when everything works fine if I'm using the VPN via browser?
I hope you understand my problem
To further understand Alby's reply: when you're using web portal mode and one of the plugins, the FortiGate and one of its addresses is doing the connection.
You can monitor this by launching a plugin from the web portal and monitoring the target's established session table ( netstat -an ) to see what address is being sourced from the firewall.
kenfelix
PCNSE
NSE
StrongSwan
Dear Alby23
I would like to thank you for the efficient solution, as you suggested adding a route for the VPN subnet ......
I just added it and then I was able to reach my subnet ......
Thank you man ... you helped me!
Thanks for your reply Ali, glad to help
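The route and source-subnet policy described in the accepted answer, sketched as FortiOS CLI; this is an added example, not configuration posted by anyone in the thread. It assumes the default tunnel interface `ssl.root` and the default pool object `SSLVPN_TUNNEL_ADDR1` (10.212.134.200-10.212.134.210); the interface `internal`, the address object `LAN_SUBNET` and the group `sslvpn-users` are hypothetical names.

```fortios
# Added example. Assumed: default SSL VPN pool 10.212.134.200-210 on ssl.root.
# Return route: replies to tunnel-mode clients must leave via ssl.root.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

# Policy whose source is the tunnel pool, not "all".
# "internal", "LAN_SUBNET" and "sslvpn-users" are hypothetical names.
config firewall policy
    edit 0
        set name "sslvpn-tunnel-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_SUBNET"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        # Allow only what remote users need rather than "ALL".
        set service "PING" "HTTPS"
        set logtraffic all
    next
end

# Checks: the pool should appear in the routing table via ssl.root, and
# echo requests and replies should both be visible while a client pings.
get router info routing-table all
diagnose sniffer packet any "icmp and net 10.212.134.0/24" 4
```

If the sniffer shows echo requests arriving on `ssl.root` but the replies leaving on another interface or not at all, the return route is the missing piece; if no request is forwarded to the LAN, look at the policy's source address and user group.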