Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

configuration VPN SSL

friends a question:
Is it possible to configure a VPN client with the feature that they must browse the Internet with the public IP of the office?
In my FW the SSL VPN is already configured, what I did was create a portal, then create the policy as shown in the image below. But when I test the connection to the VPN I lose my internet

3.jpgScreenshot_2.jpg

 

 

9 REPLIES 9
dbu
Staff
Staff

Hi @unknown1020 
Have you enabled NAT on the firewall policy ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
unknown1020
New Contributor III

Hello, I already enabled the NAT policy and it works on my PC, that is, when I connect I do have internet. One question, how do I know that I am browsing with the office's public IP?

 

Would it be in this option?Screenshot_3.jpg

mpftnt
Staff
Staff

Hi @unknown1020 .

 

If you want to allow internet traffic of users to pass through your office FortiGate, you need to disable split tunneling. You must configure two policies: SSLVPN to Internal Interface and SSLVPN to WAN interface. You may refer to the following links:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disable-split-tunneling-to-specific-groups...

 

Regards,

 

MP

 

unknown1020
New Contributor III

that's OK?

Screenshot_4.jpg

One question, how do I know that I am browsing with the office's public IP?

Would it be in this option?

Screenshot_3.jpg

mpftnt

Hi @unknown1020

 

Basic checks that I would do are the following:

 

1. Check forward traffic logs will show that it matches the policy for SSLVPN to WAN
2. Check whatsmyip from your browser. You should be getting Fortigate's public IP address.
3. Trace route from PC
4. Run sniffer/debug on FortiGate.
5. Check session:

 

diag sys session filter <source IP address>
dia sys session list

 

Regards,

MP

unknown1020
New Contributor III

I ran a test on my PC and managed to connect to the VPN, however other users lost their internet. Why does that happen? Is it a VPN or computer issue?

mpftnt

Hi @unknown1020 .

 

1. Please check the web portal that they are assigned to.

2. Check the policy.

 

Regards,

MP

dbu

You can run on CMD of the Windows :

tracert www.bbc.com 

 

It will list the routing hops you need to traverse to reach the destination. 

You will understand what IP address is used to go out the internet and if this is the required one. 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
hbac

Hi @unknown1020

 

Please make sure you have a firewall policy to allow traffic from ssl.root to your wan interface. 

 

Regards 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors