unknown1020
New Contributor III

configuration VPN SSL

Friends, a question:
Is it possible to configure a VPN client with the feature that they must browse the Internet with the public IP of the office?
In my FW the SSL VPN is already configured. What I did was create a portal, then create the policy as shown in the image below. But when I test the connection to the VPN I lose my internet.

dbu
Staff

Hi @unknown1020
Have you enabled NAT on the firewall policy?

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
unknown1020
New Contributor III

Hello, I already enabled the NAT policy and it works on my PC, that is, when I connect I do have internet. One question, how do I know that I am browsing with the office's public IP?

Would it be in this option?

mpftnt
Staff

Hi @unknown1020.

If you want to allow internet traffic of users to pass through your office FortiGate, you need to disable split tunneling. You must configure two policies: SSLVPN to Internal Interface and SSLVPN to WAN interface. You may refer to the following links:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disable-split-tunneling-to-specific-groups...

Regards,

MP

unknown1020
New Contributor III

Is that OK?

One question, how do I know that I am browsing with the office's public IP?

Would it be in this option?

mpftnt

Hi @unknown1020

Basic checks that I would do are the following:

1. Check that the forward traffic logs show it matches the policy for SSLVPN to WAN.
2. Check whatsmyip from your browser. You should be getting FortiGate's public IP address.
3. Trace route from PC.
4. Run sniffer/debug on FortiGate.
5. Check session:

diag sys session filter src <source IP address>
diag sys session list
Regards,

MP
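
Added example, not part of mpftnt's reply and not Fortinet code: a short Python check for steps 1 and 2 above, run over exported forward traffic logs. It confirms that each SSL VPN client's internet traffic was accepted and source-NATed to the office public IP. The log lines are constructed samples in FortiOS key=value style, and the interface name `wan1`, the IP 203.0.113.10 and the user names are assumptions.

```python
import shlex

# Constructed sample lines in FortiOS key=value traffic-log style (not from the thread).
# 203.0.113.10 stands in for the office public IP, 10.212.134.x for the tunnel pool.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.212.134.200 srcintf="ssl.root" dstip=93.184.216.34 dstintf="wan1" policyid=7 action="accept" trandisp="snat" transip=203.0.113.10 user="alice"
date=2024-01-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.212.134.201 srcintf="ssl.root" dstip=93.184.216.34 dstintf="wan1" policyid=0 action="deny" user="bob"
date=2024-01-01 time=10:00:09 type="traffic" subtype="forward" srcip=10.212.134.202 srcintf="ssl.root" dstip=93.184.216.34 dstintf="wan1" policyid=7 action="accept" trandisp="noop" user="carol"
date=2024-01-01 time=10:00:12 type="traffic" subtype="forward" srcip=192.168.1.50 srcintf="internal" dstip=93.184.216.34 dstintf="wan1" policyid=1 action="accept" trandisp="snat" transip=203.0.113.10
"""


def parse_line(line):
    """Turn one key=value log line (values may be double-quoted) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def check_vpn_egress(log_text, office_ip, vpn_intf="ssl.root", wan_intf="wan1"):
    """Return (user, srcip, verdict) for each tunnel-to-WAN forward log entry."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("srcintf") != vpn_intf or rec.get("dstintf") != wan_intf:
            continue  # not VPN client traffic heading to the internet
        who = (rec.get("user", "?"), rec.get("srcip", "?"))
        if rec.get("action") != "accept":
            # Policy ID 0 is the implicit deny: no ssl.root -> WAN policy matched this user.
            verdict = "blocked by policy %s" % rec.get("policyid", "?")
        elif rec.get("trandisp") != "snat" or rec.get("transip") != office_ip:
            # Accepted, but NAT is off on the policy or translates to another address.
            verdict = "allowed but not NATed to office IP"
        else:
            verdict = "ok"
        results.append(who + (verdict,))
    return results


if __name__ == "__main__":
    for user, srcip, verdict in check_vpn_egress(SAMPLE_LOGS, "203.0.113.10"):
        print(f"{user:8} {srcip:16} {verdict}")
```

A "blocked by policy 0" verdict means the user or group is not covered by the SSLVPN to WAN policy, which fits a case where one client has internet through the tunnel and others lose it.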

unknown1020
New Contributor III

I ran a test on my PC and managed to connect to the VPN, however other users lost their internet. Why does that happen? Is it a VPN or computer issue?

mpftnt

Hi @unknown1020.

1. Please check the web portal that they are assigned to.

2. Check the policy.


Regards,

MP

dbu

You can run this in CMD on Windows:

tracert www.bbc.com

It will list the routing hops you need to traverse to reach the destination.

You will understand what IP address is used to go out to the internet and if this is the required one.

Regards!
hbac

Hi @unknown1020

Please make sure you have a firewall policy to allow traffic from ssl.root to your wan interface.

Regards
