Friends good day a question.
I am trying to access a destination IP from the SSL VPN, however I have no response.
The segment and the destination IP have been added to the policy and I still cannot access it.
When I PING the destination IP from the firewall, I do get a response.
Performing a debug, it was observed that it is matching the ID0 policy (denial policy) when trying to access the destination IP.
msg="Denied by forward policy check (policy 0)"
However, I have access to other IPs on the same segment but I do not have access to this IP.
In addition, a static route for the segment has been created for a long time.
What could be happening?
Could you please help me.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @unknown1020
Please check do you have split tunneling enabled in the sslvpn portal, if yes, make sure destination IP and subnet is added in routing address override on the portal configuration.
Also make sure you can access destination IP from your internal network.
If you can not access this IP from your internal network, you will not be able to access it using VPN.
Greetings,
Since, you're seeing the traffic coming to Fortigate but getting denied via policy id 0, I would recommend to check whether proper user group is added in policy or not. also, please check source and destination interface and subnets/services.
Greeting,
1.Policy works from top to bottom.
2. First check the source interface should be sslvpn interface.
3.To find the destination interface for the Ip that you are trying to reach-:
get router info routing-table details x.x.x.x(destination ip)
4. If the destination interface in the policy is same as you are getting from previous commands. then let's move to 5th step.
5. Then check the group you have added in the source of the policy it should have that user. or you should have a user in the source of the policy. (user has preference as compared to group in the policies)
6. If all of the above is correct so, then please put your policy on the top just to see if now it's working.
if it's working may be there is some another policy blocking the traffic.
7.Also check the portal that your user is having under sslvpn setting. check if that portal has the ip in the routing address override.
8. Also, if all the above is correct please captured the packet to see what happing on FortiGate-:
diag sniffer packet any "host x.x.x.x and host x.x.x.x and icmp" 4 0 l
x.x.x.x = source ip
x.x.x.x = destination ip
9. also if the traffic is not for ping, then remove icmp from the sniifer and if the traffic is like for some specific port, then do sniffer like this-:
diag sniffer packet any "host x.x.x.x and host x.x.x.x and port 443" 4 0 l
Please share the firewall policy config and output of the following command
get router info routing-table details DESTINATION_IP
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.