Not applicable

ssl.root interface

I am using version 3 MR 6 on a Fortigate 200 A and am trying to set up SSL VPN. From reading the document for MR6, they mention a new interface ssl.root. Do I need to configure the firewall policies for ssl.root to get SSL VPN working?
rwpatterson
Valued Contributor III

Yes you do. The flow is as follows:
- policy from outside to ssl.root
- policy from ssl.root to inside entity
- static route back to ssl.root for SSL user group IP range
Good luck

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


I have followed the above document for SSL VPN for setting the interfaces for ssl.root to get SSL VPN working but it does not work. When I browse to https://<fortigate IP>:10443/remote, I get "page cannot be displayed". The wan1 interface is 217.154.171.2, the internal subnet is 172.16.0.0/21 and the SSL IP Range is 172.16.1.[240-254].

I have enabled SSL VPN through VPN, SSL. Set the Tunnel IP Range. Set the certificate to self-signed. Set the local user accounts. Set the user group and enabled it for SSL_VPN Tunnel service. Added the local user account to the user group.

I created the following firewall policies:
- internal > ssl.root: internal subnet > SSL IP Range
- ssl.root > internal: SSL_IP_Range > all
- ssl.root > wan1: ssl_IP_Range > all
- wan1 > internal: All > internal Subnet, Action: SSL_VPN, Allowed: User Group

Also tried with and without the below policy:
- wan1 > internal: SSL_IP > internal Subnet, Action: SSL_VPN

When we browse to https://<fortigate IP>:10443/remote we get "page cannot be displayed". We have tried for 2/3 weeks to get this solved but we have had no luck. Are you please able to help?
Not applicable

I forgot to mention that I have set up the static route as well: destination network is the internal subnet and destination interface is ssl.root.
laf
New Contributor II

Did you try to look for 10443 on the equipment? Use this:
diag sniffer packet <interface you want to sniff> "tcp port 10443"
Tell us what you found.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
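The sniffer command above shows whether the FortiGate ever sees traffic for port 10443. The matching check from the client side, as an added example that is not part of this thread and not Fortinet's code, is a small Python probe that separates "no TCP listener answered" from "TCP connected but the TLS handshake failed" from "TLS handshake completed". A "page cannot be displayed" error in the browser collapses all three into one message, while the probe result tells you whether to look at routing and policy (no TCP answer) or at the portal's TLS/certificate setup (TCP answers, TLS fails). The host, port and the local stand-in listeners are assumptions constructed for the example; point `probe_portal` at the real WAN address to use it.

```python
"""Client-side reachability probe for an SSL VPN portal (added example).

probe_portal() returns one of three labels:
  "tcp_unreachable" - no TCP listener answered (connection refused or timeout)
  "tls_failed"      - TCP connected, but the TLS handshake did not complete
  "tls_ok"          - TLS handshake completed; a self-signed portal certificate
                      is accepted because this probe checks reachability, not trust
"""
import socket
import ssl
import threading


def probe_portal(host: str, port: int = 10443, timeout: float = 3.0) -> str:
    """Connect to host:port and attempt a TLS handshake; classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, timed out, or no route: nothing is answering on that port.
        return "tcp_unreachable"

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate verification is disabled on purpose: the question is
    # "is a TLS listener there at all", not "is its certificate trusted".
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() performs the handshake immediately on a connected socket.
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except OSError:
        # ssl.SSLError is a subclass of OSError; covers "wrong version number",
        # unexpected EOF and connection resets during the handshake.
        return "tls_failed"
    finally:
        sock.close()


def serve_plain_http_once(payload: bytes = b"HTTP/1.0 200 OK\r\n\r\n") -> int:
    """Constructed stand-in for a listener that is not speaking TLS: a plain TCP
    server on 127.0.0.1 (ephemeral port) that answers one connection with
    non-TLS bytes and exits. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        try:
            conn.sendall(payload)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_local_port() -> int:
    """Constructed: bind and release an ephemeral port so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Two constructed local cases; replace with the FortiGate WAN address to use for real.
    print("closed port   :", probe_portal("127.0.0.1", unused_local_port()))
    print("non-TLS listener:", probe_portal("127.0.0.1", serve_plain_http_once()))
```

Run it from a client on the outside of the wan1 interface; "tcp_unreachable" against the real address means the request is not reaching a listener on 10443 and the sniffer output on the FortiGate will show whether the SYN arrives at all.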
