Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Roman_Gelfand
New Contributor

ssl-web-deny

the firewall is fortigate 50b My topology is as follows... 1. Virtual vlan 500 (internal interface) 192.168.15.0/24 network 2. Virtual vlan 550 (internal interface) 192.168.20.0/24 network I gave the rules and policies to vlan 500 as vlan 550. When I try to ssh to any machine in vlan 500, I am successful. However, when I try to ssh a machine in vlan 550, I get ssl-web-deny and SSL web application blocked. BTW... I could ssh to any machine from vlan 500 to any machine on vlan550. Also, when sshing from ssl-web portal to vlan 500, the source ip is that of vlan 500' s gateway on fortige. I am not sure what I am missing. Any help is appreciated.
6 REPLIES 6
rwpatterson
Valued Contributor III

What are you policies as far as SSL-VPN -> VLAN?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Roman_Gelfand
New Contributor

Thanks for the help. edit 15 set srcintf " wan2" set dstintf " VOIP" set srcaddr " ALL" set dstaddr " VOIP Lan" set action ssl-vpn set identity-based enable config identity-based-policy edit 1 set schedule " always" set groups " admin_SSL" set service " ANY" next end next
rwpatterson
Valued Contributor III

Well, is ' VOIP' interface VLAN 500 or VLAN 550 (or both)? Does " VOIP Lan" contain both subnets?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Roman_Gelfand

ORIGINAL: rwpatterson Well, is ' VOIP' interface VLAN 500 or VLAN 550 (or both)? Does " VOIP Lan" contain both subnets?
This is only VLAN 550 and VOIP lan is only VLAN 550 subnet. I have the same policy preceeding it except there it is VLAN 500 and virtual interface DATA. Thanks
ede_pfau
SuperUser
SuperUser

set identity-based enable
How do you authenticate prior to connecting to the SSL VPN portal??
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Roman_Gelfand

ORIGINAL: ede_pfau
set identity-based enable
How do you authenticate prior to connecting to the SSL VPN portal??
I login as a user belonging to admin_SSL group.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors