Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Roman_Gelfand
New Contributor

Created on ‎05-15-2012 12:56 PM

ssl-web-deny

the firewall is fortigate 50b My topology is as follows... 1. Virtual vlan 500 (internal interface) 192.168.15.0/24 network 2. Virtual vlan 550 (internal interface) 192.168.20.0/24 network I gave the rules and policies to vlan 500 as vlan 550. When I try to ssh to any machine in vlan 500, I am successful. However, when I try to ssh a machine in vlan 550, I get ssl-web-deny and SSL web application blocked. BTW... I could ssh to any machine from vlan 500 to any machine on vlan550. Also, when sshing from ssl-web portal to vlan 500, the source ip is that of vlan 500' s gateway on fortige. I am not sure what I am missing. Any help is appreciated.
5550
0 Kudos
6 REPLIES 6
rwpatterson
Valued Contributor III

Created on ‎05-15-2012 01:31 PM

What are you policies as far as SSL-VPN -> VLAN?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3634
0 Kudos
Roman_Gelfand
New Contributor

Created on ‎05-15-2012 01:59 PM

Thanks for the help. edit 15 set srcintf " wan2" set dstintf " VOIP" set srcaddr " ALL" set dstaddr " VOIP Lan" set action ssl-vpn set identity-based enable config identity-based-policy edit 1 set schedule " always" set groups " admin_SSL" set service " ANY" next end next
3635
0 Kudos
rwpatterson
Valued Contributor III
In response to Roman_Gelfand

Created on ‎05-15-2012 07:22 PM

Well, is ' VOIP' interface VLAN 500 or VLAN 550 (or both)? Does " VOIP Lan" contain both subnets?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3635
0 Kudos
Roman_Gelfand
New Contributor
In response to rwpatterson

Created on ‎05-16-2012 10:46 AM

ORIGINAL: rwpatterson Well, is ' VOIP' interface VLAN 500 or VLAN 550 (or both)? Does " VOIP Lan" contain both subnets?
This is only VLAN 550 and VOIP lan is only VLAN 550 subnet. I have the same policy preceeding it except there it is VLAN 500 and virtual interface DATA. Thanks
3635
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎05-15-2012 11:22 PM

set identity-based enable
How do you authenticate prior to connecting to the SSL VPN portal??
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3635
0 Kudos
Roman_Gelfand
New Contributor
In response to ede_pfau

Created on ‎05-16-2012 10:42 AM

ORIGINAL: ede_pfau
set identity-based enable
How do you authenticate prior to connecting to the SSL VPN portal??
I login as a user belonging to admin_SSL group.
3635
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.