I'm configuring an SSL VPN tunnel with an IPS sensor enabled on its policy.
The IPS sensor only monitors everything.
The remote user can connect to the SSL VPN, but cannot reach the server behind the SSL VPN.
Everything works fine if I remove the IPS sensor.
Can somebody help me and tell me what I have to do to make it work as intended?
Or is the SSL VPN policy not supposed to have an IPS sensor enabled?
So it works without the IPS profile activated in the policy?
When the IPS profile is active, do you see any logs in the:
In the IPS sensor configuration, do you have the signature action set to "Default", or changed to "Monitor"?
You can try to do:
I think this should be enough for you to get an idea of what's going on behind the scenes and retrieve more information that can lead to resolving the problem.
Yes, it works without the IPS profile activated.
There is no IPS log for the related policy.
All signatures are changed to monitor.
This is the debug log:
id=20085 trace_id=21 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=0."
id=20085 trace_id=21 func=init_ip_session_common line=5771 msg="allocate a new session-c29e00c6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-zzz.zzz.zz.z via port32"
id=20085 trace_id=21 func=fw_forward_handler line=781 msg="Allowed by Policy-208: SNAT"
id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=22 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5686 msg="Find an existing session, id-c29e00c6, original direction"
id=20085 trace_id=22 func=npu_handle_session44 line=1139 msg="Trying to offloading session from ssl.VPN to port32, skb.npu_flag=00000000 ses.state=01003204 ses.npu_state=0x00041008"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=396 msg="state=01003204, state2=00000001, npu_state=00041008"
The rest of the debug log is just a repetition of the 4 lines of trace_id 22.
From the debug log, the packet already finds its route and is allowed by the policy.
But from Log & Report > Forward Traffic, the packet is blocked by policy 0, which means there is no matching policy.
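The debug flow trace above is easier to read once it is split back into records and grouped by trace_id (one trace per packet). The following Python script is an added example for this thread, not Fortinet code; it assumes only the record layout visible in the post (id=... trace_id=... func=... line=... msg="...", which copy/paste often runs together on one line) and embeds a constructed sample modelled on that trace with the same placeholder addresses. It pulls out, per packet, the session id, the route decision, the policy that allowed it, whether it was handed to IPS, and whether NPU offload was attempted, so the point where the trace stops being informative is explicit rather than buried in the text.

```python
"""Summarise a FortiGate 'diagnose debug flow' trace per packet.

Added example for this thread (not Fortinet's code). Assumes the record layout
seen in the post and nothing else about the device.
"""
import re
from collections import OrderedDict

# Constructed sample: modelled on the trace posted in the thread. Addresses are
# placeholders; session and policy numbers are the ones shown in the post.
SAMPLE_TRACE = (
    'id=20085 trace_id=21 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a '
    'packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, '
    'id=45079, seq=0."'
    'id=20085 trace_id=21 func=init_ip_session_common line=5771 msg="allocate a new session-c29e00c6"'
    'id=20085 trace_id=21 func=vf_ip_route_input_common line=2598 msg="find a route: '
    'flag=04000000 gw-zzz.zzz.zz.z via port32"'
    'id=20085 trace_id=21 func=fw_forward_handler line=781 msg="Allowed by Policy-208: SNAT"'
    'id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"'
    'id=20085 trace_id=22 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a '
    'packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, '
    'id=45079, seq=1."'
    'id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5686 msg="Find an existing session, '
    'id-c29e00c6, original direction"'
    'id=20085 trace_id=22 func=npu_handle_session44 line=1139 msg="Trying to offloading session '
    'from ssl.VPN to port32, skb.npu_flag=00000000 ses.state=01003204 ses.npu_state=0x00041008"'
    'id=20085 trace_id=22 func=fw_forward_dirty_handler line=396 msg="state=01003204, '
    'state2=00000001, npu_state=00041008"'
)

# One record = id, trace_id, func, line, quoted msg. The msg never contains a
# double quote in this format, so [^"]* is enough and records may run together.
RECORD_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')


def parse_trace(text):
    """Return one dict per record, whether records are on separate lines or run together."""
    return [
        {"id": int(m.group(1)), "trace_id": int(m.group(2)), "func": m.group(3),
         "line": int(m.group(4)), "msg": m.group(5)}
        for m in RECORD_RE.finditer(text)
    ]


def summarize(records):
    """Group records by trace_id (one trace per packet) and extract the decisions that matter."""
    traces = OrderedDict()
    for r in records:
        t = traces.setdefault(r["trace_id"], {
            "session": None, "route_via": None, "policy": None,
            "sent_to_ips": False, "offload_attempted": False, "funcs": [],
        })
        t["funcs"].append(r["func"])
        msg = r["msg"]
        # "allocate a new session-<id>" on the first packet, "session, id-<id>" afterwards
        m = re.search(r"session(?:-|, id-)([0-9a-f]+)", msg)
        if m:
            t["session"] = m.group(1)
        m = re.search(r"find a route: .*via (\S+)", msg)
        if m:
            t["route_via"] = m.group(1)
        m = re.search(r"Allowed by Policy-(\d+)", msg)
        if m:
            t["policy"] = int(m.group(1))
        if msg == "send to ips":
            t["sent_to_ips"] = True
        if r["func"].startswith("npu_handle_session") and "offload" in msg:
            t["offload_attempted"] = True
    return traces


def findings(traces):
    """Turn the per-trace summary into plain statements a troubleshooter can act on."""
    out = []
    for tid, t in traces.items():
        if t["policy"] is not None and t["sent_to_ips"]:
            out.append(f"trace {tid}: allowed by policy {t['policy']} and handed to IPS; "
                       "no IPS verdict appears in this trace")
        if t["offload_attempted"]:
            out.append(f"trace {tid}: NPU offload attempted for session {t['session']}; "
                       "once offloaded, later packets bypass the CPU and leave no debug flow records")
    return out


if __name__ == "__main__":
    summary = summarize(parse_trace(SAMPLE_TRACE))
    for tid, t in summary.items():
        print(tid, t["session"], t["route_via"], t["policy"], t["sent_to_ips"], t["offload_attempted"])
    for line in findings(summary):
        print(line)
```

Run against the sample, trace 21 shows the first ICMP packet allowed by policy 208 and handed to IPS with nothing after that, and trace 22 shows the second packet matching the existing session and an NPU offload attempt. That is consistent with the symptom described: the flow trace records the policy allow, but whatever happens in the IPS path or after offload is not visible here, which is why the later reply in the thread points at hardware acceleration as the thing to switch off while debugging.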
In the SSL VPN policy, which SSL inspection mode do you have?
I'm using the SSL inspection profile certificate-inspection, the default one from FortiGate.
When using this SSL inspection profile in the policy without IPS enabled, the SSL VPN still works as expected.
OK, do you have any hardware acceleration active?
These 2 values were found in config ips global.
Does it mean hardware acceleration is active?
Sorry, I'm new to this. I don't know much about FortiGate.
It's OK, no need to apologize, we are here to help and learn together.
Yes, hardware acceleration is activated. It's good for performance but bad for debugging, since you offload traffic to other processors and won't see anything in the debug.
So these two links will give you more information:
To have more information in the debug, you should disable both, but be careful about whether this is in production or not, and the impact it might have.