Support Forum
nai
New Contributor

SSL VPN Policy with IPS Sensor not working

Hi,

I'm configuring an SSL VPN tunnel with an IPS sensor enabled on its policy.

The IPS sensor only monitors everything.

The remote user can connect to the SSL VPN, but cannot reach the server behind the SSL VPN.

Everything works fine if I remove the IPS sensor.

Can somebody help me and tell what I have to do to make it work as intended?

Or is the SSL VPN policy not supposed to have an IPS sensor enabled?

 

Vando_Pereira

Hello Nai,

 

So it works without the IPS profile activated in the policy?

When the IPS profile is active, do you see any logs in the:

  • Log & Report > Intrusion Prevention?

In the IPS sensor configuration, do you have the signature action set to "Default", or changed to "Monitor"?

 

You can try to do:

  • diag debug flow filter saddr <remote_user_ip>
  • diag debug flow trace start 10 (or a bigger number so you can see what's happening)
  • diag debug enable -> to activate the debug.

I think this should be enough for you to get an idea of what's going on behind the scenes and to retrieve more information that can lead to the resolution of the problem.

 

Best regards.

As you think, so shall you become.
nai
New Contributor

Yes, it works without the IPS profile activated.

There is no IPS log for the related policy.

All signatures are changed to monitor.

 

This is the debug log:

id=20085 trace_id=21 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=0."
id=20085 trace_id=21 func=init_ip_session_common line=5771 msg="allocate a new session-c29e00c6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-zzz.zzz.zz.z via port32"
id=20085 trace_id=21 func=fw_forward_handler line=781 msg="Allowed by Policy-208: SNAT"
id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=22 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5686 msg="Find an existing session, id-c29e00c6, original direction"
id=20085 trace_id=22 func=npu_handle_session44 line=1139 msg="Trying to offloading session from ssl.VPN to port32, skb.npu_flag=00000000 ses.state=01003204 ses.npu_state=0x00041008"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=396 msg="state=01003204, state2=00000001, npu_state=00041008"

The rest of the debug log is just a repetition of the 4 lines of trace_id 22.

From the debug log, the packet already finds its route and is allowed by policy.

 

But from Log & Report > Forward Traffic, the packet is blocked by policy 0, which means there is no matching policy.
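The debug flow output posted above is easier to read once the records are grouped by trace_id and reduced to the facts that matter for triage: which interface the packet arrived on, whether a new or existing session was matched, which route and policy it hit, whether it was handed to IPS, and whether an NPU offload was attempted. The following parser is an added example for this thread, not code from the poster or from Fortinet; it uses the debug flow lines quoted above as constructed sample input (with the poster's redacted xxx/yyy/zzz addresses left as posted) and assumes the message wordings shown in the thread, plus the "Denied by" prefix FortiOS prints for policy denials, which does not occur in this sample.

```python
"""Group FortiGate `diagnose debug flow` output by trace_id and summarise each packet's path."""
import re

# Constructed sample input: the debug flow lines posted in this thread, with the
# poster's redacted addresses (xxx/yyy/zzz) left exactly as posted.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=21 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=0."
id=20085 trace_id=21 func=init_ip_session_common line=5771 msg="allocate a new session-c29e00c6"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-zzz.zzz.zz.z via port32"
id=20085 trace_id=21 func=fw_forward_handler line=781 msg="Allowed by Policy-208: SNAT"
id=20085 trace_id=21 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=22 func=print_pkt_detail line=5605 msg="vd-VPN:0 received a packet(proto=1, xxx.xxx.x.x:45079->yyy.yyy.y.y:2048) from ssl.VPN. type=8, code=0, id=45079, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5686 msg="Find an existing session, id-c29e00c6, original direction"
id=20085 trace_id=22 func=npu_handle_session44 line=1139 msg="Trying to offloading session from ssl.VPN to port32, skb.npu_flag=00000000 ses.state=01003204 ses.npu_state=0x00041008"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=396 msg="state=01003204, state2=00000001, npu_state=00041008"
"""

# One debug flow record: id=<n> trace_id=<n> func=<name> line=<n> msg="<text>"
RECORD_RE = re.compile(
    r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
PACKET_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.(?:\s|$)")
ROUTE_RE = re.compile(r"find a route: .*?gw-(\S+) via (\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_debug_flow(text):
    """Return {trace_id: [(func, msg), ...]} in the order the traces first appear."""
    traces = {}
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:  # skip prompts, blank lines and anything that is not a flow record
            continue
        traces.setdefault(int(m["trace"]), []).append((m["func"], m["msg"]))
    return traces


def summarize_trace(events):
    """Reduce one trace's records to the facts a triage needs."""
    s = {"proto": None, "src": None, "dst": None, "in_intf": None, "out_intf": None,
         "gateway": None, "policy": None, "new_session": False, "existing_session": False,
         "sent_to_ips": False, "offload_attempted": False, "denied": False}
    for func, msg in events:
        if m := PACKET_RE.search(msg):
            s["proto"], s["src"], s["dst"], s["in_intf"] = int(m[1]), m[2], m[3], m[4]
        elif func == "init_ip_session_common":
            s["new_session"] = True
        elif msg.startswith("Find an existing session"):
            s["existing_session"] = True
        elif m := ROUTE_RE.search(msg):
            s["gateway"], s["out_intf"] = m[1], m[2]
        elif m := ALLOW_RE.search(msg):
            s["policy"] = int(m[1])
        elif func == "ids_receive" or msg == "send to ips":
            s["sent_to_ips"] = True
        elif "offloading session" in msg:
            s["offload_attempted"] = True
        elif "Denied by" in msg:  # assumption: FortiOS policy denials start with "Denied by"; absent in the sample
            s["denied"] = True
    return s


def explain(s):
    """Plain-language notes on what one trace does and does not prove."""
    notes = []
    if s["policy"] is not None:
        notes.append(f"matched policy {s['policy']} and was routed out {s['out_intf']} via gw {s['gateway']}")
    if s["denied"]:
        notes.append("dropped by the firewall policy check")
    if s["sent_to_ips"]:
        notes.append("handed to the IPS engine; the flow trace does not show the IPS verdict, "
                     "so the IPS and forward-traffic logs are the next place to look")
    if s["existing_session"] and s["policy"] is None:
        notes.append("matched an existing session, so no fresh policy lookup is shown")
    if s["offload_attempted"]:
        notes.append("NPU offload attempted; once offloaded, later packets of this session "
                     "bypass the CPU and no longer appear in debug flow")
    return notes


def triage(text):
    """trace_id -> summary dict, for every trace in the captured output."""
    return {tid: summarize_trace(ev) for tid, ev in parse_debug_flow(text).items()}


def format_report(text):
    """Human-readable report, one block per trace."""
    out = []
    for tid, s in triage(text).items():
        out.append(f"trace {tid}: proto={s['proto']} {s['src']} -> {s['dst']} in={s['in_intf']}")
        out.extend(f"  - {n}" for n in explain(s))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(SAMPLE_DEBUG_FLOW))
```

Running it on the posted lines shows trace 21 matching policy 208, routing out port32 and ending at "send to ips", and trace 22 matching the existing session and attempting NPU offload. That matches the two observations in the thread: the flow trace stops at the IPS hand-off without showing a verdict, and once offload succeeds the remaining packets are invisible to debug flow, which is why the forward-traffic log is the only place where the policy-0 drop shows up.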

Vando_Pereira

In the SSL VPN policy, which SSL inspection mode do you have?

nai

Hi Vando_Pereira,

I'm using the SSL inspection profile certificate-inspection, the default one from FortiGate.

[image: nai_0-1646409656220.png]

When using this SSL inspection profile in the policy without IPS enabled, the SSL VPN still works as expected.

 

Vando_Pereira

OK, do you have any hardware acceleration active?

nai

Hi Vando_Pereira,

These 2 values are found in config ips global:

cp-accel-mode advanced

np-accel-mode basic

Does it mean hardware acceleration is active?

Sorry, I'm new to this. I don't know much about FortiGate.

Vando_Pereira

Hello Nai,

 

It's OK, no need to apologize; we are here to help and learn together.

Yes, hardware acceleration is activated. It's good for performance but bad for debugging, since you offload traffic to other processors and won't see anything in the debug.

 

So these two links will give you more information:

 

To have more information in the debug, you should disable both, but be careful about whether this is in production or not, and about the impact it might have.

 

Best regards.
