cyber
New Contributor

Experience blocked outbound SSL VPN traffic

Hello there!

Pardon me for asking, I am rather new to firewalls, as my company has recently integrated a Fortigate 60E into a new infrastructure and most of the settings configured are the necessary ones to run the operation.

So just recently, one of my colleagues tried to SSL-VPN into my vendor's network with the assigned credential to perform testing for a new system. When my colleague tried to connect, FortiClient reported "Cannot connect to VPN server", and I was wondering, could it be our firewall (Fortigate 60E) that is blocking the outbound traffic?

I really need some assistance on this urgently, and I am really hoping to get some answers soon.

Thank you guys in advance!

lobstercreed
Valued Contributor

Hi Tommy,

What port is the vendor's SSL-VPN running on? If it's standard 443, then I would say no, you're not blocking that, or almost no websites would work for you. You should be able to find pretty easily if you're blocking the traffic by searching the traffic from that user (assuming you're logging) and looking for traffic to that destination. You'll need to check what host he is trying to connect to exactly (remoteaccess.companyxyz.com for instance) so you can identify the traffic.

- Daniel

cyber

Hi Daniel,

lobstercreed wrote:

What port is the vendor's SSL-VPN running on?

The vendor is running on port 10443.

lobstercreed wrote:

You should be able to find pretty easily if you're blocking the traffic by searching the traffic from that user (assuming you're logging) and looking for traffic to that destination. You'll need to check what host he is trying to connect to exactly (remoteaccess.companyxyz.com for instance) so you can identify the traffic.

Pardon me for asking, but may I know how or where I can do so? On the firewall?

On the other hand, I was wondering, could the antivirus be blocking the connection?

-Tommy

lobstercreed
Valued Contributor

Hi Tommy,

Ah, yes, you may be blocking it if it's 10443. You will need to define a service for this under Policy & Objects and use it in the relevant outbound policies.

You can view logs on the firewall itself under Log & Report > Forward Traffic, but sometimes it is pretty limited as to what it will store. We use a FortiAnalyzer, or you can send your logs to FortiCloud. Logging does have to be turned on for the relevant policies though (such as any deny policies), or you won't see what's happening.

I suppose the antivirus could be blocking the connection, but that depends on what you're using. I don't have much experience with that.

- Daniel
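
The log check discussed in this thread, as an added example that is not part of the original posts: it filters forward-traffic records by source host and destination port and reports which action and policy ID the firewall logged. It assumes the logs are available as raw key=value text; the IP addresses, field selection and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in FortiOS key=value traffic-log style (not real logs).
# 192.168.1.50 = the colleague's PC, 203.0.113.10 = the vendor's VPN gateway.
SAMPLE_LOG = """\
date=2024-01-15 time=09:12:01 type="traffic" subtype="forward" srcip=192.168.1.50 dstip=203.0.113.10 dstport=443 action="close" policyid=1 service="HTTPS"
date=2024-01-15 time=09:14:22 type="traffic" subtype="forward" srcip=192.168.1.50 dstip=203.0.113.10 dstport=10443 action="deny" policyid=0 service="tcp/10443"
date=2024-01-15 time=09:14:25 type="traffic" subtype="forward" srcip=192.168.1.50 dstip=203.0.113.10 dstport=10443 action="deny" policyid=0 service="tcp/10443"
date=2024-01-15 time=09:15:40 type="traffic" subtype="forward" srcip=192.168.1.77 dstip=198.51.100.4 dstport=10443 action="deny" policyid=0 service="tcp/10443"
"""

# key=value pairs; a value is either double-quoted or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may hold spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def find_flows(log_text, src_ip, dst_port):
    """Forward-traffic records from src_ip to dst_port (any destination host)."""
    wanted = str(dst_port)
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec.get("subtype") == "forward"
            and rec.get("srcip") == src_ip
            and rec.get("dstport") == wanted]


def summarize(records):
    """Count records per (action, policyid)."""
    return Counter((r.get("action"), r.get("policyid")) for r in records)


def denied(records):
    """True if the firewall logged at least one deny for these flows."""
    return any(r.get("action") == "deny" for r in records)


if __name__ == "__main__":
    flows = find_flows(SAMPLE_LOG, "192.168.1.50", 10443)
    for (action, policy), n in summarize(flows).items():
        # policyid=0 is the implicit deny: no outbound policy matched the port.
        print(f"action={action} policyid={policy} count={n}")
    print("blocked by firewall:", denied(flows))
```

If no records at all come back for the host and port, logging may simply be off on the policy that handled the traffic, which is the caveat raised in the last reply.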
