For some reason we could not establish an SSL VPN to other FortiGate firewalls when behind a FortiGate 60F, FortiOS 6.0.9. We are using FortiClient to initiate the VPN connection. The FortiClient response when trying to make the VPN connection was: "Warning. Unable to establish the VPN connection. The VPN server may be unreachable. (14)". When reviewing the 60F logs in FortiView, under Traffic From LAN/DMZ / Threats, I noticed a listing of a threat with a Category of Newly Observed Domain. This appears to be from the attempted SSL VPN connection. I set the Web Filter and DNS Filter Security Profiles from Block Newly Observed Domains to Allow Newly Observed Domains. Now we can make SSL VPN connections from behind the FortiGate 60F. I don't recall having to set the Web Filter and DNS Filter this way to allow SSL VPN connections before. The addresses we are trying to VPN in to are public IP addresses, not domain names. This blockage happened with numerous SSL VPN connection addresses. Is there something that I am missing that would cause the Web Filter and DNS Filter Security Profiles to block VPN connections to public IP addresses?
To me that sounds like the Web Filter and DNS Filter are doing what they're supposed to. To avoid this I usually try to point a real DNS name to the public IP and connect the FortiClient to the DNS name rather than the public IP directly.
Rather than loosen your Web Filter and DNS Filter security profiles, what you might want to do on the 60F is create a separate LAN to WAN policy with only these public IPs as the destination, with no Web or DNS filtering applied, and move that policy above the policy that this HTTPS traffic usually hits.
Russ
NSE7
Correct
1st matching rule, so make an exception rule as required, or put a real FQDN on the vpn-gw and trust that in your webfilter.
Ken Felix
PCNSE
NSE
StrongSwan
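The exception-policy approach that both replies above describe, written out as a FortiOS CLI script. This is an added example, not configuration from the original posts or from Fortinet: the interface names (`internal`, `wan1`), the sample gateway address `203.0.113.10`, the SSL VPN port `10443`, the policy name and the policy IDs used in the `move` command are all assumptions and must be replaced with values from your own 60F. The point of the example is that the exception is scoped to the specific VPN gateway addresses and the SSL VPN port only, and is placed above the general browsing policy, so Web Filter and DNS Filter stay in force for everything else.

```fortios
# Added example (not from the original thread). Values below are assumptions.
# Goal: let FortiClient reach known SSL VPN gateways without Web/DNS filtering,
# while leaving the filtering profiles on the general LAN-to-WAN policy intact.

# 1. Address objects for each remote SSL VPN gateway (one host per object).
#    203.0.113.10 is a documentation-range placeholder; use your real gateway IP.
config firewall address
    edit "sslvpn-gw-siteA"
        set subnet 203.0.113.10 255.255.255.255
        set comment "Remote FortiGate SSL VPN gateway, site A"
    next
end

#    Alternative if the gateway has a DNS name (the FQDN approach in the replies):
#    an FQDN address object resolves via the 60F's own DNS lookups.
config firewall address
    edit "sslvpn-gw-siteB-fqdn"
        set type fqdn
        set fqdn "vpn-siteb.example.com"
        set comment "Assumed hostname; replace with the real gateway FQDN"
    next
end

# 2. Group the gateways so the policy only needs one destination object.
config firewall addrgrp
    edit "sslvpn-gateways"
        set member "sslvpn-gw-siteA" "sslvpn-gw-siteB-fqdn"
    next
end

# 3. Custom service for the SSL VPN listener port (assumed 10443; use the
#    port configured on the remote FortiGates, or "HTTPS" if they use 443).
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# 4. The exception policy: no web-filter / dnsfilter profile is attached,
#    so "Newly Observed Domain" checks cannot fire on this traffic.
#    Logging stays on so the outbound VPN sessions remain visible in FortiView.
config firewall policy
    edit 0
        set name "LAN-to-SSLVPN-gateways"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "sslvpn-gateways"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
        set nat enable
        set logtraffic all
        set comment "Exception: SSL VPN gateways only, no web/DNS filtering"
    next
end

# 5. Policies match top-down on first hit, so move the exception ABOVE the
#    general LAN-to-WAN policy. Policy IDs are assumptions: check them with
#    "show firewall policy" after step 4 and substitute the real numbers.
config firewall policy
    move 10 before 1
end
```

After applying, confirm the ordering with `show firewall policy` and, when a client connects, check FortiView for a session that hits the exception policy rather than the general one. Keeping the destination limited to the address group and the service limited to the SSL VPN port means the Web Filter and DNS Filter profiles on the general policy are not loosened for ordinary HTTPS browsing.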