FortiGate SSL-VPN with Central NAT

Problem

When SSL VPN is set up as usual with Central NAT enabled, login from the client does not work. 
The following message appears in the SSL VPN settings:


What must be configured differently with Central-NAT enabled?

Solution

The only difference between enabled and disabled Central-NAT is the handling of the firewall rules.

Deactivated Central-NAT:

Traffic Control => config firewall policy
SSL-Inspection & Authentication => solved by default firewall rules


Enabled Central-NAT:

Traffic Control => config firewall security-policy
SSL-Inspection & Authentication => config firewall policy

This means that when Central-NAT is enabled, one or more general rules for authentication and SSL inspection are defined under "firewall policy", while the actual traffic is filtered under "security-policy".
However, the SSL VPN requires a valid policy under "firewall policy" in both cases (Central-NAT activated or deactivated). Thus, with Central-NAT enabled, only one policy needs to be created for the SSL VPN under "SSL Inspection & Authentication". No policy is required under "Security Policy".
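As an added example (not part of the original post), this is what the single required entry under "SSL Inspection & Authentication" looks like on the CLI with Central-NAT enabled. The interface name "port2", the address object "LAN_NET" and the user group "sslvpn-users" are assumed names; "ssl.root" and "SSLVPN_TUNNEL_ADDR1" are the default SSL-VPN interface and tunnel address object.

```fortios
# Added example: SSL-VPN policy in "config firewall policy" with Central-NAT enabled.
# "port2", "LAN_NET" and "sslvpn-users" are assumed names; adapt them to your setup.
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        # Binding the policy to a user group is what makes the SSL-VPN
        # login usable for exactly these users and nobody else.
        set groups "sslvpn-users"
        set logtraffic all
        # Note: no "set nat enable" here. With Central-NAT the source NAT
        # decision lives in "config firewall central-snat-map", not in the policy.
    next
end

# Nothing has to be added under "config firewall security-policy" for the SSL-VPN.
# Verify the entry afterwards:
show firewall policy
```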


