SSLVPN: How to set up a remote user to access network resources (network drives, etc.)

Hi, I need assistance with a FortiGate 81E.

The problem is I created an SSL VPN connection, but when I connect from FortiClient on another network I can't ping the server or access the network resources that are configured on wan1 with a 200.7 IP. I tried changing the IP pool, but I still can't ping the server. Do I need to make a new interface? Or did I mess up my configuration, such as policies, VPN SSL settings, etc.? Any help is appreciated.

Hi

So… you provided zero information on what your setup is…
Basically you need to route your internal network, and you need to set up policies to allow the traffic you want from VPN to LAN.

But without information about your setup it is impossible to give advice.

Well… only the advice that you should search for the Cookbook on how to set up an SSL VPN.

Set up the SSL VPN, create the policy assigning the correct interfaces.

That's how you do it.

I don't know what you've done config-wise, as you have shared little to nothing.

With absolutely zero firewall/VPN experience, this video gave me all the info I needed to set our SSL VPN up from scratch. It's about 30 minutes long, but very well worth it: https://youtu.be/gUJ8zR6XXqI

Not nearly enough info provided…

Do you see appropriate routes on the client computer?

Have you configured appropriate policies on the FW to allow comms between the SSL VPN interface and the interface where the server is connected? (Generally not wan1…)

As well as echoing what others have said about the lack of info: what firmware are you on, and what troubleshooting have you done already, a diag debug flow for example?

From VPN to LAN, generally no NAT is required, just routing.
If you can already authenticate to VPN, then just make sure you have policies in place.

Also, logs are your friend :)

Here is our setup:

Interfaces: We have 2: port12 (physical interface) with a 10.10.x.x.x IP

and wan1 (physical interface), which has a 200.x.x.x.x IP (this is our IP in the office).

User groups: I have 1 for SSL VPN.

And user definition: 1 dummy account to test.

VPN: My SSL VPN settings are undefined at this point, because I was trying to tinker with it. So I'm not sure what to put in Listen on interface, Address range, etc.

Address range is set to Default SSL VPN TUNNEL.

IP ranges: I have no clue what to put there.

Auth/Portal mapping: blank.

Now moving on to SSL VPN Portal: I have full-access and web-access.

I don't know if I need to create a new portal for FortiClient.

In full-access, tunnel mode is enabled; I don't know if that is supposed to be selected.

Source IP pools is set to Default SSL VPN_TUNNEL_ADDRESS1.

For some reason I have the IP of the FortiGate in the Predefined bookmarks; not sure if that needs to be there.

In IPv4 Policy and Objects:

I created one that is called SSL-VPN-IN.

Incoming interface: default SSL VPN interface (ssl.root)

Outgoing interface: wan1 (physical interface); that's our network for our office and server.

Source: SSL VPN_TUNNEL_ADDRESS1 and SSLVPN firewall group

Destination: I don't know what to put there; I have some internal IP selected (192.168.x.x.x)

Always

all

NAT disabled

I think that's all; if you need more info let me know.

The goal is just to be able to use FortiClient to access the network here at work, so users can remote in and access and map network drives, etc. I am able to connect to the FortiGate via FortiClient but cannot access the network resources or ping the server here.

Can you share the video?

I'm using a second computer to test. We have 2 Wi-Fi connections configured, one for guests and one for employees; the employees are configured to have access to the server's drives, etc. I just can't seem to make the SSL VPN see my server at all. My SSL portal settings are:

Enabled split tunneling

Routing address: Internal network

Source IP pools: sslpv_tunnel_addr1

and yeah, that's it.

I honestly don't know where I messed up.

I think the kind of configuration I'm looking for is specific.

What I'm trying to do is set up an SSL VPN to connect to our wan1 connection, which is linked to our server, so we can access mapped drives and such… I don't know why the FortiGate is giving us a hard time.

Read the documentation: SSL VPN split tunnel for remote user | FortiGate / FortiOS 6.2.9 | Fortinet Document Library

Didn't check it all, but ignore step 4c (change your management port instead).

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/371626/ssl-vpn

Read that… Switch to 7.0 if you use that.

You need to set up an "SSL VPN portal". If you want split tunnel, enable it; most people prefer that one. If you use split tunnel you have to define which internal networks you want to have routed. So: set your internal LAN range as the routing address.

Without split tunnel, EVERYTHING gets sent into the tunnel, even the user's normal web traffic. So your Internet connection should be big enough to handle that.

Then SSL-VPN Settings:

You can use Address Range Automatic or define your own range. That's the IP range the VPN clients get their IPs from. You don't need to worry about that if you set it to auto.

Policy:

Incoming interface: default SSL VPN interface (ssl.root)

Outgoing interface: port12 (or whatever your internal LAN is sitting on. Ping from your client and check the log entry (enable logging for the DENY ALL rule!). It tells you which destination interface is being used to transmit the packet. Use that one if you are not sure.)

For testing, source and destination can be left at ALL. Of course you should define your client VPN network as source and your internal network range as destination.

But: Read the guide!
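A worked FortiOS CLI version of the portal, settings and policy described above, as an added example rather than the poster's or the thread's own config; the object and interface names (Internal-LAN and its subnet, SSLVPN_TUNNEL_ADDR1, SSLVPN-Users, port12, wan1) are assumed placeholders to adapt to your own setup:

```fortios
# Address object for the LAN the server sits on (assumed name and subnet)
config firewall address
    edit "Internal-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Portal: tunnel mode with split tunnel, so only the LAN is routed into the tunnel
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Internal-LAN"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# Settings: listen on wan1, hand out the pool, map the VPN group to the portal
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "full-access"
        next
    end
end
# Policy: ssl.root to the internal interface (port12), not wan1; no NAT needed
config firewall policy
    edit 0
        set name "SSL-VPN-IN"
        set srcintf "ssl.root"
        set dstintf "port12"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal-LAN"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

With `logtraffic all` on this policy, a failed ping from the client shows up in the forward traffic log with the interface pair and the policy (or implicit deny) that handled it, which is the quickest way to spot a wrong outgoing interface.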

Your policy is incorrect. It needs to be SSL VPN int to LAN, or whatever internal int your server is on. Not wan1 and an internal subnet/address.

Also, if you haven't, go into the CLI and do as follows:
config vpn ssl settings
set domain-suffix "yourdomain.local"

Wow… I forgot the link. Sorry :) https://youtu.be/gUJ8zR6XXqI

I read the guide; the problem is still there. The only thing I didn't do is configure the wan interface, because that already has a configuration that was put there before I came. In SSL Portal, what should the source IP pools be, SSLPV_TUNNEL_ADDRESS1?

I'll probably have to go into the CLI and make SSL see the server or something and establish a connection or something.

My policy is now as follows: incoming interface: SSL VPN

Outgoing: LAN

source: sslvpn_tunnel_address1

sslvpn (group with client)

Destination: Internal network (I tried all, but because I have split tunneling enabled in my portal it won't let me save with all)

always

all

In SSL VPN settings I changed the listening port to wan1.

I'm able to log in to the SSL VPN from FortiClient, but I still can't ping the server or access the server. I followed the cookbook guide too and still no dice.

Maybe this will help: we have a port12 (mgmt port) which has a 10.10 IP

and a wan1 interface which is the gateway of the FortiGate.

Our server has an IP of 192.168.x.x.x.

I'll keep trying and see what works.

The next step then will be that your address object for your internal network matches your used subnet, 192.168.x.x/24 (if you're on a 255.255.255.0 subnet).

So the internal interface must be on this range. Your server should be on this range too. Are you trying to ping by name or by IP of the server? To start with, use the IP, just in case your DNS isn't configured correctly for the SSL VPN tunnel.

Actually, just rereading your updates: is port12 what your internal network is on? As you mentioned, you have this and wan1 connected, but your interface IP on port12 and your server subnet don't match. Do you have tagged VLANs on this network that the server resides on, with the switching doing inter-VLAN routing?

I think there might be a bit of confusion somewhere. Can you run the following commands and give the outputs here? You can get to the CLI by clicking the CLI button at the top of the firewall interface, marked as ">_". Take out any info that isn't to do with your setup in question, such as extra interfaces and policies not relating to your VPN. Leave internal subnets in but take out your wan address.

show system interface

show firewall policy

show firewall address

show vpn ssl settings

show vpn ssl web portal

Also, just in case something has been entered that shouldn't be:

show router static

By IP.
But I get no packets sent on cmd and it fails to ping,
while I'm connected to the FortiGate via FortiClient.