Category Archives: FortiGate

FortiAP Management – Deploying WPA2-Enterprise SSID to FortiAP units

This guide provides basic configuration instructions for deploying a WPA2-Enterprise SSID with FortiAP. The steps are: create the SSID, assign the SSID to the FortiAP, and create a firewall policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:

  1. Create a WPA2-Enterprise SSID. Do one of the following:
    1. Create the SSID with authentication directly against a RADIUS server:
      1. Create a RADIUS server:
        1. Go to User & Device > RADIUS Servers, then click Create New.
        2. Enter a server name.
        3. In the Primary Server > IP/Name field, enter the IP address or server name.
        4. In the Primary Server > Secret field, enter the shared secret.
        5. Click Test Connectivity to verify the connection with the RADIUS server.
        6. Click Test User Credentials to verify that a user account can be authenticated by the RADIUS server.
        7. Click OK.
      2. Create the WPA2-Enterprise SSID:
        1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
        2. Enter the desired interface name. For Traffic mode, select Tunnel.
        3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
        4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
        5. For Authentication, select RADIUS Server. From the dropdown list, select the RADIUS server created above.
        6. Click OK.
    2. Create the SSID with authentication from a user group:
      1. Create a user group:
        1. Go to User & Device > User Groups, then click Create New.
        2. Enter the desired group name. For Type, select Firewall.
        3. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
        4. Click OK.
      2. Create the WPA2-Enterprise SSID:
        1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
        2. Enter the desired interface name. For Traffic mode, select Tunnel.
        3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
        4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
        5. For Authentication, select Local, then select the user group created above (this is the GUI equivalent of set auth usergroup in the CLI procedure below).
        6. Click OK.
  2. Select the SSID on a managed FortiAP. This example uses a managed FortiAP-320C with the "FAP320C-default" profile applied to it. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Settings, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in step 1.
      5. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi & Switch Controller > FortiAP Profiles. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in step 1.
      3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
      4. Click OK.
  3. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the SSID interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the Internet-facing interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. These values permit any traffic from the SSID to the Internet; narrow them where your environment requires it.
    6. Click OK.

To deploy WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:

  1. Create a RADIUS server. The server address and secret are example values; use a strong shared secret in production:

config user radius
    edit "wifi-radius"
        set server "172.16.200.55"
        set secret fortinet
    next
end

  2. Create a user group (needed only for the user-group variant of the SSID):

config user group
    edit "group-radius"
        set member "wifi-radius"
    next
end

  3. Create a WPA2-Enterprise SSID. Do one of the following:
    1. Create the SSID with authentication directly against the RADIUS server:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
end

    2. Create the SSID with authentication from the user group:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "group-radius"
    next
end

  4. Configure an IP address on the SSID interface and enable a DHCP server for it:

config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
        set timezone-option default
    next
end

  5. Select the SSID on a managed FortiAP. This example uses a managed FortiAP-320C (serial number FP320C3X14000640) with the "FAP320C-default" profile applied to it. Disabling vap-all and listing the VAPs explicitly means each radio broadcasts only the SSIDs named here:

config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end

  6. Create the SSID-to-Internet firewall policy. As written it accepts any traffic from the SSID to the Internet; tighten the destination and service where required:

config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

FortiAP Management – Deploying WPA2-Personal SSID to FortiAP units

This guide provides basic configuration instructions for deploying a WPA2-Personal SSID with FortiAP. The steps are: create the SSID, assign the SSID to the FortiAP, and create a firewall policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Personal SSID to FortiAP units on the FortiOS GUI:

  1. Create a WPA2-Personal SSID:
    1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Personal.
    5. In the Pre-Shared Key field, enter the key. It must be either a passphrase of 8 to 63 characters or exactly 64 hexadecimal digits (the raw 256-bit PSK). Use a long, random passphrase: anyone who captures a client's 4-way handshake can attempt offline guessing of a short one.
    6. Click OK.
  2. Select the SSID on a managed FortiAP. This example uses a managed FortiAP-320C with the "FAP320C-default" profile applied to it. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Settings, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Personal SSID created in step 1 (Fortinet-PSK in this example).
      5. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi & Switch Controller > FortiAP Profiles. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Personal SSID created in step 1.
      3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
      4. Click OK.
  3. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the SSID interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the Internet-facing interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. These values permit any traffic from the SSID to the Internet; narrow them where your environment requires it.
    6. Click OK.

To deploy WPA2-Personal SSID to FortiAP units using the FortiOS CLI:

  1. Create a WPA2-Personal SSID as a VAP interface named "wifi-vap". The passphrase fortinet is only an example value and is the minimum allowed length; use a long, random passphrase in production:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
    next
end
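The Pre-Shared Key rule stated in the GUI procedure (8 to 63 characters, or exactly 64 hexadecimal digits) comes from how WPA2-Personal turns the key into the 256-bit Pairwise Master Key. The following Python is an added example, not part of the Fortinet recipe or of FortiOS: it validates a key against that rule and derives the PMK with the IEEE 802.11i PBKDF2-HMAC-SHA1 construction, showing that a 64-hex-digit key is the PMK itself and that the derived key is bound to the SSID. The SSID and passphrase in main are the recipe's example values.

```python
"""WPA2-Personal pre-shared key checks.

Added example, not part of the FortiOS recipe. IEEE 802.11i derives the
256-bit Pairwise Master Key (PMK) from an ASCII passphrase of 8-63 characters
with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. A key given as
64 hexadecimal digits is the 256-bit PMK itself, which is why the GUI accepts
exactly those two forms and nothing else.
"""
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_psk(key: str) -> str:
    """Return "hex" for a 64-hex-digit raw PMK or "passphrase" for an 8-63
    character printable ASCII passphrase; raise ValueError otherwise."""
    if _HEX64.match(key):
        return "hex"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("key must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(ssid: str, key: str) -> bytes:
    """Return the 32-byte PMK that both the AP and the client compute for this SSID."""
    if classify_psk(key) == "hex":
        return bytes.fromhex(key)
    # IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def passphrase_to_hex_key(ssid: str, passphrase: str) -> str:
    """Express a passphrase as the equivalent 64-hex-digit key for one SSID.

    The PMK is bound to the SSID: the same passphrase on a renamed SSID yields
    a different key, and a 64-hex key cannot be reused on another SSID.
    """
    return derive_pmk(ssid, passphrase).hex()


if __name__ == "__main__":
    # The recipe's example values from the CLI block above.
    ssid, passphrase = "Fortinet-psk", "fortinet"
    print(classify_psk(passphrase), passphrase_to_hex_key(ssid, passphrase))
```

The derivation is deliberately slow (4096 PBKDF2 iterations), but it is still cheap enough that an 8-character passphrase captured via a 4-way handshake can be guessed offline, which is the practical reason to prefer a long passphrase or WPA2-Enterprise.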

  2. Configure an IP address on the SSID interface and enable a DHCP server for it:

config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
        set timezone-option default
    next
end

  3. Select the SSID on a managed FortiAP. This example uses a managed FortiAP-320C (serial number FP320C3X14000640) with the "FAP320C-default" profile applied to it:

config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end

  4. Create the SSID-to-Internet firewall policy. As written it accepts any traffic from the SSID to the Internet; tighten the destination and service where required:

config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
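Both CLI recipes above finish with the same firewall policy: accept from any source to any destination on service ALL. The following Python is an added example, not part of the Fortinet recipes or of FortiOS. It parses the FortiOS CLI configuration syntax used on this page (config / edit / set / next / end) into nested dicts and then flags policies that are that permissive. SAMPLE_CONFIG is constructed for the example: entry 1 reproduces the page's "WiFi to Internet" policy, while entry 2 is a hypothetical tightened variant that binds the policy to the RADIUS user group with set groups and limits the services; that variant is this example's assumption about how the WPA2-Enterprise policy could be narrowed, not something the page configures.

```python
"""Audit FortiOS firewall policies for an "accept any/any/ALL" rule.

Added example, not part of the FortiOS recipe or of FortiOS itself. Parses
the CLI configuration syntax (config / edit / set / next / end) into nested
dicts and flags accept policies with any source, any destination and service
ALL that are not narrowed by a user or group condition.
"""
import shlex

# Constructed sample: entry 1 is the page's own policy; entry 2 is a
# hypothetical tightened variant (group-bound, limited services).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    edit 2
        set name "WiFi to Internet (tightened)"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "group-radius"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI config text into nested dicts.

    Shape: {"firewall policy": {"1": {"name": ["WiFi to Internet"], ...}}}.
    'config' opens a table closed by 'end'; 'edit' opens an entry closed by
    'next'; 'set' stores a list of values (FortiOS allows several per line).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def parse_block(terminator):
        nonlocal pos
        node = {}
        while pos < len(lines):
            tokens = shlex.split(lines[pos])
            pos += 1
            keyword = tokens[0]
            if keyword == terminator:
                return node
            if keyword == "config":
                node[" ".join(tokens[1:])] = parse_block("end")
            elif keyword == "edit":
                node[tokens[1]] = parse_block("next")
            elif keyword == "set":
                node[tokens[1]] = tokens[2:]
            elif keyword == "unset":
                node.pop(tokens[1], None)
            else:
                raise ValueError(f"unexpected keyword {keyword!r}")
        if terminator is None:
            return node
        raise ValueError(f"missing {terminator!r}")

    return parse_block(None)


def audit_policies(config: dict) -> list:
    """Return (policy_id, name, reason) for accept policies that match any
    source, any destination and any service with no user/group condition."""
    findings = []
    for pid, pol in config.get("firewall policy", {}).items():
        if pol.get("action", ["deny"]) != ["accept"]:
            continue
        identity_bound = bool(pol.get("groups") or pol.get("users"))
        if (pol.get("srcaddr") == ["all"] and not identity_bound
                and pol.get("dstaddr") == ["all"]
                and pol.get("service") == ["ALL"]):
            findings.append((pid, pol.get("name", [""])[0],
                             "accepts any source to any destination on ALL services"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid} ({name}): {reason}")
```

The parser handles the nested tables used elsewhere on this page as well (for example config ip-range inside a DHCP server entry), so the same function can be pointed at a full show output to audit every policy on a unit.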

FortiAP Management – Set up a mesh connection between FortiAP units

To set up a WiFi mesh connection, a minimum of three devices are required:

  1. A FortiGate as the AP Controller (AC)
  2. A FortiAP as the Mesh Root AP (MRAP)
  3. A FortiAP as a Mesh Leaf AP (MLAP).

Configuring the AC

These instructions assume that the MRAP is already being managed by the AC (see Configuring the FortiGate interface to manage FortiAP units and Discovering, authorizing, and deauthorizing FortiAP units on this page).

To configure the AC:

  1. Go to WiFi & Switch Controller> SSID and create a mesh SSID.
  2. Go to WiFi & Switch Controller> Managed FortiAPs, edit the MRAP, and assign the mesh SSID to the MRAP, and wait for a connection.

Configuring the MLAP

The MLAP can be configured to use the mesh link as its Main uplink or a Backup link for Ethernet connections.

To configure the MLAP:

  1. On the FortiAP, go to Connectivity.
  2. Set Uplink to Mesh or Ethernet with mesh backup support.
  3. Enter a mesh SSID and password.
  4. Optionally, select Ethernet Bridge (see Main uplink below). This option is not available if Uplink is set to Ethernet with mesh backup support.

Once the MLAP has joined the AC, it can be managed in the same way as a wired AP.

A mesh SSID can also be assigned to an MLAP to serve further downstream MLAPs, creating a multi-hop WiFi mesh network. The maximum hop count defaults to 4 and can be changed from the FortiAP console with the following commands (the first sets the value, the second commits it):

cfg -a MESH_MAX_HOPS=n
cfg -c

Main uplink

When a mesh link is set as the main uplink of the MLAP, the Ethernet port on the MLAP can be set up as a bridge to the mesh link. This allows downstream wired devices to use the mesh link to connect to the network.

To enable a mesh Ethernet bridge, select Ethernet Bridge in the FortiAP Connectivity section of the GUI, or use the following console commands:

cfg -a MESH_ETH_BRIDGE=1
cfg -c

Backup link for Ethernet connections

When a mesh link is set to be the backup link for an Ethernet connection, the mesh link will not be established unless the Ethernet connection goes offline. When a mesh link is in this mode, the Ethernet port cannot be used as a bridge to the mesh link.

FortiAP Management – Discovering, authorizing, and deauthorizing FortiAP units

AC actions when a FortiAP attempts to get discovered

Enable the ap-discover setting on the AC for the interface that will manage FortiAPs:

config system interface
    edit "lan"
        set ap-discover enable
    next
end

With ap-discover enabled, the AC creates an entry in the Managed FortiAPs table when it receives a FortiAP's discovery request. ap-discover is enabled by factory default. An entry created this way is marked with the status discovered and waits for an administrator to authorize it, unless the following setting is also present:

config system interface
    edit "lan"
        set auto-auth-extension-device enable
    next
end

With auto-auth-extension-device enabled, the AC authorizes a newly discovered FortiAP automatically, with no manual administrator action. This setting is disabled by factory default. Leave it disabled unless the interface is a dedicated, physically controlled AP management segment: with it enabled, any device that can reach the interface and complete CAPWAP discovery is adopted as a managed AP without review.

Authorize a discovered FAP

Once the AC receives a FortiAP's discovery request, an entry is added to the Managed FortiAPs table and shown on the GUI Managed FortiAPs page.

To authorize a specific AP, select its entry, then click the Authorize button at the top of the table or choose Authorize from the pop-out menu.

In the GUI, authorization can also be done from the Action menu in the FortiAP detail panel.

Authorization can also be done from the CLI with the following commands, where the edit argument is the FortiAP's serial number:

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
end

De-authorize a managed FAP

To de-authorize a managed FAP, select its entry, then click the Deauthorize button at the top of the table or choose Deauthorize from the pop-out menu.

In the GUI, de-authorization can also be done from the Action menu in the FortiAP detail panel.

De-authorization can also be done from the CLI. Setting admin back to discovered returns the unit to the unauthorized, discovered state:

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin discovered
    next
end

FortiAP Management – Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC’s IP address to reach it.

AC discovery type   Description
Auto                The FortiAP tries each of the methods below in turn and keeps cycling through them until an AC responds.
Static              The FortiAP sends discovery requests to a preconfigured IP address owned by an AC.
DHCP                The FortiAP reads the AC's IP address from DHCP option 138 (the CAPWAP AC address option; the factory default) in the DHCP offer from which it also obtains its own IP address.
DNS                 The FortiAP obtains the AC's IP address by resolving a preconfigured FQDN.
FortiCloud          The FortiAP is discovered by FortiCloud.
Broadcast           The FortiAP is discovered by sending discovery requests as broadcasts on its local subnet.
Multicast           The FortiAP is discovered by sending discovery requests to the multicast address 224.0.1.140 (the factory default).

FortiAP Management – Configuring the FortiGate interface to manage FortiAP units

This guide describes how to configure a FortiGate interface to manage FortiAPs.

Based on the above topology, this example uses port16 as the interface used to manage connection to FortiAPs.

  1. Enable a DHCP server on port16:
    1. In FortiOS, go to Network > Interfaces.
    2. Double-click port16.
    3. In the IP/Network Mask field, enter an IP address for port16.
    4. Enable DHCP Server, keeping the default settings.
  2. Optionally, enable the VCI-match feature from the CLI. With VCI-match enabled, only DHCP clients whose Vendor Class Identifier (DHCP option 60) matches the preconfigured string can obtain an IP address from this DHCP server, which keeps other devices plugged into the AP segment from getting a lease. The VCI is asserted by the client and is trivial to spoof, so treat this as a hygiene filter, not an access control. To configure VCI-match, run:

config system dhcp server
    edit 1
        set interface port16
        set vci-match enable
        set vci-string "FortiAP"
    next
end

  3. A FortiAP must be able to establish a CAPWAP tunnel with the FortiGate, so CAPWAP must be allowed as administrative access on port16:
    1. Go to Network > Interfaces.
    2. Double-click port16.
    3. Under Administrative Access, select CAPWAP.
    4. Click OK.
  4. To create a FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. This option is enabled by default:

config system interface
    edit port16
        set allow-access capwap
        set ap-discover enable|disable
    next
end

  5. To let the FortiGate authorize a newly discovered FortiAP automatically, run the following command. This option is disabled by default, and should stay disabled unless port16 is a trusted, dedicated AP management network, because it adopts any device that completes CAPWAP discovery without review:

config system interface
    edit port16
        set allow-access capwap
        set auto-auth-extension-device enable|disable
    next
end
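Two parts of the FortiAP discovery path above are plain DHCP options: the VCI-match check compares the client's Vendor Class Identifier (option 60) against the configured string, and the DHCP discovery method in the table above reads the AC's address from option 138 (CAPWAP Access Controller addresses, RFC 5417). The following Python is an added example, not part of the Fortinet documentation or of FortiOS: it decodes a DHCP options field and extracts both. The packet bytes, the 10.10.90.0/24 addressing and the assumption that vci-match is a substring comparison against the VCI are all constructed for this example; they are useful when a FortiAP is served by a non-FortiGate DHCP server and you need to confirm what it is actually being told.

```python
"""Decode the DHCP options a FortiAP relies on for controller discovery.

Added example, not part of the FortiOS documentation. Parses the option
field of a DHCP message (RFC 2132 TLV encoding) and extracts:
  * option 60, Vendor Class Identifier, which the FortiGate DHCP server's
    vci-match/vci-string check compares against the string "FortiAP";
  * option 138, CAPWAP Access Controller addresses (RFC 5417), a list of
    4-byte IPv4 addresses the FortiAP uses to find its AC.
"""
import ipaddress
import struct

OPT_PAD, OPT_END = 0, 255
OPT_VCI = 60
OPT_CAPWAP_AC_V4 = 138


def parse_dhcp_options(blob: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP options field.

    Stops at END (255), skips PAD (0) and raises on a truncated TLV so a
    malformed offer is rejected instead of silently misread.
    """
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # A long option may be split across several TLVs; concatenate (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def capwap_ac_addresses(options: dict) -> list:
    """Decode option 138 into dotted IPv4 strings, in the order offered."""
    raw = options.get(OPT_CAPWAP_AC_V4, b"")
    if len(raw) % 4:
        raise ValueError("option 138 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, len(raw), 4)]


def vci_matches(options: dict, vci_string: str = "FortiAP") -> bool:
    """Mirror the FortiGate DHCP server's vci-match. Assumption of this example:
    the configured vci-string must appear in the client's option 60 value."""
    return vci_string.encode() in options.get(OPT_VCI, b"")


def build_option(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return struct.pack("BB", code, len(value)) + value


# Constructed: options of a DHCPOFFER from a DHCP server on the AP segment
# (10.10.90.0/24, assumed) pointing FortiAPs at the AC 10.10.90.1 and a
# second AC 10.10.90.2.
SAMPLE_OFFER_OPTIONS = (
    build_option(53, b"\x02")                       # DHCP message type: OFFER
    + build_option(1, bytes([255, 255, 255, 0]))    # subnet mask
    + build_option(3, bytes([10, 10, 90, 1]))       # router
    + build_option(OPT_CAPWAP_AC_V4, bytes([10, 10, 90, 1, 10, 10, 90, 2]))
    + bytes([OPT_END])
)

# Constructed: options of a FortiAP's DHCPDISCOVER carrying its VCI.
SAMPLE_DISCOVER_OPTIONS = (
    build_option(53, b"\x01")                       # DHCP message type: DISCOVER
    + build_option(OPT_VCI, b"FortiAP")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    offer = parse_dhcp_options(SAMPLE_OFFER_OPTIONS)
    print("AC addresses offered:", capwap_ac_addresses(offer))
    discover = parse_dhcp_options(SAMPLE_DISCOVER_OPTIONS)
    print("VCI accepted by vci-match:", vci_matches(discover))
```

Feed parse_dhcp_options the options bytes from a captured DHCPOFFER (for example the payload after the magic cookie in a pcap) to see exactly which controller addresses a FortiAP on that segment will be steered to.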

FortiGate multiple connector support

This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured Fabric connector in FortiOS.

FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of Fabric connector.

This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:

This process consists of the following:

  1. Configure the interface.
  2. Configure a static route to connect to the Internet.
  3. Configure two Azure Fabric connectors with different client IDs.
  4. Check the configured Fabric connectors.
  5. Create two firewall addresses.
  6. Check the resolved firewall addresses after the update interval.
  7. Run diagnose commands.

To configure the interface:

  1. In FortiOS, go to Network > Interfaces.
  2. Edit port1:
    1. From the Role dropdown list, select WAN.
    2. In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.

To configure a static route to connect to the Internet:

  1. Go to Network > Static Routes. Click Create New.
  2. In the Destination field, enter 0.0.0.0/0.0.0.0.
  3. From the Interface dropdown list, select port1.
  4. In the Gateway Address field, enter 10.6.30.254 (the gateway must be in port1's subnet).

To configure two Azure Fabric connectors with different client IDs:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New. Configure the first Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure1.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.
  3. Click Create New. Configure the second Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure2.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.

To check the configured Fabric connectors:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client IDs.

To create two firewall addresses:

This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address. Configure the first Fabric connector firewall address:
    1. In the Name field, enter azure-address-1.
    2. From the Type dropdown list, select Fabric Connector Address.
    3. From the SDN Connector dropdown list, select azure1.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.
  3. Click Create New > Address. Configure the second Fabric connector firewall address:
    1. In the Name field, enter azure-address-2.
    2. From the Type dropdown list, select Fabric Connector Address.
    3. From the SDN Connector dropdown list, select azure2.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.

To check the resolved firewall addresses after the update interval:

By default, the update interval is 60 seconds.

  1. Go to Policy & Objects > Addresses.
  2. Hover over the created addresses. The IP addresses resolved by the configured Fabric connectors are displayed.

To run diagnose commands:

Run the diagnose sys sdn status command. Both Fabric connectors should appear with a status of connected.

Run the diagnose debug application azd -1 command to watch the Azure connector daemon (azd) resolve the addresses. The output should look like the following (hostname and address are from the example):

Level2-downstream-D # diagnose debug application azd -1
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list: 10.18.0.4
...

To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.

Access a cloud server using an AWS SDN connector via SSL VPN

This example provides a sample configuration so that a local client PC can access an FTP server deployed inside an AWS cloud using an AWS SDN connector via SSL VPN.

The FortiGate VM64-AWS is deployed inside an AWS Cloud, and can dynamically resolve the private IP address of the FTP server in the cloud with an AWS SDN connector. The local client PC, with FortiClient installed, can establish an SSL-VPN tunnel to the FortiGate, and then access the FTP server through the tunnel.

To configure the FortiGate VM64-AWS:

  1. Configure an AWS SDN connector. Create a dedicated IAM access key for the connector with read-only (describe) permissions on EC2 rather than reusing an administrator's key:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New.
    3. Click Amazon Web Services (AWS).
    4. Configure the following:

Name                aws1
Status              Enabled
Update Interval     Use Default
Access key ID       <AWS access key ID>
Secret access key   <AWS secret access key>
Region name         us-east-1
VPC ID              disabled

    5. Click OK.
  2. Check the connector status:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click the refresh icon on the configured SDN connector. A green arrow in the bottom right corner of the connector means that it is connected.
  3. Create a firewall address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. Configure the following:

Name                dynamic-aws
Type                Fabric Connector Address
SDN Connector       aws1
SDN address type    Private
Filter              Tag.Name=publicftp (the Name tag of the FTP server instance in the AWS cloud)
Interface           any

    3. Click OK.
  4. Check the resolved firewall address after the update interval (60 seconds by default):
    1. Go to Policy & Objects > Addresses.
    2. Hover the cursor over dynamic-aws. The private IP address resolved by the configured SDN connector is shown (172.31.31.101 in this example).

  5. Configure SSL VPN access to the FTP server:
    1. Configure a user and user group:
      1. Go to User & Device > User Definition and create a new local user named usera.
      2. Go to User & Device > User Groups, create a group named sslvpngroup, and add usera to it.
    2. Configure SSL VPN:
      1. Go to VPN > SSL-VPN Settings.
      2. Set Listen on Interface(s) to port1 and Listen on Port to 10443. Set Server Certificate to your own certificate, or to Fortinet_Factory. Prefer your own certificate: Fortinet_Factory is not trusted by clients, and training users to click through the resulting warning makes a spoofed gateway indistinguishable from the real one.
      3. In the Authentication/Portal Mapping section, set the default All Other Users/Groups to full-access, and create a new Authentication/Portal Mapping for sslvpngroup, also with full-access.
      4. Click Apply.
    3. Configure an SSL VPN firewall policy:
      1. Go to Policy & Objects > IPv4 Policy and click Create New.
      2. Configure the following:

Name                sslvpn-aws
Incoming Interface  ssl.root (the SSL VPN tunnel interface)
Outgoing Interface  port1
Source              all, sslvpngroup
Destination         dynamic-aws
Schedule            always
Service             ALL
Action              Accept

      3. Click OK.

To connect an SSL VPN tunnel from the local client PC:

  1. Download FortiClient from forticlient.com and install it.
  2. Open the FortiClient console and go to Remote Access.
  3. Add a new connection
  4. Set VPN to SSL-VPN, and enter a Connection Name and Description.
  5. Set the Remote Gateway to 26.32.219, which is the FortiGate’s port1 public IP address that is configured as the listening interface.
  6. Enable Customize port, and set the port number to 10443.
  7. Click Save.
  8. Use the credentials configured for usera to connect to the tunnel.

Traffic to the SDN connector’s resolved IP address (dynamic-aws, 172.31.31.101) will go through the tunnel, and other traffic will go through the local gateway.

The client PC shows the routing entry for the tunnel:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.200.1    0.0.0.0         UG    0      0        0 eth1
172.31.31.101   10.212.134.200  255.255.255.255 UGH   0      0        0 ppp0

The FortiGate shows the logged-in user and the assigned SSL VPN tunnel virtual IP address:

execute vpn sslvpn list
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       usera   1(1)        284       208.91.115.10   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP       Duration   I/O Bytes   Tunnel/Dest IP
 0       usera   208.91.115.10   76         1883/1728   10.212.134.200

Diagnose commands

Show the SDN connector status:

FGT-AWS # diagnose sys sdn status
SDN Connector    Type    Status
----------------------------------
aws1             aws     connected

Debug the AWS SDN connector daemon (awsd) to watch it resolve the firewall address:

FGT-AWS-3 # diagnose debug application awsd -1
...
awsd checking firewall address object dynamic-aws, vd 0
address change, new ip list:
172.31.31.101
awsd sdn connector aws1 finish updating IP addresses
...

Restart the AWS SDN connector daemon:

FGT-AWS-3 # diagnose test application awsd 99