SSL VPN Configuration and Address Matching Priority

Hey everyone,

We’ve recently configured SSL VPN settings and need some clarification on address matching in our setup. Here’s what we’ve done so far:

  1. Configured SSL VPN settings.
  2. Created a Negate Address group for SSL VPN connections.
  3. Set up a security policy from the Outside interface to the SSL VPN interface, allowing specific addresses.

Now, my question is: Which address will match first—the Negate Address group or the allowed address in the security policy?

I’m trying to understand how the firewall prioritizes these matches during the connection process.

Any insights or clarifications would be greatly appreciated! Thanks in advance.

Traffic to the FortiGate is not the same as traffic through the FortiGate.

Firewall Policies only look at traffic passing through the FortiGate. Since the SSLVPN establishment session is terminated on the FortiGate, it’s traffic to the FortiGate, not through it.

Once the SSLVPN tunnel is established though, traffic from the client will then arrive on the SSLVPN interface on the FortiGate and pass through to reach some other resource, say a website on the Internet or similar.

So SSLVPN-tunnel establishment == traffic to the FortiGate

Traffic from an established SSLVPN tunnel to some resource == traffic through the FortiGate

<ssl.root> is for controlling access from/to connected SSL-VPN clients. It does not control the ability to connect to SSL-VPN.

If you want a firewall policy that restricts access to SSL-VPN, you’ll need to bind SSL-VPN to loopback (typically), and then permit/restrict access via a firewall policy.

There is no meaningful “priority” in the source-filtering. An incoming connection attempt must pass both filters. (accepted by policy + accepted by SSL-VPN address restrictions => can attempt login; denied by either => denied from access attempts)
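The loopback approach described in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration posted by anyone in this thread; the interface name wan1, the loopback address 10.255.255.1, and the address-object names are assumptions chosen for illustration.

```fortios
# Loopback interface that the SSL-VPN portal will listen on.
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping https
    next
end

# Address objects: the allowed client sources and the loopback itself.
config firewall address
    edit "SSLVPN_Allowed_Sources"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "sslvpn-lo-addr"
        set subnet 10.255.255.1 255.255.255.255
    next
end

# Filter 1: the SSL-VPN listener's own source-address restriction.
# source-address-negate disable means the group is an allow list; enable
# would turn it into a block list (the "Negate Address" case in the question).
config vpn ssl settings
    set source-interface "sslvpn-lo"
    set source-address "SSLVPN_Allowed_Sources"
    set source-address-negate disable
    set port 443
end

# Filter 2: a firewall policy from the outside interface to the loopback.
# Because the listener sits on the loopback, the connection attempt is now
# traffic *through* the FortiGate, so it must match this policy first.
config firewall policy
    edit 0
        set name "outside-to-sslvpn-loopback"
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set srcaddr "SSLVPN_Allowed_Sources"
        set dstaddr "sslvpn-lo-addr"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

A login attempt has to pass both the policy and the listener's source restriction; a source denied by either never reaches authentication, and the policy log then shows the rejected attempts from the outside interface.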