Technical Tip: How to match the SSL-VPN user to all the groups when it is authenticated
| Description | This article describes how to match the SSL-VPN user to all of its groups once it is authenticated on SSL-VPN. |
| Scope | FortiGate |
| Solution | - 'sslvpntest1' has been used as a sample SSL-VPN user.
- 'sslvpntest1' is a member of 'sslvpngrp1', 'sslvpngrp2', 'sslvpngrp3', 'sslvpngrp4' and 'sslvpngrp5'.
- Make sure an IPv4 policy is configured for every group that 'sslvpntest1' is part of.
- Once 'sslvpntest1' authenticates on SSL-VPN, all the groups that 'sslvpntest1' is part of are visible under Firewall User Monitor.
- The same information is available in the CLI by running this command:
# get vpn ssl monitor
- For debugging, run these commands:
# diag debug app fnbamd -1
# diag debug en
- The following sample log shows how the FortiGate matches 'sslvpntest1' to all the groups it is part of after it authenticates on SSL-VPN.
[624:root:18]add user sslvpntest1 in group sslvpngrp5
[624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp4
[624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp3
[624:root:18]Will add auth policy for policy 5 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp2
[624:root:18]Will add auth policy for policy 4 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp1
[624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1
[624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6
[624:root:18]fsv_associate_fd_to_ipaddr:1910 associate 10.212.134.200 to tun (ssl.root:37)
[624:root:18]proxy arp: scanning 6 interfaces for IP 10.212.134.200
[624:root:18]Cannot determine ethernet address for proxy ARP
[624:root:17]sslvpn_read_request_common,679, ret=-1 error=-1, sconn=0x7feb1b378900.
[624:root:17]Destroy sconn 0x7feb1b378900, connSize=1. (root) |
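
As an added example (not Fortinet's code), the following Python parses debug lines in the format of the sample log above and lists the groups and policy IDs bound to each user at logon, then flags groups that are not in an expected set. The function names, the expected-membership mapping and the sample lines are assumptions constructed for illustration; group and user names are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output shown above.
SAMPLE = """\
[624:root:18]add user sslvpntest1 in group sslvpngrp5
[624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp4
[624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp1
[624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1
[624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6
"""

# Bracketed prefix of three colon-separated fields that starts every entry.
PREFIX = r"\[\d+:[^:\]]+:[^\]]+\]"
ADD_GROUP = re.compile(PREFIX + r"add user (\S+) in group (\S+)")
ADD_POLICY = re.compile(
    PREFIX + r"Will add auth policy for policy (\d+) for user ([^:\s]+):")


def summarize(text):
    """Map each user to the groups and policy IDs bound at logon.

    The whole text is scanned rather than matched line by line, so entries
    pasted onto one long line are still picked up.
    """
    out = defaultdict(lambda: {"groups": set(), "policies": set()})
    for user, group in ADD_GROUP.findall(text):
        out[user]["groups"].add(group)
    for policy, user in ADD_POLICY.findall(text):
        out[user]["policies"].add(int(policy))
    return dict(out)


def unexpected_groups(summary, expected):
    """Return {user: groups seen in the log but absent from the expected set}."""
    report = {}
    for user, seen in summary.items():
        extra = seen["groups"] - expected.get(user, set())
        if extra:
            report[user] = extra
    return report


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for user, info in s.items():
        print(user, sorted(info["groups"]), sorted(info["policies"]))
    # Hypothetical expected membership, e.g. exported from the directory.
    print(unexpected_groups(s, {"sslvpntest1": {"sslvpngrp1", "sslvpngrp4"}}))
```

Because each group maps to its own firewall policy, a group that appears here but not in the expected set means the session was granted a policy the account owner may not have intended.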




