Technical Tip: Restrict specific user access to one interface on a multi-interface SSLVPN
Description
In some scenarios, the SSL VPN is configured to listen on two interfaces.
This article explains how to allow a specific user access through one specific interface only.
Solution
Note: In the following configuration there are two source interfaces, port13 and wan1, and authentication rules 1 and 2 specify neither a source-address nor a source-interface.
In that case, both users can connect through either listen interface, port13 or wan1.
# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port13" "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set users "arifnoor"
            set portal "full-access"
        next
        edit 2
            set users "chowdhury"
            set portal "full-access"
        next
    end
end

If it is required to restrict this (for example, user "arifnoor" should have access only through wan1 and user "chowdhury" only through port13), set the source-interface on each authentication rule as follows:
# FG201E-1 (settings) # sh
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port13" "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set users "arifnoor"
            set portal "full-access"
        next
        edit 2
            set source-interface "port13"
            set source-address "all"
            set users "chowdhury"
            set portal "full-access"
        next
    end
end
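The following script is an added example, not part of this article or of Fortinet's own tooling. It parses a FortiOS CLI dump of "config vpn ssl settings" in the format shown above and reports, for every authentication rule, which listen interfaces the rule will match on, flagging rules that have no source-interface and therefore match on every interface in the global source-interface list. The sample configuration embedded in the script is constructed: it is the article's configuration with only rule 1 restricted, so that rule 2 is the one that gets flagged.

```python
import shlex

# Constructed sample: the article's configuration with only rule 1 fixed, so
# rule 2 still lacks a source-interface and should be reported.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "port13" "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set users "arifnoor"
            set portal "full-access"
        next
        edit 2
            set users "chowdhury"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts.

    'config <name>' opens a table, 'edit <id>' opens an entry inside it,
    'set <key> <values...>' stores a list of values on the current node,
    and 'next' / 'end' pop back one level. Prompt echoes starting with '#'
    and blank lines are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def effective_interfaces(text):
    """For each SSL VPN authentication rule, work out which listen interfaces it matches.

    A rule without its own 'source-interface' inherits every interface in the
    global 'set source-interface' list, which is the situation the article warns
    about. Returns {rule_id: {"users": [...], "interfaces": [...], "restricted": bool}}.
    """
    settings = parse_fortios(text).get("vpn ssl settings", {})
    listen = settings.get("source-interface", [])
    report = {}
    for rule_id, rule in settings.get("authentication-rule", {}).items():
        own = rule.get("source-interface")
        if own:
            # A rule can only match on an interface the VPN actually listens on.
            interfaces = [i for i in own if i in listen]
        else:
            interfaces = list(listen)
        report[rule_id] = {
            "users": rule.get("users", []) + rule.get("groups", []),
            "interfaces": interfaces,
            "restricted": bool(own),
        }
    return report


def unrestricted_rules(text):
    """Rule ids that match on more than one listen interface because they set no source-interface."""
    return [rid for rid, info in effective_interfaces(text).items()
            if not info["restricted"] and len(info["interfaces"]) > 1]


if __name__ == "__main__":
    for rid, info in effective_interfaces(SAMPLE_CONFIG).items():
        state = "restricted" if info["restricted"] else "UNRESTRICTED"
        print(f"rule {rid}: users={info['users']} interfaces={info['interfaces']} ({state})")
    print("rules to fix:", unrestricted_rules(SAMPLE_CONFIG))
```

Run it against a "show" dump of the settings taken from the unit (replace SAMPLE_CONFIG with the captured text); any rule id it prints under "rules to fix" is one where a source-interface still needs to be set, as in the corrected configuration above.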