Troubleshooting Tip: FortiSASE Traffic Policy Limitation: Unable to Enforce Specific Source IP and VPN SSO User in FortiSASE
Description
This article describes a limitation in FortiSASE traffic policy configuration, where it is not possible to enforce both a specific source IP address and a specific VPN SSO user within the same policy. The system prioritizes the VPN SSO group match, causing the source IP condition to be overridden.
Scope
FortiSASE.
Solution
When a traffic policy includes both a specific VPN SSO group and a source IP address, the policy matches only the VPN SSO group. The source IP condition is not enforced.
It is not possible to configure a policy for an individual VPN SSO user. In scenarios where access needs to be limited to a single user within a VPN SSO group, this results in undesired policy matching.
As an example, the FortiSASE private access policy named 'private' is configured with the user group 'test1' and the source IP 172.31.0.5, with the intent of allowing traffic only from that specific source address.

The intended use case for this policy is to allow access only when the user belongs to the VPN group 'test1' and has the source IP 172.31.0.5. However, the policy is matched by all users in the group 'test1', regardless of the defined source IP.
As a workaround, change the Source Scope of the policy to Edge Device and specify the desired source IP. With this configuration the policy functions as expected and the source IP condition is correctly enforced.
The issue is fixed in v25.3.a, which is scheduled to be released in August.
