raffaeledp
Explorer III
October 17, 2024
Solved

Can't filter firewall policy based on user group

  • October 17, 2024
  • 2 replies
  • 2284 views

Hello everybody, 

I have a firewall policy regarding an IPSEC tunnel.


Screenshot 2024-10-17 alle 20.26.24.png

This policy is saying that all the addresses that belong to ipsec_range can reach the internal destinations.

This policy, if I connect, is working fine:

Screenshot 2024-10-17 alle 20.26.43.png

I can reach one of my VMs:

Screenshot 2024-10-17 alle 20.27.21.png


Everything is all right.

What's the problem?

The user that has connected to the tunnel, belongs to a group:

Screenshot 2024-10-17 alle 20.27.43.png 

Let's suppose I want to say:

I want to filter the source not only by ip address, but also by user group.

Screenshot 2024-10-17 alle 20.33.35.png

The same user has an address in ipsec_range and also belongs to IPSEC_USER.

Everything should be okay, right?

No! I can't reach my VM anymore. What am I doing wrong?

Screenshot 2024-10-17 alle 20.28.11.png



HiralShah (Staff), October 17, 2024

Hello @raffaeledp

Can you please provide a screenshot of your tunnel configuration? Is it set to IKE mode 1 or 2?

That is expected behavior if you have XAUTH set to Auto Server and a user group mentioned in the IPsec dialup tunnel.

You can check the document below:

https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiClient-Dialup-IPsec-VPN-Split-Tunneling/ta-p/192207

raffaeledp (Explorer III), October 17, 2024

This is my configuration:

Screenshot 2024-10-17 alle 22.03.00.png

Screenshot 2024-10-17 alle 22.03.07.png

Screenshot 2024-10-17 alle 22.03.12.png

HiralShah (Staff), October 17, 2024 (accepted answer)

Hello @raffaeledp

Thank you for sharing your configuration.

Then this is your expected behavior. If you want to use a user group in the policy, just select the option "Inherit from policy" in the XAUTH user group.
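The two setups discussed above, written out as FortiOS CLI. This is an added example and not the poster's or the staff's configuration; only ipsec_range and IPSEC_USER come from the thread, while the tunnel name "ipsec_dialup", the interfaces "wan1" and "port2", the address object "internal_net" and the member user "alice" are placeholders. It also assumes that the GUI option "Inherit from policy" corresponds to leaving `authusrgrp` unset on the phase 1.

```text
# Added example (not from the thread). Placeholders: ipsec_dialup, wan1, port2,
# internal_net, alice. Real names from the thread: ipsec_range, IPSEC_USER.

# --- User group the dialup user belongs to ---
config user group
    edit "IPSEC_USER"
        set member "alice"
    next
end

# --- Phase 1 (dialup tunnel): the failing combination ---
# XAUTH is "Auto Server" AND the group is bound to the tunnel. Group membership is
# consumed by the tunnel, so a policy that also requires IPSEC_USER has no user
# identity to match and drops the traffic that the address-only policy allowed.
config vpn ipsec phase1-interface
    edit "ipsec_dialup"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "IPSEC_USER"
        set psksecret PSK-PLACEHOLDER
    next
end

# --- Phase 1: the working combination ("Inherit from policy") ---
# Assumption: the GUI choice maps to an unset authusrgrp, so the group check is
# left to the firewall policy instead of the tunnel.
config vpn ipsec phase1-interface
    edit "ipsec_dialup"
        set xauthtype auto
        unset authusrgrp
    next
end

# --- Firewall policy that filters on source address AND user group ---
config firewall policy
    edit 0
        set name "ipsec_to_internal"
        set srcintf "ipsec_dialup"
        set dstintf "port2"
        set srcaddr "ipsec_range"
        set dstaddr "internal_net"
        set groups "IPSEC_USER"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Checks after the user reconnects ---
# The gateway list should show the tunnel up with the XAUTH user, and the
# authenticated-user list is what policy group matching is evaluated against.
diagnose vpn ike gateway list
diagnose firewall auth list
```

The point of the two phase 1 blocks is that the group may be enforced in exactly one place: either on the tunnel (address-only policy) or on the policy (tunnel inherits), never both.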

rsondal (Staff), October 17, 2024

Hi,

Are you using the same group under the VPN tunnel configuration? You can follow the document below for that. You need to use the group either on the policy or on the tunnel configuration.

Using group based firewall policy for Dia... - Fortinet Community


Regards

Rakesh

raffaeledp (Explorer III), October 18, 2024

Thank you very much!