muhammadsaad
New Member
July 12, 2025
Solved

Request for Guidance on Configuring Per-User Firewall Policies for SSL VPN Access

  • July 12, 2025
  • 5 replies
  • 1452 views

Hello Team,

We are currently working on configuring per-user firewall policies for SSL VPN access using both LDAP and Azure IdP (with MFA) to restrict access to specific destinations for individual users.

Our FortiGate firewall is successfully integrated with Microsoft Azure IdP for SSL VPN authentication using token-based MFA. Additionally, we have integrated our on-premises Active Directory with the FortiGate firewall for SSL VPN access.

However, when creating firewall policies, we are encountering a limitation where policies are applied at the group level, rather than allowing us to define policies for individual users.

Can someone advise on the best workaround for this scenario? Specifically:

  • Do we need to create individual user groups in Active Directory and Azure IdP for each user to achieve per-user control?

  • Alternatively, is there a method to configure this directly on the FortiGate firewall?

We are also utilizing FortiClient EMS for managing remote access VPN policies. If there's a way to allow or restrict specific destinations for individual users through EMS, please advise that as well.
Thanks

Best answer by sjoshi

Hi @muhammadsaad,

Go to the user definition on FortiGate:

[screenshot: 12.PNG]

You will get the option of importing LDAP and RADIUS users directly on the FGT, but there is no option to import SAML Azure IdP users directly on the FGT. This feature is not yet present on the FGT.

5 replies

muhammadsaad
New Member
July 14, 2025

Hi,

Can someone provide assistance on this?

RBA
Staff
July 14, 2025
muhammadsaad
New Member
July 14, 2025

Hi, thanks for your reply.
The provided article is based on local Fortinet users, whereas currently we are working with on-prem Active Directory and Microsoft Azure IdP for MFA authentication.
So we request that you please advise us.

sjoshi
Staff
July 14, 2025

Hi @muhammadsaad,

It is possible to enable MFA and also create a per-user policy for an LDAP user.
Refer to:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-FortiGate-to-use-an-LDAP-server/ta-p/196141
You need to import the LDAP user on the FGT; after that you can create a per-user-based policy.

For Azure IdP it is not possible to create a per-user-based policy, as you can't import individual users like LDAP, and only a group-based policy can be created.

Thanks, Salon
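The approach described in this reply (import the LDAP user into the FortiGate user definition, then reference that single user in the policy), written out as an added FortiOS CLI example; this is not configuration from the thread or from Fortinet's documentation. It assumes an LDAP server object named AD-LDAP, an AD account jdoe, a destination address object Finance-Server, and interfaces ssl.root and port1.

```fortios
# Added example (not from the post): LDAP server object, a single LDAP-backed
# user imported into the FortiGate user definition, and an SSL VPN policy that
# matches that user instead of a group.
# Assumed names: AD-LDAP, jdoe, Finance-Server, ssl.root, port1.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.5"            # constructed sample IP of the DC
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=example,dc=local"
        set password "********"          # placeholder, use a dedicated bind account
        set secure ldaps                 # LDAP over TLS rather than cleartext on 389
        set port 636
    next
end

# The per-user object: a local user whose password is verified against AD.
# This is what the "import LDAP user" action in the GUI creates.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
    next
end

# Policy from the SSL VPN tunnel interface, scoped to one user and one destination.
# "set users" is what gives per-user control; groups can still be listed alongside it.
config firewall policy
    edit 0
        set name "SSLVPN-jdoe-to-Finance"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Finance-Server"
        set users "jdoe"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all               # log allowed sessions for audit and detection
    next
end
```

The user also has to be permitted by the SSL VPN authentication rule (under config vpn ssl settings) for the tunnel to come up at all; the policy above only controls what that authenticated user may reach.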
muhammadsaad
New Member
July 14, 2025

Hi @sjoshi ,

Many thanks for the help. Could you please let me know the reason that a user-based policy can't be imported in the case of Azure IdP?

(Just because FortiClient EMS is only integrated with On-Prem Active Directory)

or something else?

sjoshi
Staff
July 14, 2025

Thanks, Salon
muhammadsaad
New Member
July 16, 2025

Hi @sjoshi ,

Thank you for the help and support.