plejon
New Member
August 4, 2015
Question

[SOLVED] VPN policies for specific user/group

I'm trying to get the SSL VPN policies working based on groups.

I'm using:

  • FortiGate 200D cluster
  • v5.0,build0318 (GA Patch 12)
  • 5-8 different groups on the firewall

Each group is polling a RADIUS server (FortiAuthenticator) and asking for users in a specified group on that server.

FortiAuthenticator is polling my Active Directory server for members of various groups for its own groups.

I know it sounds messy, but everything works. I'm just having some problems on the actual SSL VPN on the firewall.

I just can't get it working with applying the SSL VPN policies.

From what I know, I should do the following.

Policy type: SSL-VPN

Incoming Interface: Outside(wan)

Remote Address: All

Local Interface: Inside_srv

Local Protected Subnet: 192.168.85.0/24

Configure SSL-VPN Authentication Rules

Group(s): just a test group that I'm a member of.

User(s): none

Schedule: always

SSL-VPN Portal: full-access (only one that exists)

Action: Accept

But this does not work. In order for it to work I have to apply another normal policy that says ssl.root --> inside_srv in order for traffic to pass. And in the SSL-VPN policy, I can pretty much specify any network, and traffic still passes with the "normal" policy.

    plejon (Author)
    New Member
    August 20, 2015

    Alright, solved this.

    Apparently, you need to set the VPN policies to the ssl.root if you're using interfaces in zones.

    If I do not have zones, then I can just create a VPN rule that states

    outside --> inside (vpn policy)

    but, if you have interfaces in a zone you'll need

    outside --> ssl.root (vpn policy)

    ssl.root --> inside (firewall policy)

    I actually got help from our Forti partner to figure it out.

    Kinda random really, because I want to use VPN policies based on users, not networks and lots of different SSL portals.

    ATM, the VPN policy is authing users, so I cannot place more auth-based normal firewall policies because users have already been authed by the first rule.
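The two-policy pattern from the reply (outside --> ssl.root as the SSL-VPN policy, then ssl.root --> inside as a plain firewall policy), written out as FortiOS 5.0-style CLI. This is an added example, not the poster's or the partner's configuration: the interface name "Outside", the zone "Inside_srv" and the subnet 192.168.85.0/24 are taken from the question, while the address object "Inside_srv_net", the group "vpn_test_group", the policy IDs and the use of the default tunnel pool object "SSLVPN_TUNNEL_ADDR1" are assumptions; command names are from memory of the 5.0 CLI and should be checked against `show firewall policy` on the unit.

```fortios
# Added example, not the original poster's config. Names below marked "assumed"
# are placeholders; everything else comes from the forum question.

# Address object for the protected subnet named in the question (object name assumed).
config firewall address
    edit "Inside_srv_net"
        set subnet 192.168.85.0 255.255.255.0
    next
end

# 1) SSL-VPN policy: Outside --> ssl.root.
#    This is the rule that authenticates the user against the RADIUS-backed
#    group and hands out the portal. With interfaces in zones, dstintf must be
#    ssl.root rather than the inside zone (the point of the reply).
config firewall policy
    edit 10
        set srcintf "Outside"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "Inside_srv_net"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "vpn_test_group"      # assumed RADIUS-backed group
                set portal "full-access"         # the only portal on the poster's unit
            next
        end
    next
end

# 2) Plain firewall policy: ssl.root --> Inside_srv zone.
#    The user is already authenticated by policy 10, so this rule cannot
#    re-authenticate; keep it narrow instead: tunnel pool as source, only the
#    protected subnet as destination, only the services VPN users need, logged.
config firewall policy
    edit 11
        set srcintf "ssl.root"
        set dstintf "Inside_srv"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"        # assumed: default tunnel IP pool object
        set dstaddr "Inside_srv_net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"                # assumed: restrict to what is actually required
        set logtraffic all
    next
end
```

Because only policy 10 sees the user's identity, per-group control has to live there: one identity-based entry per group, each mapped to its own portal (and, in tunnel mode, its own IP pool), so that the ssl.root --> inside policies can still tell groups apart by source address even though they cannot authenticate again. Reviewing `show firewall policy` for any ssl.root --> inside rule with `set dstaddr "all"` is the quick check for the over-broad second rule the question describes.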