jvarouxis
New Member
October 14, 2014
Question

Source User in Policy

Dear All, I have FortiClient IPsec users. I need one user to be able to use RDP through the same VPN tunnel and the others not. The VPN tunnel is working great. When I create a rule and put the user I need to allow RDP for in Source User(s), the RDP traffic stops. If I leave Source User(s) empty in the policy then RDP works, but for everyone. Do you have any idea why this is happening? Thanks in advance.

    11 replies

    jvarouxis (Author)
    New Member
    October 14, 2014
    Forgot to mention that I use an FG100D on 5.2.1 and FortiClient 5.2.1 as well.
    ede_pfau
    SuperUser
    October 14, 2014
    If the user is not matched in the policy, the policy is not applied. So the only explanation I can imagine for what is happening is that you only have one policy towards the tunnel. There need to be at least 2 policies: the first specific to that one user, and the second for all users. Maybe you could post a screenshot of the policy table for clarification.
    jvarouxis (Author)
    New Member
    October 15, 2014
    Dear Ede, thank you for your reply. I have two firewall policies. Please see the screenshot, and see the output from the debug in the CLI. The "msg="Denied by forward policy check (policy 205)"" is from policy 205, which is the one that has the user inside and is first in priority.

    id=20085 trace_id=10 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, X.X.X.X:51221->X.X.X.X:3389) from VPN_PeerA_0. flag , seq 197828979, ack 0, win 8192"
    id=20085 trace_id=10 func=init_ip_session_common line=4517 msg="allocate a new session-004b429f"
    id=20085 trace_id=10 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-x.x.x.x via port1"
    id=20085 trace_id=10 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 205)"
    ede_pfau
    SuperUser
    October 15, 2014
    Could you put policy 171 first, and for service specify "NOT RDP"? Then traffic should fall through to policy 170. The negation option is new to v5.2.
    jvarouxis (Author)
    New Member
    October 15, 2014

    Dear Ede, I did this but the results are the same. The log from the CLI:

    id=20085 trace_id=1011 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, x.x.x.x:51913->x.x.x.x:3389) from VPN_PeerA_0. flag

    Still cannot understand!!! Does this have to do with the fact that I use a peer ID for the VPN? Thanks in advance.

    ede_pfau
    SuperUser
    October 15, 2014
    No, the VPN has nothing to do with this. It's a policy issue. I think we both need to read up on the fall-through mechanism in FOS 5.2.
    jvarouxis (Author)
    New Member
    October 16, 2014
    Dear Ede, I have never used an identity policy in the past. The VPN has split tunneling enabled, so web traffic goes through the local gateway of the PC's connection and not through the tunnel. How will the user authenticate to the FortiGate? I thought that he authenticates by entering his username and password on the VPN tunnel. The only firewall policy that I have is from VPN to LAN. Do you have any example to help? Thanks in advance.
    TuncayBAS
    Explorer
    October 20, 2014
    The user must log on before the RDP rule is applied. Logging on is done through protocols that send credentials: HTTP, FTP, Telnet, etc.
    ede_pfau
    SuperUser
    October 21, 2014

    You have 2 different things here:

    - authentication for a VPN connection

    - authentication through a policy (Identity based policy)


    First, VPN. To establish a VPN connection the user has to enter his credentials in a dialog presented by the FortiClient application. Either username and password are pre-set in the config, or the user enters them interactively.


    So, when a VPN connection is established, traffic arrives at an IB policy.

    Now the user first has to open a session that allows him to enter username and password. There are only a few tools and services that can do so: a browser (using HTTP(S)), a telnet app (using telnet), or an ftp client (using ftp). FortiOS does not support any other service for policy authentication!

    Once the user starts up a browser to access some host behind the tunnel, the firewall will intervene and present a replacement page on which the user can enter his username and password.

    Once authenticated, the user can use any service which is allowed (additionally) in the policy, like ssh, RDP or whatever.


    So I think you missed the policy authentication step. IB policies work independently of VPNs - you could use one to have authenticated access within your LAN if you wish. So the policy doesn't know about the VPN credentials; the user has to enter them explicitly.

    Hope this helps in explaining. Just give it a try please.
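    As an added example, not from the thread or from Fortinet documentation, here is the layout ede_pfau describes in his first reply (a user-specific policy first, a general policy second) and in the post above (the user must authenticate through the policy with a browser before RDP is allowed), written as FortiOS 5.2 CLI. Names and addresses are assumed: the phase1 interface "VPN_PeerA" (the trace only shows the dynamic tunnel VPN_PeerA_0), the LAN on port1 (from the trace), the local user "rdpuser", the group "RDP_allowed" and the RDP host 192.168.1.10. HTTP/HTTPS is included in the user policy so the browser-triggered authentication page has a service to ride on; "set service-negate enable" is assumed to be the CLI form of the "NOT" service option mentioned earlier in the thread. The diagnose commands at the end are the ones that produce the kind of trace quoted earlier, plus the list of users currently authenticated through a policy.

```fortios
# Local user and the group referenced by the RDP policy (names assumed)
config user local
    edit "rdpuser"
        set type password
        set passwd "ChangeMe-Now!"
    next
end
config user group
    edit "RDP_allowed"
        set member "rdpuser"
    next
end

# Protocols that may trigger the policy login page (HTTP/HTTPS/FTP/Telnet only)
config user setting
    set auth-type http https ftp telnet
    set auth-timeout 480
end

# Address object for the RDP host (assumed address)
config firewall address
    edit "RDP_server"
        set subnet 192.168.1.10 255.255.255.255
    next
end

config firewall policy
    # Policy 205: RDP (plus HTTP/HTTPS for the login page) to the RDP host,
    # only for members of RDP_allowed, placed first in the policy table
    edit 205
        set srcintf "VPN_PeerA"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "RDP_server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "RDP"
        set groups "RDP_allowed"
    next
    # Policy 170: everyone on the tunnel, every service except RDP
    # (service negation, assumed to be the CLI form of the GUI "NOT" option)
    edit 170
        set srcintf "VPN_PeerA"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RDP"
        set service-negate enable
    next
    move 205 before 170
end

# Checks: who has authenticated through a policy, and where a port 3389
# packet from the tunnel is accepted or dropped
diagnose firewall auth list
diagnose debug enable
diagnose debug flow filter port 3389
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
# ... open the browser to the RDP host, log in on the page, then start RDP ...
diagnose debug flow trace stop
diagnose debug disable
```

    With this layout, "diagnose firewall auth list" should show rdpuser with the client's tunnel address once the browser login has happened; until then the 3389 packets are evaluated by policy 205 and, as in the trace above, the user-bound policy is what denies them.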

    Nihas
    New Member
    October 24, 2014

    Can't you use a captive portal for this?