FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the behavior of the certificate setting for PKI users
Scope
FortiGate.
Solution
By default, Certificate authentication matches, and the user can log in to SSL VPN if the account subject string on FortiGate matches part of the information in the certificate subject. If the requirement is that the PKI user's subject should fully match the certificate subject, the following settings can be adjusted:
config vpn certificate setting
set subject-match substring|value set cn-match substring|value
end
The matching is substring-based by default, but this is configurable using the above CLI commands. 'value' means the exact match.
