Created on 09-13-2021 02:13 AM Edited on 05-26-2022 07:40 AM By Anonymous
Description
This article describes how the firewall allocates an SSL VPN portal to an authenticated user.
Solution
1) SSL VPN authentication and portal selection.
- A user tries to connect to the FortiGate SSL VPN (using a web browser or FortiClient), supplying login credentials.
- FortiOS performs an Authentication/Portal Mapping lookup and selects the possible matches (for local or remote credential verification).
- Once the credentials are verified, the firewall performs the firewall policy lookup from top to bottom over the SSL VPN policies, matching on:
'srcintf', which must be the SSL VPN interface (ssl.<VDOM_name>).
'user/group' field, where the user authorization is defined.
Note.
User based Authentication/Portal Mapping and firewall policies have priority in portal selection over group based allocation.
- The first SSL VPN firewall policy that matches the user/group defines which SSL VPN portal is selected for the login.
2) SSL VPN access.
Once a user is authenticated and granted access to the SSL VPN, the traffic from the user's VPN session is not limited to the SSL VPN policy that was used for portal selection: each flow generated by the user is matched against all SSL VPN firewall policies.
Note.
If the user is a member of multiple groups, all of those groups are used when matching the user's VPN traffic (not only the group used for VPN portal matching).
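The following model illustrates the two behaviours above (portal selection in section 1 and per-flow policy matching in section 2). It is an added example, not FortiOS code or a Fortinet tool: the policy table, group names, addresses and portal names are constructed, and the note that user-based entries take priority over group-based ones is applied by checking user-based matches before group-based ones. The audit helper at the end lists the policies that can carry a user's traffic beyond the one that selected the portal, which is the practical consequence of the second note.

```python
"""Model of SSL VPN portal selection and per-flow policy matching as described
in the article.  Added illustration, not FortiOS code: the policy table,
group names, addresses and portal names are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """Subset of a firewall policy that matters for the lookup (constructed)."""
    policy_id: int
    srcintf: str                       # SSL VPN policies use ssl.<VDOM_name>
    portal: str                        # portal granted when this policy selects the login
    groups: frozenset = frozenset()    # group-based entries in the user/group field
    users: frozenset = frozenset()     # user-based entries in the user/group field
    dstaddr: str = "0.0.0.0/0"
    services: frozenset = frozenset({"ALL"})


def sslvpn_policies(policies, vdom="root"):
    """Only policies whose source interface is the SSL VPN interface count."""
    return [p for p in policies if p.srcintf == f"ssl.{vdom}"]


def identity_matches(policy, user, groups):
    """True if the user/group field of the policy covers this user."""
    return user in policy.users or bool(policy.groups & groups)


def select_portal(policies, user, groups, vdom="root"):
    """Portal selection (section 1): top-to-bottom over SSL VPN policies.
    User-based entries are checked before group-based ones, which is how this
    model applies the article's priority note.  Returns (policy_id, portal)."""
    candidates = sslvpn_policies(policies, vdom)
    for p in candidates:
        if user in p.users:
            return p.policy_id, p.portal
    for p in candidates:
        if p.groups & groups:
            return p.policy_id, p.portal
    return None


def match_flow(policies, user, groups, dst_ip, service, vdom="root"):
    """Flow matching (section 2): each flow is checked against every SSL VPN
    policy using all of the user's groups, not only the portal policy.
    Returns the id of the first matching policy, or None if the flow is dropped."""
    dst = ip_address(dst_ip)
    for p in sslvpn_policies(policies, vdom):
        if not identity_matches(p, user, groups):
            continue
        if dst not in ip_network(p.dstaddr):
            continue
        if "ALL" in p.services or service in p.services:
            return p.policy_id
    return None


def policies_beyond_portal(policies, user, groups, vdom="root"):
    """Audit helper: SSL VPN policies that can carry this user's traffic but did
    not select the portal.  A non-empty list means the portal shown at login
    understates what the user's session can actually reach."""
    selected = select_portal(policies, user, groups, vdom)
    selected_id = selected[0] if selected else None
    return sorted(p.policy_id for p in sslvpn_policies(policies, vdom)
                  if identity_matches(p, user, groups) and p.policy_id != selected_id)


# Constructed policy table, in top-to-bottom lookup order.
POLICIES = [
    Policy(11, "ssl.root", "web-access", groups=frozenset({"vpn_users"}),
           dstaddr="10.10.0.0/24", services=frozenset({"HTTPS"})),
    Policy(10, "ssl.root", "full-access", groups=frozenset({"vpn_admins"})),
    Policy(12, "ssl.root", "restricted", users=frozenset({"dave"}),
           dstaddr="10.10.0.0/24", services=frozenset({"HTTPS"})),
    Policy(20, "port2", "full-access", groups=frozenset({"vpn_users"})),  # not an SSL VPN policy
]

if __name__ == "__main__":
    for user, groups in [("bob", {"vpn_users"}),
                         ("carol", {"vpn_users", "vpn_admins"}),
                         ("dave", {"vpn_admins"})]:
        print(user, "portal:", select_portal(POLICIES, user, groups),
              "| SSH to 10.20.0.5 allowed by:", match_flow(POLICIES, user, groups, "10.20.0.5", "SSH"),
              "| policies beyond portal:", policies_beyond_portal(POLICIES, user, groups))
```

Running it shows the point of both notes: carol, a member of both groups, is given the web-access portal because policy 11 matches first, yet her SSH flow is still accepted by policy 10 through her vpn_admins membership; dave gets the user-based restricted portal from policy 12 at the bottom of the table, but policy 10 still carries his traffic. Reviewing SSL VPN policies per user with a check like `policies_beyond_portal` catches these cases before they are relied on as access restrictions.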
Copyright 2025 Fortinet, Inc. All Rights Reserved.