FortiGate
_mribwan
Staff
Article Id 405872
Description This article describes how FortiGate selects the portal for a user belonging to multiple groups on SSL VPN.
Scope FortiGate.
Solution

[Image: Screenshot 2025-08-11 163159.png]

User Fortinet belongs to both GroupA and GroupB. The portal of GroupA assigns an IP in subnet 10.0.3.0/24, while the portal of GroupB assigns an IP in subnet 10.0.6.0/24:

Lab-FGT (portal) # show
config vpn ssl web portal
    edit "GroupA-Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "10.0.3.0/24"
        set split-tunneling disable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "GroupB-Portal"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "10.0.6.0/24"
        set split-tunneling disable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

SSL VPN settings, portal sequence:

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "Fortinet_Factory"
    set login-attempt-limit 0
    set tunnel-ip-pools "10.0.3.0/24" "10.0.6.0/24"
    set port 4433
    set source-interface "port3"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GroupB"
            set portal "GroupB-Portal"
        next
        edit 2
            set groups "GroupA"
            set portal "GroupA-Portal"
        next
    end
end

FortiGate selects the portal based on the sequence of the SSL VPN firewall policies, not the order of the authentication rules. If a single policy references multiple groups, the groups are evaluated from left to right, in the order they are listed in that policy.

In the current setup, the firewall policy for GroupA is higher in the policy sequence, so the user receives a source IP from subnet 10.0.3.0/24 (the GroupA portal), even though in the SSL VPN settings the GroupA portal (authentication rule 2) is listed below the GroupB portal (authentication rule 1):

[Image: Screenshot 2025-08-11 163300.png]

If none of the user’s groups match any SSL VPN policy, FortiGate falls back to the default portal.
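
The selection order described above, as an added Python model (not Fortinet code) you can use to predict which portal and tunnel pool a multi-group user will land in. The authentication rules and pools are parsed from the article's own CLI output; the firewall policy order is constructed to match the article's scenario (GroupA policy above GroupB policy), since the page shows it only as a screenshot.

```python
import re

# Trimmed copy of the article's `config vpn ssl settings` output.
SSL_SETTINGS = """\
config vpn ssl settings
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "GroupB"
            set portal "GroupB-Portal"
        next
        edit 2
            set groups "GroupA"
            set portal "GroupA-Portal"
        next
    end
end
"""
# Tunnel pools from the article's `config vpn ssl web portal` output.
PORTAL_POOLS = {"GroupA-Portal": "10.0.3.0/24", "GroupB-Portal": "10.0.6.0/24"}
# Constructed firewall policy order matching the article: GroupA policy on top.
POLICIES = [{"id": 1, "groups": ["GroupA"]}, {"id": 2, "groups": ["GroupB"]}]

def parse_auth_rules(text):
    """Return (default_portal, {group: portal}) from an SSL settings dump."""
    default = re.search(r'set default-portal "([^"]+)"', text).group(1)
    rules, pending = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("set groups "):
            pending = re.findall(r'"([^"]+)"', line)
        elif line.startswith("set portal "):
            rules.update({g: re.findall(r'"([^"]+)"', line)[0] for g in pending})
    return default, rules

def select_portal(user_groups, policies, default_portal, rules):
    """Walk SSL VPN firewall policies top-down and each policy's groups left to
    right; the first group the user belongs to decides the portal. No matching
    policy at all falls back to the default portal."""
    for policy in policies:
        for group in policy["groups"]:
            if group in user_groups:
                return rules.get(group, default_portal)
    return default_portal

def assigned_pool(user_groups, policies=POLICIES):
    """Portal and tunnel IP pool a user lands in under this configuration."""
    default, rules = parse_auth_rules(SSL_SETTINGS)
    portal = select_portal(user_groups, policies, default, rules)
    return portal, PORTAL_POOLS.get(portal)  # default portal has no tunnel pool here
```

Swapping the policy order, or listing "GroupB" before "GroupA" inside one policy, moves the user to 10.0.6.0/24, which is why firewall policies that key on the tunnel subnet should be reviewed together with the policy sequence.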

Result:

 

Screenshot 2025-08-11 163359.png

 

Note:

Starting from v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN'.