acvaldez (Staff)
Description: This article describes how the FortiGate matches an SSL-VPN user to every user group the user belongs to once the user has authenticated on SSL-VPN.
Scope: FortiGate.
Solution

- 'sslvpntest1' is used as the sample SSL-VPN user.

 

- 'sslvpntest1' is a member of 'sslvpngrp1', 'sslvpngrp2', 'sslvpngrp3', 'sslvpngrp4' and 'sslvpngrp5'.

 


 

- Make sure that an IPv4 firewall policy (with the SSL-VPN tunnel interface as source interface) has been configured for each of the groups that 'sslvpntest1' is part of. The user is only matched to a group at logon if a firewall policy references that group.

 


 

- Once 'sslvpntest1' authenticates on SSL-VPN, all the groups that 'sslvpntest1' is part of are visible under FIREWALL USER MONITOR.

 


 

- The same information is shown in the CLI by running # get vpn ssl monitor.

 

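The configuration behind the steps above, written out in FortiOS CLI form. This is an added example and not the configuration from the original article or its screenshots: the user and group names are the ones the article uses, while the interface names port1/port2, the address object SSLVPN_TUNNEL_ADDR1, the portal name and the policy IDs 3 to 7 are assumptions.

```fortios
# Added example, not from the original article: the CLI form of the setup in
# the screenshots. Interface names port1/port2, the address object
# SSLVPN_TUNNEL_ADDR1, the portal name and policy IDs 3-7 are assumptions.
config user local
    edit "sslvpntest1"
        set passwd "replace-with-a-strong-passphrase"
    next
end
# sslvpntest1 belongs to all five groups
config user group
    edit "sslvpngrp1"
        set member "sslvpntest1"
    next
    edit "sslvpngrp2"
        set member "sslvpntest1"
    next
    edit "sslvpngrp3"
        set member "sslvpntest1"
    next
    edit "sslvpngrp4"
        set member "sslvpntest1"
    next
    edit "sslvpngrp5"
        set member "sslvpntest1"
    next
end
# SSL-VPN login: the groups must be allowed by an authentication rule
config vpn ssl settings
    set source-interface "port1"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "sslvpngrp1" "sslvpngrp2" "sslvpngrp3" "sslvpngrp4" "sslvpngrp5"
            set portal "full-access"
        next
    end
end
# One IPv4 policy per group from the SSL-VPN tunnel interface (ssl.root).
# After logon fnbamd matches the user against each of these; in the article's
# debug output they appear as policy 3 to 7.
config firewall policy
    edit 3
        set name "sslvpn-grp1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngrp1"
    next
    edit 4
        set name "sslvpn-grp2"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngrp2"
    next
    edit 5
        set name "sslvpn-grp3"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngrp3"
    next
    edit 6
        set name "sslvpn-grp4"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngrp4"
    next
    edit 7
        set name "sslvpn-grp5"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngrp5"
    next
end
```

After the user logs in, # get vpn ssl monitor and # diagnose firewall auth list both list the user together with every matched group. Note the access-control consequence: the user gets an auth policy entry for each group, so the effective access of 'sslvpntest1' is the union of all five policies. When reviewing group membership, treat adding a user to a group as granting every policy that references that group.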

 

- For debugging, run these commands (and turn debugging off again with # diag debug disable when finished):

# diag debug app fnbamd -1
# diag debug en

 

- The sample fnbamd debug output below shows how the FortiGate adds 'sslvpntest1' to each of its groups and installs an auth policy entry for every firewall policy that references one of those groups (policies 3 to 7, one per group) after the user authenticates on SSL-VPN.

 

[624:root:18]add user sslvpntest1 in group sslvpngrp5
[624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp4
[624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp3
[624:root:18]Will add auth policy for policy 5 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp2
[624:root:18]Will add auth policy for policy 4 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp1
[624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1
[624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6
[624:root:18]fsv_associate_fd_to_ipaddr:1910 associate 10.212.134.200 to tun (ssl.root:37)
[624:root:18]proxy arp: scanning 6 interfaces for IP 10.212.134.200
[624:root:18]Cannot determine ethernet address for proxy ARP
[624:root:17]sslvpn_read_request_common,679, ret=-1 error=-1, sconn=0x7feb1b378900.
[624:root:17]Destroy sconn 0x7feb1b378900, connSize=1. (root)
