matanaskovic
Staff
Article Id 220609
Description This article describes how a per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that the administrator is assigned to. The interface must also be configured to allow management access. Users can also connect to the FortiGate using the console port.
Scope FortiGate v7.2.1
Solution

Under the 'Global' VDOM, allocate the LAN interface to the new VDOM 'South', which has already been created.

In the 'South' VDOM, the newly allocated interface is now visible.

Next, create an LDAP remote server and an LDAP user group under the 'South' VDOM. These will be used to authenticate users when they log in to the FortiGate.

In the 'Global' VDOM, create a wildcard LDAP administrator that will have access to the FortiGate only over the network interface (port9) that belongs to the VDOM 'South'.

Test FortiGate GUI access from a remote workstation that is on the same subnet as the network interface port9, which is assigned to the VDOM 'South'.

LDAP remote authentication is working.
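
The steps above expressed as FortiOS CLI, as an added example that is not part of the original article. port9, the VDOM 'South' and the wildcard LDAP administrator come from the article; the object names LDAP-South, South-Admins and ldap-south-admins, the server address, the DNs, the bind password placeholder, the allowaccess protocols, the prof_admin profile and the use of LDAPS are assumptions. Lines starting with # are annotations for the reader.

```fortios
# Step 1 (global): assign port9 to VDOM South and allow management access on it.
# The allowaccess protocols are an assumption; enable only what is needed.
config global
    config system interface
        edit "port9"
            set vdom "South"
            set allowaccess https ssh
        next
    end
end
# Step 2 (VDOM South): LDAP server and user group used for admin logins.
# Server address, DNs and <bind-password> are constructed placeholders.
config vdom
    edit "South"
        config user ldap
            edit "LDAP-South"
                set server "192.0.2.10"
                set cnid "sAMAccountName"
                set dn "dc=example,dc=com"
                set type regular
                set username "cn=svc-fgt,cn=Users,dc=example,dc=com"
                set password <bind-password>
                set secure ldaps
                set port 636
            next
        end
        config user group
            edit "South-Admins"
                set member "LDAP-South"
            next
        end
    next
end
# Step 3 (global): wildcard administrator scoped to VDOM South only.
# Any LDAP user matched by the group can log in, limited to this VDOM.
config global
    config system admin
        edit "ldap-south-admins"
            set remote-auth enable
            set wildcard enable
            set remote-group "South-Admins"
            set accprofile "prof_admin"
            set vdom "South"
        next
    end
end
```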

 

Troubleshooting:

# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug enable

Related KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-administrator-authentication-with-m...

https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/32293/general-configurations...
