Created on 02-21-2025 05:23 AM
Edited on 06-12-2025 04:21 AM
By Jean-Philippe_P
Description: This article describes how FortiGate selects the SSL VPN authentication rule when the firewall policies for SSL VPN traffic mix user and group objects: users are checked first, then groups.
Scope: FortiGate.
Solution: In the example below, a local user 'test' is a member of the group 'testgroup'; one firewall policy references the group 'testgroup' and another references the user 'test'.
config user local
    edit "test"
        set type password
        set passwd 123456
    next
end
config user group
    edit "testgroup"
        set member "test"
    next
end
Firewall policies:
config firewall policy
    edit 1
        set name "FW-POLICY-A"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "testgroup"
    next
    edit 2
        set name "FW-POLICY-B"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "test"
    next
end
SSL VPN configuration:
config vpn ssl settings
    set servercert "certtest"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 11443
    set source-interface "port1"
    set source-address "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "testgroup"
            set portal "web-access"
        next
    end
end
When the user logs in to the SSL VPN portal, FortiGate first checks whether a firewall policy references the user directly as its source (policy 2, FW-POLICY-B, in this case). Because one does, it then looks for an SSL VPN authentication rule that references the user 'test' itself, not the user's groups. The only configured authentication rule references the group 'testgroup', so nothing matches: even though 'test' is a member of 'testgroup', the login matches rule 0, which means the default portal ('tunnel-access' from default-portal) rather than the 'web-access' portal assigned to the group. Keep this in mind when the default portal is more permissive than the portal in the group rule: a single user-based firewall policy is enough to change which portal that user receives.
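The selection order described above, as an added illustration that is not FortiOS code: the function below models the behaviour the article describes (a firewall policy naming the user makes FortiGate consider only authentication rules naming the user; otherwise the user's groups are tried; nothing matching means rule 0 and the default portal) and runs it against the page's configuration. The two variations at the end (dropping the user-based policy, adding a user-based authentication rule) extrapolate from the "users first, then groups" rule and are not shown on the page. The names 'test', 'testgroup', 'tunnel-access' and 'web-access' come from the article; the classes, function names and the ascending rule order are assumptions made for this example.

```python
"""Model of the SSL VPN authentication-rule selection order described in the article.

Added example, not FortiOS code.  Classes and function names are assumptions;
the user, group and portal names come from the article's configuration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FirewallPolicy:
    policy_id: int
    users: List[str] = field(default_factory=list)    # 'set users'
    groups: List[str] = field(default_factory=list)   # 'set groups'


@dataclass
class AuthRule:
    rule_id: int
    portal: str                                       # 'set portal'
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)


@dataclass
class SslVpnSettings:
    default_portal: str                               # 'set default-portal'
    rules: List[AuthRule]


def select_auth_rule(user: str, user_groups: List[str],
                     policies: List[FirewallPolicy],
                     settings: SslVpnSettings) -> Tuple[int, str]:
    """Return (rule number, portal) for a login by `user`.

    Order as described in the article: users first, then groups.
      1. If any firewall policy names the user directly, only authentication
         rules that name the user are candidates (the user's groups are not tried).
      2. Otherwise, authentication rules naming one of the user's groups are candidates.
      3. No candidate: rule 0, i.e. the default portal.
    Rules are taken in ascending number order (an assumption of this model).
    """
    if any(user in p.users for p in policies):
        candidates = [r for r in settings.rules if user in r.users]
    else:
        candidates = [r for r in settings.rules if set(r.groups) & set(user_groups)]
    if not candidates:
        return 0, settings.default_portal
    rule = min(candidates, key=lambda r: r.rule_id)
    return rule.rule_id, rule.portal


# Constructed from the article's configuration.
POLICIES = [
    FirewallPolicy(1, groups=["testgroup"]),   # FW-POLICY-A
    FirewallPolicy(2, users=["test"]),         # FW-POLICY-B
]
SETTINGS = SslVpnSettings(
    default_portal="tunnel-access",
    rules=[AuthRule(1, portal="web-access", groups=["testgroup"])],
)
USER, USER_GROUPS = "test", ["testgroup"]


def article_case() -> Tuple[int, str]:
    """The page's scenario: policy 2 names the user, so the group rule is skipped."""
    return select_auth_rule(USER, USER_GROUPS, POLICIES, SETTINGS)


def without_user_policy() -> Tuple[int, str]:
    """Variation (not on the page): drop FW-POLICY-B, leaving only the group policy."""
    return select_auth_rule(USER, USER_GROUPS, [POLICIES[0]], SETTINGS)


def with_user_auth_rule() -> Tuple[int, str]:
    """Variation (not on the page): keep FW-POLICY-B, add an auth rule naming the user."""
    rules = SETTINGS.rules + [AuthRule(2, portal="web-access", users=["test"])]
    return select_auth_rule(USER, USER_GROUPS, POLICIES,
                            SslVpnSettings("tunnel-access", rules))


if __name__ == "__main__":
    print("article configuration:      ", article_case())
    print("group policy only:          ", without_user_policy())
    print("user-based auth rule added: ", with_user_auth_rule())
```

Running the block prints the page's outcome first, rule 0 with 'tunnel-access', and then shows that either removing the user-based policy or adding a user-based authentication rule makes the login land on 'web-access'. The model is only as accurate as the article's description; confirm the real outcome with the debug output described below.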
To confirm this, enable the debug commands below before the user attempts to log in (and turn debugging off afterwards with 'diagnose debug disable'):
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
...
[16658:root:182]group_desc[0].grpname = test
[16658:root:182]group_desc[1].grpname = testgroup
[16658:root:182][fam_auth_send_req_internal:441] FNBAM opt = 0X201400
local auth is done with user 'test', ret=0
[16658:root:182]fam_auth_send_req_internal:517 fnbam_auth return: 0
[16658:root:182][fam_auth_send_req_internal:543] Authenticated groups (2) by FNBAM with auth_type (1):
[16658:root:182]Received: auth_rsp_data.grp_list[0] = 16777218
[16658:root:182]Received: auth_rsp_data.grp_list[1] = 2
[16658:root:182]fam_auth_send_req_internal:567 found node testgroup:0:, valid:1, auth:0
[16658:root:182]Validated: auth_rsp_data.grp_list[1] = testgroup
[16658:root:182][fam_auth_send_req_internal:657] The user test is authenticated.
[16658:root:182]fam_do_cb:682 fnbamd return auth success.
[16658:root:182]SSL VPN login matched rule (0).  <----- It will match SSL VPN authentication rule 0.
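A small parser for the debug output above, added here as an example and not a Fortinet tool: it extracts the identities passed to fnbamd (the group_desc lines), the group fnbamd validated, the authenticated user and the matched authentication rule, and flags a login that matched rule 0 although a validated group has an authentication rule of its own. The sample input is the article's debug excerpt reproduced as constructed input; the rule-to-portal mapping is built from the article's 'config authentication-rule'; the function names and the exact line patterns are assumptions based on the lines shown.

```python
"""Parse sslvpn/fnbamd debug output and flag a login that fell through to rule 0.

Added example, not Fortinet tooling.  Line patterns are taken from the debug
excerpt in the article; anything else is an assumption for this illustration.
"""
import re
from typing import Dict

# Constructed sample input: the debug lines quoted in the article.
DEBUG_OUTPUT = """\
[16658:root:182]group_desc[0].grpname = test
[16658:root:182]group_desc[1].grpname = testgroup
[16658:root:182][fam_auth_send_req_internal:441] FNBAM opt = 0X201400
local auth is done with user 'test', ret=0
[16658:root:182]fam_auth_send_req_internal:517 fnbam_auth return: 0
[16658:root:182][fam_auth_send_req_internal:543] Authenticated groups (2) by FNBAM with auth_type (1):
[16658:root:182]Received: auth_rsp_data.grp_list[0] = 16777218
[16658:root:182]Received: auth_rsp_data.grp_list[1] = 2
[16658:root:182]fam_auth_send_req_internal:567 found node testgroup:0:, valid:1, auth:0
[16658:root:182]Validated: auth_rsp_data.grp_list[1] = testgroup
[16658:root:182][fam_auth_send_req_internal:657] The user test is authenticated.
[16658:root:182]fam_do_cb:682 fnbamd return auth success.
[16658:root:182]SSL VPN login matched rule (0).
"""

# From the article's 'config vpn ssl settings' (constructed mapping).
DEFAULT_PORTAL = "tunnel-access"
RULE_PORTALS = {1: "web-access"}                 # authentication-rule number -> portal
GROUP_RULES = {"testgroup": 1}                   # group named in an authentication rule

GRP_DESC_RE = re.compile(r"group_desc\[\d+\]\.grpname = (\S+)")
VALIDATED_RE = re.compile(r"Validated: auth_rsp_data\.grp_list\[\d+\] = (\S+)")
AUTH_USER_RE = re.compile(r"The user (\S+) is authenticated\.")
MATCHED_RULE_RE = re.compile(r"SSL VPN login matched rule \((\d+)\)")


def parse_debug(text: str) -> Dict[str, object]:
    """Extract offered identities, validated groups, the user and the matched rule."""
    out = {"offered": [], "validated": [], "user": None, "matched_rule": None}
    for line in text.splitlines():
        if m := GRP_DESC_RE.search(line):
            out["offered"].append(m.group(1))
        elif m := VALIDATED_RE.search(line):
            out["validated"].append(m.group(1))
        elif m := AUTH_USER_RE.search(line):
            out["user"] = m.group(1)
        elif m := MATCHED_RULE_RE.search(line):
            out["matched_rule"] = int(m.group(1))
    return out


def assess(parsed: Dict[str, object]) -> Dict[str, object]:
    """Report the portal the login landed on and any group rule that was not applied."""
    rule = parsed["matched_rule"]
    default_used = rule == 0
    # Rule 0 while a validated group has its own rule: the case the article describes.
    not_applied = [g for g in parsed["validated"] if g in GROUP_RULES] if default_used else []
    return {
        "user": parsed["user"],
        "matched_rule": rule,
        "portal": DEFAULT_PORTAL if default_used else RULE_PORTALS.get(rule),
        "default_portal_used": default_used,
        "group_rules_not_applied": not_applied,
    }


if __name__ == "__main__":
    print(assess(parse_debug(DEBUG_OUTPUT)))
```

On the article's excerpt the report shows user 'test', matched rule 0, portal 'tunnel-access', and 'testgroup' listed under group_rules_not_applied, which is exactly the situation to look for when a user ends up on an unexpected portal.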
Copyright 2025 Fortinet, Inc. All Rights Reserved.