FortiGate
ethomollari
Staff
Description
This article describes how to resolve the issue where a user who is a member of multiple AD groups does not match an SSL-VPN firewall policy, even though the policy contains the LDAP user group the user belongs to.

1) Username 'user1' membership: the user is a member of groups A1 and A2.

2) LDAP user groups A1 and A2 configured on the FortiGate.

3) SSL-VPN firewall policy that references group A1, of which 'user1' is a member.

4) SSL-VPN settings, where only group A2 is mapped to the portal. User 'user1' is also a member of group A2.


Solution
The SSL-VPN authentication rule decides which of the user's groups are attached to the SSL-VPN session, and the firewall policy is then matched against those groups. Because only A2 is listed in the authentication rule, the session is not associated with A1 and the policy referencing A1 never matches. To resolve this, add user group 'A1' to the same portal mapping where user group 'A2' is already mapped.




From CLI:

# config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "A1" "A2"
            set portal "full-access"
            set realm "Realm1"
        next
    end
end

Note:
In this scenario, realms and a full-tunnel portal are used.
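The mismatch above is easy to reintroduce whenever a new SSL-VPN policy is created with a group that nobody added to the authentication rule. The following audit script is an added example, not code from the article or from Fortinet: it parses a FortiOS CLI configuration fragment, collects the groups listed in every SSL-VPN authentication-rule, and reports any group referenced by a firewall policy whose source interface is the SSL-VPN tunnel interface but which is missing from the authentication rules. The parser is a minimal one written for this check, the embedded configuration is constructed to mirror the article's scenario (group A1 in the policy, only A2 in the authentication rule), and the tunnel interface name "ssl.root" is assumed for the root VDOM.

```python
"""Audit: every user group referenced by an SSL-VPN firewall policy must also
appear in an SSL-VPN authentication-rule, otherwise members of that group are
never associated with the group at login and the policy does not match.
Example code written for this article; not Fortinet's own tooling."""
import shlex


def _node():
    # "set": option -> values, "config": nested config blocks, "entries": edit entries
    return {"set": {}, "config": {}, "entries": {}}


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()   # articles prefix prompts with "# "
        if not line:
            continue
        tokens = shlex.split(line)               # handles quoted values like "A1" "A2"
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if cmd == "config":
            child = _node()
            cur["config"][" ".join(args)] = child
            stack.append(child)
        elif cmd == "edit":
            child = _node()
            cur["entries"][" ".join(args)] = child
            stack.append(child)
        elif cmd == "set" and args:
            cur["set"][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def sslvpn_auth_groups(cfg):
    """Groups named in any 'config vpn ssl settings' authentication-rule."""
    settings = cfg["config"].get("vpn ssl settings", _node())
    rules = settings["config"].get("authentication-rule", _node())
    groups = set()
    for rule in rules["entries"].values():
        groups.update(rule["set"].get("groups", []))
    return groups


def sslvpn_policy_groups(cfg, tunnel_intf="ssl.root"):
    """policy id -> groups, for policies sourced from the SSL-VPN tunnel interface."""
    policies = cfg["config"].get("firewall policy", _node())
    result = {}
    for pid, pol in policies["entries"].items():
        if tunnel_intf in pol["set"].get("srcintf", []):
            result[pid] = set(pol["set"].get("groups", []))
    return result


def find_unmatched_groups(text, tunnel_intf="ssl.root"):
    """policy id -> sorted groups that no SSL-VPN authentication-rule lists."""
    cfg = parse_fortios(text)
    allowed = sslvpn_auth_groups(cfg)
    return {pid: sorted(groups - allowed)
            for pid, groups in sslvpn_policy_groups(cfg, tunnel_intf).items()
            if groups - allowed}


# Constructed sample: the article's broken state (policy uses A1, rule only maps A2).
BEFORE_CONFIG = """
config vpn ssl settings
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "A2"
            set portal "full-access"
            set realm "Realm1"
        next
    end
end
config firewall policy
    edit 1
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set groups "A1"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Same configuration after applying the article's fix.
AFTER_CONFIG = BEFORE_CONFIG.replace('set groups "A2"', 'set groups "A1" "A2"')

if __name__ == "__main__":
    print("before fix:", find_unmatched_groups(BEFORE_CONFIG))   # {'1': ['A1']}
    print("after fix: ", find_unmatched_groups(AFTER_CONFIG))    # {}
```

Run it against the output of `show vpn ssl settings` and `show firewall policy` pasted into one file; any non-empty result names a policy that SSL-VPN users will silently fail to match.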
Internal Notes
Forticare ticket: 5327022.

Related Articles

Technical Tip: Creating sslvpn with multiple realms
