FortiGate
npaiva
Staff
Article Id 334830
Description

 

When an administrator creates a Remote Access IPsec tunnel with the IPsec Wizard, the XAUTH section of the tunnel is configured by default to authenticate one specific user group. In this example it is the user group 'RemoteUsers', as shown below:

 

default-ipsec-config.png

 

The firewall policies created for the tunnel do not carry the user group in the source field, only the source address:

 

default-policies.png

 

Consequently, the traffic logs matching these policies carry no user information, only the source and destination IP addresses, which makes it hard to identify the actual user behind a session and to correlate the session with that user:

 

logs-no-user-info.png

 

Solution

 

This behavior can be changed in the tunnel configuration. In the XAUTH section, change the User Group setting from the default 'Choose' (which selects one fixed group to authenticate) to 'Inherit from Policy':

 

ipsec-config-inherit-from-policy.png

 

The firewall policies must then be changed to include, in the source field, the user group that is allowed to use each policy:

 

policy-with-user-group.png

 

After this change, the user information appears in the traffic logs, which gives much more granularity for auditing and security purposes:

 

logs-with-user-information.png

 

Specifying the user group on the policy instead of in the XAUTH section of the tunnel configuration has a further benefit: users and user groups with different levels of access can share the same IPsec tunnel, with a separate policy granting each group only the destinations and services it needs.
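The same change expressed in the FortiOS CLI, as an added example that is not part of the original article. The tunnel name 'RemoteAccess', the interface names, the client address pool, the address objects 'LAN' and 'Servers', the second group 'Admins' and the policy IDs are all assumptions; the mapping of the GUI option 'Inherit from Policy' to leaving `authusrgrp` unset is my reading of the CLI and should be verified on the firmware in use. The `#` annotations are explanatory only: the FortiOS CLI does not accept comment lines, so strip them before pasting.

```text
# Tunnel: keep the wizard's proposal and pre-shared key, only change XAUTH.
# GUI "XAUTH User Group: Inherit from Policy" is assumed to be an unset authusrgrp.
config vpn ipsec phase1-interface
    edit "RemoteAccess"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set xauthtype auto
        unset authusrgrp
    next
end

# Address object matching the client pool above, used as the policy source address.
config firewall address
    edit "RemoteAccess_range"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# Two policies on the same tunnel, each restricted to its own user group
# via "set groups" (the GUI source field), each logging all sessions.
config firewall policy
    edit 10
        set name "RemoteUsers-to-LAN"
        set srcintf "RemoteAccess"
        set dstintf "port2"
        set srcaddr "RemoteAccess_range"
        set dstaddr "LAN"
        set groups "RemoteUsers"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set logtraffic all
    next
    edit 11
        set name "Admins-to-Servers"
        set srcintf "RemoteAccess"
        set dstintf "port2"
        set srcaddr "RemoteAccess_range"
        set dstaddr "Servers"
        set groups "Admins"
        set action accept
        set schedule "always"
        set service "SSH" "RDP"
        set logtraffic all
    next
end

# Verification: traffic logs (category 0) should now carry the user name,
# so a filter on the "user" field returns that user's sessions.
execute log filter category 0
execute log filter field user alice
execute log display
```

Two points to check after applying this. First, `set logtraffic all` is what makes accepted sessions appear in the traffic log at all; with the default setting only security events are logged, so the user field would never be seen regardless of the XAUTH change. Second, a user who belongs to more than one group matches the first policy whose source, destination, service and group all fit, so order the policies so that a broad group policy does not shadow a narrower one intended for a privileged group.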
