When an Administrator creates a Remote Access IPsec tunnel by using the IPsec Wizard, the XAUTH section will have the User Group to be authenticated by default. In this example, it is the User Group 'RemoteUsers', as shown below:
IPsec policies will not have the user group on the source - only the source address:
And on the logs matching these policies, it will not show any user information: only the source and destination IP address, making it hard to identify and correlate to the actual user:
This behavior can be changed by editing the Tunnel configuration. In the XAUTH section, change the Default 'Choose' (to choose the group to be authenticated) to 'Inherit from Policy':
The policies will now have to be changed to include the user group to be authenticated on the source field:
After this change, the user information will now be on the logs, providing much more granularity for auditing and security purposes:
Specifying the user group on the policy instead of the XAUTH section on the Tunnel configuration also has other benefits: it allows having the user and user groups with different levels of permissions on the same IPsec tunnel.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.