Created on 02-06-2024 09:09 PM
Edited on 07-22-2025 01:16 AM
By Jean-Philippe_P
Description
This article explains why an SSL VPN user can be matched to an unexpected authentication rule, and therefore to the wrong portal, even though the user is a member of the group that the intended rule references.

In this example, two local users, 'denice' and 'rejean', are members of the local user group 'SSLVPNGROUP', and the user 'denice' has additionally been granted extra access through a firewall policy of its own. The observed behavior is that 'rejean' is mapped to the expected 'full-access' portal, while 'denice' is mapped to the 'web-access' portal despite belonging to the same group.

Under the SSL VPN settings, the 'full-access' portal is mapped to 'SSLVPNGROUP', while the default entry (All Other Users/Groups) is mapped to 'web-access'.

By default, 'All Other Users/Groups' is authentication rule #0, and 'SSLVPNGROUP' is authentication rule #1. This can also be confirmed from the CLI:
Fortigate # show vpn ssl settings
In the firewall policies, user 'denice' is referenced directly in policy #4 (the policy that grants the additional access), while the user group 'SSLVPNGROUP' is referenced in policy #3.
When a user initiates an SSL VPN connection, the FortiGate compiles two lists:

List 1: all users and groups referenced by the SSL VPN firewall policies.
List 2: all users and groups referenced by the matching SSL VPN authentication rules.

The user is authenticated, and assigned a portal, based on the intersection of List 1 and List 2.
When user 'rejean' authenticates, the connection matches authentication rule #1 as expected, because 'rejean' appears in both lists only through membership of 'SSLVPNGROUP'.

When user 'denice' authenticates, however, the connection matches authentication rule #0 and is mapped to the 'web-access' portal, even though 'denice' is also a member of 'SSLVPNGROUP': 'denice' is referenced directly as a user in firewall policy #4, and no authentication rule references that user directly.
Scope: FortiGate.
Solution
To avoid this behavior, make sure that the same user or group entries are referenced on both the firewall policies and the authentication rules.

In this case, either create a new authentication rule that references user 'denice' directly, or create a separate user group for that user and reference the new group in the new authentication rule (and in the firewall policy that grants the additional access, so that the two stay matched).
Fortigate # show vpn ssl settings
config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    config authentication-rule
        edit 1
            set groups "SSLVPNGROUP"
        next
        edit 2 <----- new rule referencing user 'denice' directly
            set users "denice"
            set portal "full-access"
        next
    end
end
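The following Python model is an added illustration of the matching logic described in the Description and Solution sections above; it is not FortiOS code and not part of the original article. It builds the two lists the article names (users/groups referenced by SSL VPN firewall policies, and users/groups referenced by authentication rules), intersects them for a connecting user, and reports which authentication rule and portal that user lands on, before and after the extra rule for 'denice' is added. One detail is an assumption made so that the model reproduces the behavior the article reports: a user who is referenced directly in a firewall policy is matched as that user rather than through the groups the user belongs to. The policy and rule data are constructed to mirror the article's scenario.

```python
"""Simplified model of SSL VPN authentication-rule selection.

Added illustration only. The precedence rule in identities() (a direct
user reference in a firewall policy wins over group membership) is an
assumption chosen to reproduce the behavior the article describes, not
documented FortiOS internals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ref:
    kind: str   # "user" or "group"
    name: str


@dataclass
class FirewallPolicy:
    policy_id: int
    refs: frozenset      # users/groups referenced by the SSL VPN policy


@dataclass
class AuthRule:
    rule_id: int
    portal: str
    refs: frozenset      # users/groups referenced by the authentication rule


# Implicit rule #0: 'All Other Users/Groups' mapped to web-access.
DEFAULT_PORTAL = "web-access"

# Constructed sample data mirroring the article's scenario.
GROUPS = {"SSLVPNGROUP": {"denice", "rejean"}}
POLICIES = [
    FirewallPolicy(3, frozenset({Ref("group", "SSLVPNGROUP")})),
    FirewallPolicy(4, frozenset({Ref("user", "denice")})),   # extra access for denice
]
AUTH_RULES_BEFORE = [
    AuthRule(1, "full-access", frozenset({Ref("group", "SSLVPNGROUP")})),
]
AUTH_RULES_AFTER = AUTH_RULES_BEFORE + [
    AuthRule(2, "full-access", frozenset({Ref("user", "denice")})),   # the fix
]


def identities(user, policies, groups):
    """List 1 restricted to the connecting user: the policy references
    under which this user can be matched. Assumption: a direct user
    reference takes precedence over group references."""
    policy_refs = set().union(*(p.refs for p in policies))
    direct = {r for r in policy_refs if r.kind == "user" and r.name == user}
    if direct:
        return direct
    return {r for r in policy_refs
            if r.kind == "group" and user in groups.get(r.name, ())}


def select_rule(user, policies, auth_rules, groups=GROUPS):
    """Return (rule_id, portal) for the connecting user.

    Authentication rules are evaluated in order; the first rule whose
    references (List 2) intersect the user's identities (List 1) wins.
    No intersection means the implicit default rule #0."""
    ids = identities(user, policies, groups)
    for rule in auth_rules:
        if ids & rule.refs:
            return rule.rule_id, rule.portal
    return 0, DEFAULT_PORTAL


if __name__ == "__main__":
    for label, rules in (("before fix", AUTH_RULES_BEFORE), ("after fix", AUTH_RULES_AFTER)):
        for user in ("rejean", "denice"):
            rule_id, portal = select_rule(user, POLICIES, rules)
            print(f"{label}: {user} -> authentication-rule #{rule_id} ({portal})")
```

Running the block prints 'rejean' landing on rule #1 in both cases, while 'denice' lands on rule #0 (web-access) before the fix and on rule #2 (full-access) once a rule referencing the user directly exists. A user referenced by no SSL VPN policy at all falls to rule #0 as well, which is the expected default.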
Copyright 2025 Fortinet, Inc. All Rights Reserved.