Fortinet Forum
ShawnZA
Contributor II

How to check if SSL VPN Authentication rule is in use

I am busy setting up a second interface for SSL VPN access, and was wondering if there is a way to see which of the authentication rules are in use, as we have a few and some look wrong in any case.


Following this guide:

https://kb.fortinet.com/k....do?externalID=FD36218


So it lists 7 IDs, but some have almost nothing in them, one is empty and some even specify ports that have not been in use for years....


So I want to know which are actually in use.... any easy way to check?


(authentication-rule) # get
== [ 1 ]
id: 1
== [ 2 ]
id: 2
== [ 3 ]
id: 3
== [ 4 ]
id: 4
== [ 5 ]
id: 5
== [ 6 ]
id: 6
== [ 7 ]
id: 7

Toshi_Esumi
Esteemed Contributor II

I assume you didn't configure this. Then if you found out that many auth rules are configured, you need to understand why they were created in the first place. Then I would recommend cleaning them up first (probably that's what you're trying now).

To do that, you need to take a look inside those rules, or just "show" under "config vpn ssl settings" to dump all config including auth rules. They might have a different interface like in the KB, or have different realms. Below is an example from one of our FGTs we use for SSL VPN with a realm, after some modifications.


xxx-fg2 (settings) # show
config vpn ssl settings
    --<snip>--
    set source-interface "Internet"
    --<snip>--
    set default-portal "g2-users"
    config authentication-rule
        edit 1
            set groups "user-g1"
            set portal "g1-users"
            set realm "g1"
        next
        edit 2
            set groups "user-g2"
            set portal "g2-users"
        next
    end
end

As you can see the first auth rule is for the "g1" realm, and the second one is without a realm. Then neither of them has source-interface specified. This means both use the "Internet" zone configured directly under settings. Also pay attention to the "groups" configured in each auth rule. This is the key you can use to search in policy to see if they're actually used, like below:


la-fg2 (policy) # show | grep -f user-g2
config firewall policy
    edit 6
        --<snip>--
        set srcintf "ssl.root"
        set dstintf "InternalNetworks"
        set srcaddr "all"
        set dstaddr "Internal-routes"
        --<snip>--
        set groups "user-g2" <--- the group used
        --<snip>--
    next
end


Then you now know that policy 6 is using the second auth-rule, the one without a realm.

In your case, I would just change source-interface to "any" wherever in the settings an interface is configured.
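An added example, not from this thread or from Fortinet: a small Python script that automates the cross-check described in the reply above by parsing a FortiOS-style config dump, collecting each SSL VPN authentication rule's "groups", and listing the firewall policies whose "groups" reference them (rules with no matching policy, or with no groups at all, are cleanup candidates). The config text is a constructed sample modelled on the snippets in this reply, including one empty auth rule like the one the question mentions.

```python
import shlex
# Constructed sample of a FortiOS config dump, modelled on the snippets in this thread.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set source-interface "Internet"
    config authentication-rule
        edit 1
            set groups "user-g1"
        next
        edit 2
            set groups "user-g2"
        next
        edit 3
        next
    end
end
config firewall policy
    edit 6
        set srcintf "ssl.root"
        set groups "user-g2"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' blocks into nested dicts."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = shlex.split(line) or [""]    # quoting-aware split; blank line -> no keyword
        if tok[0] in ("config", "edit"):   # open a nested block keyed by its name or id
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":              # values kept as a list (settings can be multi-valued)
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):    # close the current block
            cur = stack.pop()
    return root

def auth_rule_usage(text):
    """Return {auth-rule id: [policy ids whose 'groups' overlap the rule's groups]}."""
    cfg = parse_fortios(text)
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    policies = cfg.get("firewall policy", {})
    return {rid: [pid for pid, pol in policies.items()
                  if set(rule.get("groups", [])) & set(pol.get("groups", []))]
            for rid, rule in rules.items()}

if __name__ == "__main__":
    print(auth_rule_usage(SAMPLE_CONFIG))  # {'1': [], '2': ['6'], '3': []}
```

To run it against a real unit, paste the output of "show vpn ssl settings" and "show firewall policy" into the text in place of the sample; a rule whose list is empty is not referenced by any policy's groups.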


ShawnZA

Yes, I did configure it, but through the web interface, and was just wondering why there are 8 shown in the CLI when we only have 3 SSL VPN authentication rules.


I did clean them up yesterday and deleted old ones; it seems some were carried over with a config from 4 years ago.


I was wondering if there was not an easy way of showing which one is tied to which rule, but ended up doing what you suggested as that seems to have been the only way. Thanks.