Hi
We are tying to setup the following: Autoconnect to IPsec VPN using Entra ID logon session information
We have the Client configured in EMS and able to connected to the IPSEC VPN, but how can you then control which logged in users have access via firewalls policies? I was thinking about using usergroups on firewall policies but this just doesnt seem to work, does any one have any experience of restricting the FW policies based on which users are in which groups in Entra??
Many Thanks
Solved! Go to Solution.
OK so just an update to this for other peoeple who want to get this working:
1. Your Fortigate needs to be running at least 7.2.10 as there was a bug in earlier versions.
2. You need to remove the config option "set authusrgrp msgraph" on the ipsec phase1-interface
3. You then need to create groups for each user group that you want to apply to firewall policies
config user group
edit "group1"
set member "msgraph"
config match
edit 1
set server-name "msgraph"
set group-name "363a72ce-d2c7-4758-9d25-5485789e4043"
next
end
next
edit "group2"
set member "msgraph"
config match
edit 1
set server-name "msgraph"
set group-name "38f658d9-c3c2-4a8c-b4d0-d809d42fc31e"
next
end
next
end
4. Then just apply the groups to the relevant FW policies.
Hope this helps :)
You can make multiple User Groups in the Firewall, but when selecting the SAML server you have the option to specify a group ID that will correlate with a group ID in Azure. This is how you can match different Entra ID groups to different Firewall Groups.
See: https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/584456/co...
Thanks but that is using SAML with SSL-VPN. We are using always on IPSEC with Entra.
following this link to do the authentication is what we are using, but its just not playing ball.
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/33053
Seeing constant certificate warnings when trying pass user traffic through the firewall policies.
I have attached a screenshot of what I am referring to (group name is the group ID in Entra ID). This is on the Firewall Group itself.
I don't think the document you shared is applicable for our situation (we are VPN, that .document is for on-prem)
OK so just an update to this for other peoeple who want to get this working:
1. Your Fortigate needs to be running at least 7.2.10 as there was a bug in earlier versions.
2. You need to remove the config option "set authusrgrp msgraph" on the ipsec phase1-interface
3. You then need to create groups for each user group that you want to apply to firewall policies
config user group
edit "group1"
set member "msgraph"
config match
edit 1
set server-name "msgraph"
set group-name "363a72ce-d2c7-4758-9d25-5485789e4043"
next
end
next
edit "group2"
set member "msgraph"
config match
edit 1
set server-name "msgraph"
set group-name "38f658d9-c3c2-4a8c-b4d0-d809d42fc31e"
next
end
next
end
4. Then just apply the groups to the relevant FW policies.
Hope this helps :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.