Support Forum

raffaeledp
Can't filter firewall policy based on user group

Hello everybody, 

I have a firewall policy regarding an IPsec tunnel.

[Screenshot 2024-10-17 alle 20.26.24.png]

This policy is saying that all the addresses that belong to ipsec_range can reach the internal destinations.

This policy, if I connect, is working fine:

[Screenshot 2024-10-17 alle 20.26.43.png]

I can reach one of my VMs:

[Screenshot 2024-10-17 alle 20.27.21.png]

Everything is all right.

What's the problem?

The user that has connected to the tunnel, belongs to a group:

[Screenshot 2024-10-17 alle 20.27.43.png]

Let's suppose I want to say:

I want to filter the source not only by ip address, but also by user group.

[Screenshot 2024-10-17 alle 20.33.35.png]

The same user has an address in ipsec_range and also belongs to IPSEC_USER.

Everything should be okay, right?

No! I can't reach my VM anymore. What am I doing wrong?

[Screenshot 2024-10-17 alle 20.28.11.png]

RDP
HiralShah
Staff

Hello @raffaeledp

Can you please provide a screenshot of your tunnel configuration? Is it set to IKE mode 1 or 2?

That is expected behavior if you have XAUTH set to Auto Server and a user group specified in the IPsec dial-up tunnel.

You can check the document below:

https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiClient-Dialup-IPsec-VPN-Split-Tunnel...

Hiral
raffaeledp

This is my configuration:

[Screenshot 2024-10-17 alle 22.03.00.png]

[Screenshot 2024-10-17 alle 22.03.07.png]

[Screenshot 2024-10-17 alle 22.03.12.png]

RDP
HiralShah

Hello @raffaeledp

Thank you for sharing your configuration.

Then this is the expected behavior. If you want to use the user group in the policy, just select the option "Inherit from policy" for the XAUTH user group.

Hiral
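A CLI view of the two arrangements discussed in this thread, added here as an illustration; it is not configuration taken from the original post or from Fortinet documentation. The first fragment binds the user group to the phase1 XAUTH setting, which is the arrangement in which a group on the firewall policy stops matching. The second leaves `authusrgrp` empty, which is, to the editor's understanding of FortiOS, the CLI equivalent of the GUI choice "Inherit from policy", so the policy's `groups` attribute is consulted at match time instead. Tunnel, interface and address-object names, the PSK placeholder and the IP range are assumed, and attributes not relevant to the group question (proposal, peertype, DPD and so on) are omitted from the phase1 fragments.

```text
# Variant A: user group bound to the tunnel (the arrangement in the original post).
# The group is checked once, when the tunnel is brought up; a "groups" entry on a
# firewall policy is not consulted for this tunnel, so that policy no longer matches.
config vpn ipsec phase1-interface
    edit "dialup-vpn"                  # assumed tunnel name
        set type dynamic
        set interface "wan1"           # assumed WAN interface
        set xauthtype auto
        set authusrgrp "IPSEC_USER"    # group tied to XAUTH on the tunnel
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1   # constructed range, corresponds to ipsec_range
        set ipv4-end-ip 10.10.10.254
        set psksecret "<placeholder-psk>"
    next
end

# Variant B: "Inherit from policy". authusrgrp is left empty on phase1 and the group
# is enforced per firewall policy, so source IP and group membership are both required.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set xauthtype auto
        unset authusrgrp
    next
end

config firewall policy
    edit 0
        set name "vpn-to-internal"         # assumed policy name
        set srcintf "dialup-vpn"
        set dstintf "internal"             # assumed LAN interface
        set srcaddr "ipsec_range"
        set dstaddr "internal_subnets"     # assumed address object for the VMs
        set groups "IPSEC_USER"            # group evaluated at policy match time
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With variant B in place, `diagnose firewall auth list` shows the connected dial-up user together with the group the policy matched, which is the quickest way to confirm that the group check is now happening at the policy rather than at the tunnel. Either arrangement is valid, but, as the replies in this thread note, the group belongs in one place or the other, not both.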
raffaeledp

Thank you so much, you helped me a lot!

RDP
rsondal
Staff

Hi,

Are you using the same group under the VPN tunnel configuration? You can follow the document below for that. You need to use the group either on the policy or on the tunnel configuration.

Using group based firewall policy for Dia... - Fortinet Community

Regards

Rakesh

raffaeledp

Thank you very much!

RDP