Support Forum
raffaeledp
Contributor

Can't filter firewall policy based on user group

Hello everybody, 

I have a firewall policy regarding an IPSEC tunnel.

 

Screenshot 2024-10-17 alle 20.26.24.png

This policy is saying that all the addresses that belong to ipsec_range can reach the internal destinations.

This policy, if I connect, is working fine:

Screenshot 2024-10-17 alle 20.26.43.png

I can reach one of my VMs:

Screenshot 2024-10-17 alle 20.27.21.png

 

Everything is all right.

What's the problem?

The user that has connected to the tunnel, belongs to a group:

Screenshot 2024-10-17 alle 20.27.43.png 

Let's suppose I want to say:

I want to filter the source not only by ip address, but also by user group.

Screenshot 2024-10-17 alle 20.33.35.png

The same user has an address in ipsec_range and also belongs to IPSEC_USER.

Everything should be okay, right?

No! I can't reach my VM anymore. What am I doing wrong?

Screenshot 2024-10-17 alle 20.28.11.png

 

 

RDP

6 REPLIES
HiralShah
Staff

Hello @raffaeledp 

 

Can you please provide a screenshot of your tunnel configuration? Is it set to IKE mode 1 or 2?

That is expected behavior if you have XAuth set to Auto Server and a user group specified in the IPsec dial-up tunnel.

You can check below document: 

https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiClient-Dialup-IPsec-VPN-Split-Tunnel...

 

Hiral
raffaeledp

This is my configuration:

 

Screenshot 2024-10-17 alle 22.03.00.png

 

Screenshot 2024-10-17 alle 22.03.07.png 

Screenshot 2024-10-17 alle 22.03.12.png

 

RDP
HiralShah

Hello @raffaeledp 

Thank you for sharing your configuration.

 

Then this is your expected behavior. If you want to use a user group in the policy, just select the option "Inherit from policy" in the XAuth user group.

Hiral
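For anyone applying this from the CLI instead of the GUI, here is an added example (not from the thread or from Fortinet's documentation) showing the phase1 setting the thread describes beside the corrected one, with the group enforced on the policy. The tunnel name `dialup-vpn`, the interface names and the policy name are assumptions, and the reading that the GUI option "Inherit from policy" corresponds to leaving `authusrgrp` unset is my understanding, not something the thread confirms.

```text
# Before: XAuth Auto Server with the group pinned on the tunnel itself.
# With this in place, the thread reports that adding IPSEC_USER to the
# firewall policy stops the traffic from matching.
# (proposal, psksecret and other phase1/phase2 settings omitted; assumed unchanged)
config vpn ipsec phase1-interface
    edit "dialup-vpn"              # assumed tunnel name
        set type dynamic
        set interface "wan1"       # assumed WAN interface
        set xauthtype auto
        set authusrgrp "IPSEC_USER"
    next
end

# After: take the group off the tunnel ("Inherit from policy" in the GUI,
# assumed to equal an unset authusrgrp) so the policy decides group membership.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set xauthtype auto
        unset authusrgrp
    next
end

# The policy now filters on both the source address range and the user group.
config firewall policy
    edit 0                                  # 0 = next free policy ID
        set name "ipsec-to-internal"        # assumed
        set srcintf "dialup-vpn"
        set dstintf "internal"              # assumed LAN interface
        set srcaddr "ipsec_range"
        set dstaddr "all"                   # assumed; narrow to the VM subnet in practice
        set groups "IPSEC_USER"
        set action accept
        set schedule "always"
        set service "ALL"                   # assumed; restrict to RDP etc. as needed
    next
end
```

After the change, a user who connects but is not a member of IPSEC_USER will still get a tunnel address from ipsec_range yet will no longer match this policy, which is the point of keeping the group check on the policy.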
raffaeledp

Thank you so much, you helped me a lot!

RDP
rsondal
Staff

Hi,

 

Are you using the same group under the VPN tunnel configuration? You can follow the document below for that. You need to use the group either on the policy or on the tunnel configuration.

Using group based firewall policy for Dia... - Fortinet Community

 

Regards

Rakesh

raffaeledp

Thank you very much!

RDP