Hello everybody,
I have a firewall policy for an IPsec tunnel.
This policy says that all addresses belonging to ipsec_range can reach the internal destinations.
This policy works fine when I connect:
I can reach one of my VMs:
Everything is all right.
What's the problem?
The user that has connected to the tunnel belongs to a group:
Let's suppose I want to say:
I want to filter the source not only by IP address, but also by user group.
The same user has an address in ipsec_range and also belongs to IPSEC_USER.
Everything should be okay, right?
No! I can't reach my VM anymore. What am I doing wrong?
Hello @raffaeledp
Can you please provide a screenshot of your tunnel configuration? Is it set to IKE mode 1 or 2?
That is expected behavior if you have XAUTH set to Auto Server and a user group mentioned in the IPsec dial-up tunnel.
You can check the document below:
This is my configuration:
Hello @raffaeledp
Thank you for sharing your configuration.
Then this is your expected behavior. If you want to use the user group in the policy, just select the option "Inherit from policy" in the XAUTH user group.
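As an added illustration (not configuration posted in this thread), the CLI equivalent of the two settings the answer contrasts. The tunnel name dialup_vpn, the policy id, and the destination interface and address objects are assumed; the IPSEC_USER group and ipsec_range object are the ones from the question. The assumption that the GUI's "Inherit from policy" corresponds to leaving authusrgrp unset on the phase1 interface is mine, not something stated in the thread.

```fortios
# Added example, not the poster's configuration.
# Before: the dial-up phase1 checks XAUTH users against IPSEC_USER itself.
# Adding the same group to the firewall policy then fails, as in the question.
config vpn ipsec phase1-interface
    edit "dialup_vpn"
        set type dynamic
        set xauthtype auto
        set authusrgrp "IPSEC_USER"
    next
end

# After: leave the tunnel group empty (assumed CLI form of "Inherit from policy")
# so the user-group match is performed by the firewall policy instead.
config vpn ipsec phase1-interface
    edit "dialup_vpn"
        set type dynamic
        set xauthtype auto
        unset authusrgrp
    next
end

# Policy id, "internal" and "all" are assumed names; srcaddr and groups are from the thread.
config firewall policy
    edit 10
        set name "ipsec-to-internal"
        set srcintf "dialup_vpn"
        set dstintf "internal"
        set srcaddr "ipsec_range"
        set dstaddr "all"
        set groups "IPSEC_USER"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The group is enforced in exactly one place in each version: either the tunnel admits only IPSEC_USER members and the policy matches on address alone, or the tunnel admits any XAUTH-authenticated user and the policy narrows traffic to IPSEC_USER members by the authenticated user-to-address mapping. Configuring the group in both places at once is what produced the blocked VM access described above.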
Thank you so much, you helped me a lot!
Hi,
Are you using the same group under the VPN tunnel configuration? You can follow the document below for that. You need to use the group either on the policy or on the tunnel configuration.
Using group based firewall policy for Dia... - Fortinet Community
Regards
Rakesh
Thank you very much!