We configured the SSL-VPN authentication using SAML (Azure AD) successfully for some groups.
To distinguish profiles, we mapped each group to a specific realm + portal:
Firewall group A = default realm + portal A
Firewall group B = realm B + portal B
Firewall group C = realm C + portal C
Both the group A and group B mappings work perfectly, allowing users to connect to multiple realms depending on the device they are using (portal A for workstations, portal B for mobile devices, portal C for limited users).
The firewall policies work for firewall groups A and B; however, users in group C are blocked even when they are correctly connected to the SSL-VPN with their group.
The ACL for group C is nearly the same as the one for groups A and B:
- Source IP: group C IP pool
- Source group: group C
The result is that packets are dropped by the implicit firewall rule.
We found out that there is a difference when we check the group membership on the SSL-VPN side and on the firewall user side.
On the SSL-VPN monitor:

    get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User               Group     Auth Type   Timeout   Auth-Timeout   From      HTTP in/out   HTTPS in/out   Two-factor Auth
     0       user_fromgroup_C   Group_C   256(1)      3596      27949          X.X.X.X   0/0           0/0            0

    SSL-VPN sessions:
     Index   User               Group     Source IP   Duration   I/O Bytes   Tunnel/Dest IP
     0       user_fromgroup_C   Group_C   X.X.X.X     850        126/86      Y.Y.Y.Y
From the firewall user list:

    diagnose firewall auth list
    Y.Y.Y.Y, user_fromgroup_C
            type: fw, id: 0, duration: 952, idled: 952
            expire: 27847, allow-idle: 28799
            flag(80): sslvpn
            server: AzureAD
            packets: in 0 out 0, bytes: in 0 out 0
When we compare this with a user from group A or group B, the "group_id" and "group_name" parts seem to be missing.
We tested with a new group D, new realm D and new portal D, with the same authentication/portal mapping we did for groups A and B, and we are facing the same issue.
Is there any kind of limitation, or a missing parameter in our portal / realm / ACL / SSL-VPN settings configuration?
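A quick way to spot the symptom described above across all logged-in users, rather than by eye, is to parse the `diagnose firewall auth list` output and flag SSL-VPN sessions whose entry carries no `group_id` / `group_name` line, since those are the sessions that cannot match a group-based policy and fall through to the implicit deny. The following is an added example, not code from the original post or from Fortinet; the sample output is constructed (the group A entry with its group line is invented for contrast, the group C entry mirrors the post), and the `sslvpn` flag value and the `group_name` key are taken from the output shown on the page.

```python
import re

# Constructed sample in the shape of `diagnose firewall auth list`.
# The group A entry is made up to show what a mapped session looks like;
# the group C entry reproduces the post's output, which has no group line.
SAMPLE_AUTH_LIST = """\
10.10.10.5, user_fromgroup_A
        type: fw, id: 0, duration: 120, idled: 30
        expire: 28679, allow-idle: 28799
        flag(80): sslvpn
        server: AzureAD
        packets: in 41 out 38, bytes: in 5120 out 4480
        group_id: 3, group_name: Group_A
Y.Y.Y.Y, user_fromgroup_C
        type: fw, id: 0, duration: 952, idled: 952
        expire: 27847, allow-idle: 28799
        flag(80): sslvpn
        server: AzureAD
        packets: in 0 out 0, bytes: in 0 out 0
----- 2 listed, 0 filtered ------
"""

# An entry starts with an unindented "<ip>, <user>" line.
ENTRY_HEAD = re.compile(r"^(\S+), (\S+)$")


def parse_auth_list(text):
    """Parse auth-list output into one dict per authenticated user."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        head = ENTRY_HEAD.match(line)
        if head and not raw[:1].isspace():
            current = {"ip": head.group(1), "user": head.group(2)}
            entries.append(current)
            continue
        if current is None:
            continue
        # Detail lines are comma-separated "key: value" pairs.
        for part in line.split(", "):
            if ": " not in part:
                continue
            key, value = part.split(": ", 1)
            # "flag(80)" carries a numeric value; normalise the key to "flag".
            if key.startswith("flag("):
                key = "flag"
            current[key] = value
    return entries


def sessions_missing_group(entries):
    """Return (ip, user) for SSL-VPN sessions with no group_name in the entry.

    Per the post, a session that shows up without group_id/group_name does
    not match the group-based policy and is dropped by the implicit rule.
    """
    return [
        (e["ip"], e["user"])
        for e in entries
        if "sslvpn" in e.get("flag", "") and "group_name" not in e
    ]


if __name__ == "__main__":
    parsed = parse_auth_list(SAMPLE_AUTH_LIST)
    for ip, user in sessions_missing_group(parsed):
        print(f"{user} from {ip}: no group_id/group_name, "
              f"check the realm/portal group mapping for this user")
```

Run it against a saved copy of the real command output (replace `SAMPLE_AUTH_LIST` with the file contents) after a test login from each group; any session listed by `sessions_missing_group` is one whose group-based policy will never match.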