julianhaines
New Contributor

FortiGate VPN Web Filtering

Good day

I am trying to set up web filtering for VPN users that use 2-Factor DUO as well, but I am having issues. I am running firmware 7.2 and using Active Directory groups to choose the correct firewall policy to apply. The issue is that the users are bypassing the correct filter.

The "VPN-Group DUO Radius Servers" is the server group with the DUO servers in it to do the 2-factor, the "CN=" is the users' group, and "SSLVPN_Tunnel_ADDR1" is the DHCP pool assigned to the VPN user's computer.

I am quite new to FortiGate and hope someone can help, as I am totally confused.

Thanks

FirewallPolicies.png

AEK
SuperUser

Hi Julian

What do you mean by they are bypassing the filter?

Which rule do they match?

AEK
julianhaines

I am not sure. All I know is that, for example, when I enable the "VPN - General" firewall rule I don't see the data going up, and the user appears to be blocked from lots of sites they should have access to, which are allowed. Do I have the firewall rules set up correctly with the three sources?

Screenshot 2024-01-26 150440.png

AEK

Hi Julian

First, please explain what you want to achieve.

Also, try to follow the steps described in this document.

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/115783/ssl-vpn-with-ldap-use...

Try to follow it first just to achieve a simple SSL VPN connection, and then you can go to the next step.

AEK
hbac

Hi @julianhaines,

Can you check the logs to see which policy was matched? From your screenshot, the policy is greyed out, which means it is disabled.

Regards, 
