Fortigate FortiVPN
Hello,
We have a virtual FortiGate deployed in Azure. We activated Remote Access VPN (FortiVPN) and integrated it with Azure SAML. Authentication is done based on group. I have a question regarding these groups.
For example:
If I have group_1 which has access to server_1 and server_2, and I have user_A who is a member of group_1.
I also have group_2 which has access to Server_3, and user_B.
User_A can access the servers provided by group_1.
User_B can access the servers provided by group_2.
But if I then need to give User_A access to Server_3, what do I need to do? Do I need to add this user also to Group_2? Or do I need to create Group_3, give this group access to server_1, server_2 and server_3, and then add User_A to this group?
Labels: FortiGate
@1mm,
Both group A and group B must be mapped under SSL-VPN Settings. You also need a firewall policy to allow group B.
Regards,
Thanks @hbac
As I understood it, there is no possibility for a user to be a member of several groups?
Hello @1mm
That's completely up to you.
You can create a new group and add that user or you can add that user to multiple groups.
Regards,
Fortinet TAC Senior Engineer
Thanks @mauromarme
I did some tests:
I created 2 groups on Azure, Group_A and Group_B, and mapped them to the FortiGate. I selected Group_A as the group for authentication (where you select the group in VPN settings and then map it to the portal) and provided some accesses. I added the user to Group_A and this user had access to the servers that were allowed for Group_A. Then I added several rules where I also selected Group_B as source and additionally added the user to this group, but he did not receive access to the servers for Group_B (I did not map this group to the portal in VPN settings). Where is the issue or misconfiguration?
Are there any ideas?
Hey 1mm,
In principle, as long as the SAML server returns all group memberships in the assertions, the FortiGate should know the user is a member of multiple groups and allow access according to the policies.
Please ensure you have the following set up:
- user groups with the remote SAML server as member, filtering on the group name sent by SAML
- in the SAML server settings, ensure the FortiGate is set up with the correct assertion name:
    config user saml
        edit <SAML server>
            set group-name <group assertion>
        next
    end
As an example:
- if the SAML server sends the group name in an assertion called "group", then in the FortiGate you need 'set group-name "group"'
- if the SAML server sends the group name in an assertion called "group-id", then in the FortiGate you need 'set group-name "group-id"'
Hi @1mm
Both groups should be mapped on the SSL VPN configuration.
If you only map Group_A to SSL, the only rules that are going to work are the ones for Group_A.
Fortinet TAC Senior Engineer
Thanks friends for help!