Fortigate FortiVPN

1mm · ‎10-26-2023

Hello,

We have virtual FortiGate, deployed in Azure. We activated Remote Access VPN (FortiVPN) and integrated it with SAML Azure. Authentication don based Group. And I have question regarding these groups.

For example:

If i Have group_1 which have access to server_1 and server_2, also i have user_A which is member of group_1.

Also I have group_2 which has access to Server_3, and user_B.

And User_A can access to servers which is provided be group_1

And User_B can access to servers which is provided be group_2

But If I then need to provide for User_A access to the Server_3 what do I need to do? Do I need to add this user also to Group_2? or I need to create Group_3, provide for this group accesss to server_1, server_2, server_3 and then add to this group User_A?

hbac · ‎10-27-2023

@1mm,

Both group A and B must be mapped under SSL-VPN Settings. You also need firewall policy to allow group B.

Regards,

View solution in original post

1mm · ‎10-30-2023

One Additional question.

How I can select which group must be used for Authentication and which for Accesses?

I would like to do in such way.

If user is member of Group A - User can do Authentication and will have some basic access (for example, dns, AD and so on).

When user will be added to the Group B - User will receive additional accesses.

It will be better for logic and fast troubleshooting. Right now when user is member of Group A and Group B, in fortigate in monitoring I see that he is member of Group A and then when he will do reconnection he will be member of Group B and so on.

hbac · ‎10-30-2023

@1mm,

You can map groups under SSL-VPN Settings > Authentication/Portal Mapping.

Regards,

1mm · ‎10-30-2023

How Fortigate choose which group it will check firstly?

Fortigate FortiVPN

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website