I am busy setting up a second interface for SSL VPN access, and was wondering if there is a way to see which of the authentication rules are in use as we have a few, and some looks wrong in any case.
Following this guide:
https://kb.fortinet.com/k....do?externalID=FD36218
So it lists 7 ID's, but some has almost nothing in, one is empty and some even specifying ports that has not been in use for years....
So I want to know which is actually in use.... any easy way to check?
(authentication-rule) # get == [ 1 ] id: 1 == [ 2 ] id: 2 == [ 3 ] id: 3 == [ 4 ] id: 4 == [ 5 ] id: 5 == [ 6 ] id: 6 == [ 7 ] id: 7
I assume you didn't configure this. Then if you found out that many auth rules are configured, you need to understand why they were created at the first place. Then I would recommend clean them up first (probably that's what you're trying now).
To do that, you need to take look at inside of those rules, or just "show" under "config vpn ssl settings" to dump all config including auth rules. They might have different interface like in the KB, or have different realms. Below is an example from one of our FGTs we use for SSL VPN with a realm after some modifications.
xxx-fg2 (settings) # show config vpn ssl settings --<snip>--- set source-interface "Internet" --<snip>--
set default-portal "g2-users" config authentication-rule edit 1 set groups "user-g1" set portal "g1-users" set realm "g1" next edit 2 set groups "user-g2" set portal "g2-users" next end end
As you can see the first auth rule is for "g1" realm, and the second one is without realm. Then neighbor of them have source-interface specified. Means both use "Internet" zone configured directly under settings. Also pay attention to the "groups" configured in each auth rule. This is the key you can use to search in policy if they're actually used like below:
la-fg2 (policy) # show | grep -f user-g2 config firewall policy edit 6 --<snip>-- set srcintf "ssl.root" set dstintf "InternalNetworks" set srcaddr "all" set dstaddr "Internal-routes"
--<snip>-- set groups "user-g2" <--- the group used
--<snip>-- next end
Then you now know the policy 6 is using the second auth-rule without realm.
In your case, I would just change source-interface to "any" wherever in the settings that has an interface configured.
Yes I did config it but through the web interface and was just wondering why there are 8 shown in the CLI and we only have 3 authentication SSL VPN rules.
I did clean them up yesterday and deleted old ones, seems some were carried over with a config from 4 years ago.
Was wondering if there was not a easy way of showing which one is tied to which rule but ended up doing what you suggested as that seems to have been the only way, thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.