I'm trying to set up a 200F so that multiple AD groups can connect to the site using FortiClient (IPsec, not SSL) for VPN access. Group1 should be allowed to a subset of IPs, group2 a different set of IPs, etc. Should I just create the groups on the FGT and then make multiple rules from the VPN zone to LAN and just call the respective group in the source for each one? Or will that match all users regardless, since they will have the same source IP (from the DHCP pool)?
You can do it both ways. Have a different VPN portal with a unique IP pool for users based on different AD group membership. Or, put everyone in the same portal with the same IP pool and use firewall policies to restrict access using AD group membership.
On a firewall policy, if you define two rules each with the same source and destination IP but different source user groups, then you will only match the policy that has the correct user.
Then, create different portals for each respective group with the relevant restrictions in place.
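The second approach (one shared pool, per-group firewall policies) in FortiOS CLI form, as an added example that is not part of the original thread. It assumes an existing dialup IPsec phase1 whose mode-config pool is represented by an address object called "VPN-Pool" and whose tunnel interface is "FCT-Dialup"; the LDAP server, DNs, interface name "port2", and the subnets 10.10.1.0/24 and 10.10.2.0/24 are all placeholders to replace with your own values.

```fortios
# Added example: per-AD-group access control on a shared IPsec pool.
# All names, DNs and subnets below are assumptions, not from the original thread.

config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=corp,dc=example,dc=com"
        set password <bind-password>
    next
end

# One FortiGate user group per AD group. The "config match" block is what
# ties group membership to the AD group's DN, so a user who is in
# vpn-group2 but not vpn-group1 will not be placed in VPN-Group1.
config user group
    edit "VPN-Group1"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "cn=vpn-group1,ou=Groups,dc=corp,dc=example,dc=com"
            next
        end
    next
    edit "VPN-Group2"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "cn=vpn-group2,ou=Groups,dc=corp,dc=example,dc=com"
            next
        end
    next
end

config firewall address
    edit "Group1-Servers"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Group2-Servers"
        set subnet 10.10.2.0 255.255.255.0
    next
end

# Both policies use the same source interface and the same pool address,
# and differ only in "groups" and the destination. Because the policy
# lookup also evaluates the authenticated user's group, a Group2 user
# whose tunnel IP comes from the shared pool will not match policy 10.
# Anything not matched here falls to the implicit deny.
config firewall policy
    edit 10
        set name "VPN-Group1-to-Servers"
        set srcintf "FCT-Dialup"
        set dstintf "port2"
        set srcaddr "VPN-Pool"
        set dstaddr "Group1-Servers"
        set groups "VPN-Group1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 11
        set name "VPN-Group2-to-Servers"
        set srcintf "FCT-Dialup"
        set dstintf "port2"
        set srcaddr "VPN-Pool"
        set dstaddr "Group2-Servers"
        set groups "VPN-Group2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

Two practical checks: after a user connects, `diagnose firewall auth list` shows the tunnel IP together with the group(s) the FortiGate resolved for that user, which confirms the LDAP group match before you troubleshoot policy. And if you also keep a broad "any VPN user to LAN" policy, place it below these group-specific ones, since the first matching policy wins and a catch-all above them would make the group restriction irrelevant. The "separate portal" option from the answer maps, for IPsec, to separate dialup phase1 definitions each with its own pool and its own `authusrgrp`, which is the route to take if you also want different tunnel settings per group.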