Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
muhammadsaad
Contributor

Created on ā€Ž07-12-2025 04:50 AM

Request for Guidance on Configuring Per-User Firewall Policies for SSL VPN Access

Hello Team,

We are currently working on configuring per-user firewall policies for SSL VPN access using both LDAP and Azure IdP (with MFA) to restrict access to specific destinations for individual users.

Our FortiGate firewall is successfully integrated with Microsoft Azure IdP for SSL VPN authentication using token-based MFA. Additionally, we have integrated our on-premises Active Directory with the FortiGate firewall for SSL VPN access.

However, when creating firewall policies, we are encountering a limitation where policies are applied at the group level, rather than allowing us to define policies for individual users.

Can someone advise on the best workaround for this scenario? Specifically:

  • Do we need to create individual user groups in Active Directory and Azure IdP for each user to achieve per-user control?

  • Alternatively, is there a method to configure this directly on the FortiGate firewall?

We are also utilizing FortiClient EMS for managing remote access VPN policies. If there's a way to allow or restrict specific destinations for individual users through EMS, please advise that as well.
Thanks

658
0 Kudos
2 Solutions
sjoshi
Staff
Staff
In response to muhammadsaad

Created on ā€Ž07-13-2025 11:31 PM

Hi @muhammadsaad,

 

It is possible to enable MFA and also create per user policy for LDAP user
Refer
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-FortiGate-to-use-an-LDAP-...
You need to import the LDAP user on the FGT post that you can create per user based policy

For Azure IDP it is not possible to create per user based policy as you cant import per user like LDAP and only group based policy needs to be created.

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi

View solution in original post

573
sjoshi
Staff
Staff
In response to muhammadsaad

Created on ā€Ž07-14-2025 03:31 AM

Hi @muhammadsaad,

 

You go to user definition on FortiGate:-

 

12.PNG

 

You will get option of importing LDAP,Radius user directly on FGT but there is no option to import SAML Azure IDP user directly on FGT. This feature is yet not present on FGT

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi

View solution in original post

529
0 Kudos
7 REPLIES 7
muhammadsaad
Contributor

Created on ā€Ž07-13-2025 10:31 PM

Hi,

Someone can provide assistance on this?

605
0 Kudos
RBA
Staff
Staff

Created on ā€Ž07-13-2025 10:43 PM

This article should help Configuring user-based policy for LAN use... - Fortinet Community

597
0 Kudos
muhammadsaad
Contributor

Created on ā€Ž07-13-2025 10:52 PM

Hi Thanks for your reply.
The provided article is based on local fortinet users, whereas currently we are working with on-prem Active directory and Microsoft Azure IdP for MFA authentication.
So it is requested to please advise us.

588
0 Kudos
sjoshi
Staff
Staff
In response to muhammadsaad

Created on ā€Ž07-13-2025 11:31 PM

Hi @muhammadsaad,

 

It is possible to enable MFA and also create per user policy for LDAP user
Refer
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-FortiGate-to-use-an-LDAP-...
You need to import the LDAP user on the FGT post that you can create per user based policy

For Azure IDP it is not possible to create per user based policy as you cant import per user like LDAP and only group based policy needs to be created.

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
574
muhammadsaad
Contributor

Created on ā€Ž07-14-2025 02:13 AM

Hi @sjoshi ,

Many thanks for the help. Could you please let me know what's the reason that user based policy can't be imported in case of Azure IdP.

(Just because FortiClient EMS is only integrated with On-Prem Active Directory)

or something else?

550
0 Kudos
sjoshi
Staff
Staff
In response to muhammadsaad

Created on ā€Ž07-14-2025 03:31 AM

Hi @muhammadsaad,

 

You go to user definition on FortiGate:-

 

12.PNG

 

You will get option of importing LDAP,Radius user directly on FGT but there is no option to import SAML Azure IDP user directly on FGT. This feature is yet not present on FGT

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
530
0 Kudos
muhammadsaad
Contributor

Created on ā€Ž07-16-2025 04:54 AM

Hi @sjoshi ,

Thank you for the help and support.

474
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.