New Contributor

[SOLVED] VPN policies for specific user/group

I'm trying to get the SSL VPN policies working based on groups.


I'm using

FortiGate 200D cluster

v5.0,build0318 (GA Patch 12).

5-8 different groups on the Firewall.

Each group is polling a RADIUS server (Fortiauthentication) and asking for users in a specified group on that server.

FortiAuthentication is polling my Active Directory server for members of various groups for its own groups.


I know it sounds messy, but everything works. I'm just having some problems on the actual SSLvpn on the firewall.

I just can't get it working with applying the SSLvpn policies.


From what I know, I should do the following.


Policy type: SSL-VPN

Incoming Interface: Outside(wan)

Remote Address: All

Local Interface: Inside_srv

Local Protected Subnet:


Configure SSL-VPN Authentication Rules

Group(s): just a test group that I'm a member of.

User(s): none

Schedule: always

SSL-VPN Portal: full-access (only one that exists)

Action: Accept



But this does not work. In order for it to work, I have to apply another normal policy that says from ssl.root --> inside_srv in order for traffic to pass. And in the SSL-VPN policy, I can pretty much specify any network, and traffic still passes with the "normal" policy.

New Contributor

Alright, solved this.

Apparently, you need to set the VPN policies to the ssl.root if you're using interfaces in zones.


If I do not have zones, then I can just create a VPN rule that states

outside --> inside (vpn policy)


But if you have interfaces in a zone, you'll need

outside --> ssl.root (vpn policy)

ssl.root --> inside (firewall policy)


I actually got help from our Forti partner to figure it out.

Kinda random really, because I want to use VPN policies based on users, not networks and lots of different SSL portals.

ATM, the VPN policy is authing users, so I cannot place more auth-based normal firewall policies because users have already been authed by the first rule.
