I'm trying to get the SSL VPN policies working based on groups.
I'm using
FortiGate 200D cluster
v5.0,build0318 (GA Patch 12).
5-8 different groups on the firewall.
Each group is polling a RADIUS server (FortiAuthenticator) and asking for users in a specified group on that server.
FortiAuthenticator is polling my Active Directory server for members of various groups for its own groups.
I know it sounds messy, but everything works. I'm just having some problems with the actual SSL VPN on the firewall.
I just can't get it working when applying the SSL VPN policies.
From what I know, I should do the following.
Policy type: SSL-VPN
Incoming Interface: Outside(wan)
Remote Address: All
Local Interface: Inside_srv
Local Protected Subnet: 192.168.85.0/24
Configure SSL-VPN Authentication Rules
Group(s): just a test group that I'm a member of.
User(s): none
Schedule: always
SSL-VPN Portal: full-access (the only one that exists)
Action: Accept
But this does not work. In order for it to work I have to apply another normal policy that says ssl.root --> Inside_srv in order for traffic to pass. And in the SSL-VPN policy, I can pretty much specify any network, and traffic still passes with the "normal" policy.
Alright, solved this.
Apparently, you need to set the VPN policies to the ssl.root if you're using interfaces in zones.
If I do not have zones
then I can just create a VPN rule that states
outside --> inside (VPN policy)
but, if you have interfaces in a zone you'll need
outside --> ssl.root (VPN policy)
ssl.root --> inside (firewall policy)
I actually got help from our Forti partner to figure it out.
Kinda random really, because I want to use VPN policies based on users, not networks and lots of different SSL portals.
At the moment, the VPN policy is authenticating users, so I cannot place more auth-based normal firewall policies because users have already been authenticated by the first rule.
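The two-policy layout the poster ended up with, written out as FortiOS CLI configuration. This is an added example, not the poster's or Fortinet's own configuration: the interface name "wan1", the address object "Inside_srv_net", the group "sslvpn_test_group" and the policy IDs are assumed, and the `action ssl-vpn` / `identity-based-policy` syntax is the FortiOS 5.0-era form, which differs in later releases. "Inside_srv", the 192.168.85.0/24 subnet and the "full-access" portal come from the post; "SSLVPN_TUNNEL_ADDR1" is the default tunnel IP pool object on FortiOS 5.x.

```fortios
# Constructed example: FortiOS 5.0-style CLI, names other than Inside_srv,
# 192.168.85.0/24 and full-access are assumptions.
config firewall address
    edit "Inside_srv_net"
        set subnet 192.168.85.0 255.255.255.0
    next
end

config firewall policy
    # Policy 1: SSL-VPN policy from the outside interface to ssl.root.
    # This is the policy that authenticates the user against the group;
    # with zoned interfaces the destination must be ssl.root, not the
    # inside zone.
    edit 10
        set srcintf "wan1"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "Inside_srv_net"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "sslvpn_test_group"
                set schedule "always"
                set service "ALL"
                set sslvpn-portal "full-access"
            next
        end
    next
    # Policy 2: ordinary firewall policy from ssl.root into the inside
    # interface. This is where the reachable network is actually enforced,
    # so the source is limited to the tunnel IP pool and the destination
    # to the protected subnet rather than "all".
    edit 11
        set srcintf "ssl.root"
        set dstintf "Inside_srv"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Inside_srv_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The point worth keeping in mind from the poster's observation is that the destination address on the SSL-VPN policy did not restrict anything once the ssl.root --> inside policy existed; the second policy is the one doing the access control. Keep its source and destination objects narrow, and if different groups need different reachable networks, that segmentation has to be expressed on the ssl.root side (separate tunnel IP ranges per portal, each matched by its own ssl.root --> inside policy) rather than on the SSL-VPN policy alone.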