plejon
New Contributor

[SOLVED] VPN policies for specific user/group

I'm trying to get the SSL VPN policies working based on groups.

I'm using:

FortiGate 200D cluster

v5.0, build0318 (GA Patch 12).

5-8 different groups on the firewall.

Each group is polling a RADIUS server (FortiAuthenticator) and asking for users in a specified group on that server.

FortiAuthenticator is polling my Active Directory server for members of various groups for its own groups.

I know it sounds messy, but everything works. I'm just having some problems on the actual SSL VPN on the firewall.

I just can't get it working with applying the SSL VPN policies.


From what I know, I should do the following.


Policy type: SSL-VPN

Incoming Interface: Outside(wan)

Remote Address: All

Local Interface: Inside_srv

Local Protected Subnet: 192.168.85.0/24


Configure SSL-VPN Authentication Rules

Group(s): just a test group that I'm a member of.

User(s): none

Schedule: always

SSL-VPN Portal: full-access (only one that exists)

Action: Accept


But this does not work. In order for it to work I have to apply another normal policy that says from ssl.root --> Inside_srv in order for traffic to pass. And in the SSL-VPN policy, I can pretty much specify any network, and traffic still passes with the "normal" policy.

plejon
New Contributor

Alright, solved this.

Apparently, you need to set the VPN policies to ssl.root if you're using interfaces in zones.

If I do not have zones,

then I can just create a VPN rule that states

outside --> inside (VPN policy)

 

But, if you have interfaces in a zone you'll need

outside --> ssl.root (VPN policy)

ssl.root --> inside (firewall policy)

I actually got help from our Forti partner to figure it out.

Kinda random really, because I want to use VPN policies based on users, not networks and lots of different SSL portals.

Atm, the VPN policy is authing users, so I cannot place more auth-based normal firewall policies because users have already been authed by the first rule.
