Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CodeTron
New Contributor III

SSL VPN network access segregation based on user vpn groups

Is if possible to Create Multiple SSL VPN Groups that have limited access to different Networks

 

AdminVPN Users able to get to systems and management

StandardVPN Users able to get to what systems they need but limited

and so on

 

Thanks

1 Solution
Durga_Ashwath

Hello CodeTron,

Yes, it is possible to create multiple SSL VPN groups that have limited access to different networks. Here's a general approach to achieving this:

  1. User Groups: First, you need to create different user groups in FortiGate for each category of VPN users, such as AdminVPN Users and StandardVPN Users.

  2. SSL VPN Configuration: Configure SSL VPN settings on the FortiGate appliance, including authentication methods (such as username/password, client certificates, etc.) and SSL VPN settings (IP address range, encryption settings, etc.).

  3. VPN Portal Configuration: Set up VPN portals for each user group. VPN portals are customized web pages where users can log in and access VPN services. Each portal can have its own authentication settings and access controls.

  4. Access Policies: Define access policies based on user groups. You can create firewall policies that allow or restrict traffic based on the source user group, destination networks, and services. For example:

    • For AdminVPN Users, create policies allowing access to systems and management resources.
    • For StandardVPN Users, create policies allowing access to specific systems they need but limiting access to other resources.
    • Repeat this process for other user groups as necessary.
  5. User Authentication: Configure authentication methods for each user group. FortiGate supports various authentication methods, including local user database, LDAP, RADIUS, and more. You can assign different authentication methods to each user group based on your requirements.

  6. Network Segmentation: Ensure that your internal network is properly segmented to restrict access based on user permissions. This may involve configuring VLANs, subnetting, and firewall rules within your internal network infrastructure.

By following these steps, you can create multiple SSL VPN groups in Fortinet with limited access to different networks based on user roles and permissions. This approach allows you to enforce security policies and control access to resources based on the specific needs of each user group

 

Thank you.

 

View solution in original post

2 REPLIES 2
ozkanaltas
Valued Contributor III

Hello @CodeTron ,

 

You can apply this with the user group and firewall policy. In this way, your user just accesses allowed networks in a policy with their ssl-vpn connection. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Durga_Ashwath

Hello CodeTron,

Yes, it is possible to create multiple SSL VPN groups that have limited access to different networks. Here's a general approach to achieving this:

  1. User Groups: First, you need to create different user groups in FortiGate for each category of VPN users, such as AdminVPN Users and StandardVPN Users.

  2. SSL VPN Configuration: Configure SSL VPN settings on the FortiGate appliance, including authentication methods (such as username/password, client certificates, etc.) and SSL VPN settings (IP address range, encryption settings, etc.).

  3. VPN Portal Configuration: Set up VPN portals for each user group. VPN portals are customized web pages where users can log in and access VPN services. Each portal can have its own authentication settings and access controls.

  4. Access Policies: Define access policies based on user groups. You can create firewall policies that allow or restrict traffic based on the source user group, destination networks, and services. For example:

    • For AdminVPN Users, create policies allowing access to systems and management resources.
    • For StandardVPN Users, create policies allowing access to specific systems they need but limiting access to other resources.
    • Repeat this process for other user groups as necessary.
  5. User Authentication: Configure authentication methods for each user group. FortiGate supports various authentication methods, including local user database, LDAP, RADIUS, and more. You can assign different authentication methods to each user group based on your requirements.

  6. Network Segmentation: Ensure that your internal network is properly segmented to restrict access based on user permissions. This may involve configuring VLANs, subnetting, and firewall rules within your internal network infrastructure.

By following these steps, you can create multiple SSL VPN groups in Fortinet with limited access to different networks based on user roles and permissions. This approach allows you to enforce security policies and control access to resources based on the specific needs of each user group

 

Thank you.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors