Support Forum
jvarouxis
New Contributor

Source User in Policy

Dear All, I have FortiClient IPsec users. I need one user to be able to use RDP through the same VPN tunnel and the others not. The VPN tunnel is working great. When I create a rule and put the user who needs RDP into Source User(s), the RDP traffic stops. If I leave Source User(s) empty in the policy then RDP works, but for everyone. Do you have any idea why this is happening? Thanks in advance.
jvarouxis
New Contributor

Forgot to mention that I use a FG100D on 5.2.1 and FortiClient is 5.2.1 as well.
ede_pfau
SuperUser

If the user is not matched in the policy, the policy is not applied. So the only way I can imagine what is happening is that you only have one policy towards the tunnel. There need to be at least 2 policies: the first specific to that one user, and the second for all users. Maybe you could post a screenshot of the policy table for clarification.
Ede Kernel panic: Aiee, killing interrupt handler!
jvarouxis
New Contributor

Dear Ede, thank you for your reply. I have two firewall policies. Please see the screenshot, and see the output from the debug in the CLI. The msg="Denied by forward policy check (policy 205)": this policy 205 is the one that has the user inside and is first in priority.

id=20085 trace_id=10 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, X.X.X.X:51221-X.X.X.X:3389) from VPN_PeerA_0. flag , seq 197828979, ack 0, win 8192"
id=20085 trace_id=10 func=init_ip_session_common line=4517 msg="allocate a new session-004b429f"
id=20085 trace_id=10 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-x.x.x.x via port1"
id=20085 trace_id=10 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 205)"
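The debug flow output quoted above is the fastest way to see which policy actually stopped a session. The following parser is an added example, not code from the thread or from Fortinet: it groups `diagnose debug flow` lines by trace_id and records the 5-tuple, the ingress interface and the policy that accepted or denied the packet. The sample trace is constructed to match the format shown in the post (addresses, session ids and the "Allowed by Policy-..." line are made up for the example).

```python
"""Pull the verdict out of FortiGate 'diagnose debug flow' output.

Added example, not from the thread or from Fortinet. The trace below is
constructed to match the format quoted in the post (addresses and session
ids are made up); the parser groups lines by trace_id and records the
5-tuple, the ingress interface and which policy accepted or denied it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# constructed sample: one denied RDP session and one accepted HTTP session
SAMPLE_TRACE = """\
id=20085 trace_id=10 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.212.134.200:51221->192.168.1.10:3389) from VPN_PeerA_0. flag [S], seq 197828979, ack 0, win 8192"
id=20085 trace_id=10 func=init_ip_session_common line=4517 msg="allocate a new session-004b429f"
id=20085 trace_id=10 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.1.10 via port1"
id=20085 trace_id=10 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 205)"
id=20085 trace_id=11 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.212.134.200:51230->192.168.1.10:80) from VPN_PeerA_0. flag [S], seq 197829001, ack 0, win 8192"
id=20085 trace_id=11 func=init_ip_session_common line=4517 msg="allocate a new session-004b42a0"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-170:"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be quoted
PKT_RE = re.compile(r'proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) from (\S+)\.')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


@dataclass
class Trace:
    trace_id: str
    proto: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    ingress: Optional[str] = None
    verdict: Optional[str] = None     # "allow" / "deny" / None if the trace is incomplete
    policy_id: Optional[int] = None
    funcs: List[str] = field(default_factory=list)


def parse_line(line: str) -> Dict[str, str]:
    """Split one debug-flow line into its key=value fields, unquoting msg."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_traces(text: str) -> Dict[str, Trace]:
    """Group lines by trace_id and fill in packet details and the final verdict."""
    traces: Dict[str, Trace] = {}
    for raw in text.splitlines():
        f = parse_line(raw)
        tid = f.get("trace_id")
        if tid is None:
            continue                      # not a debug-flow line
        t = traces.setdefault(tid, Trace(trace_id=tid))
        t.funcs.append(f.get("func", "?"))
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            t.proto, t.src, t.sport = int(m.group(1)), m.group(2), int(m.group(3))
            t.dst, t.dport, t.ingress = m.group(4), int(m.group(5)), m.group(6)
        m = DENY_RE.search(msg)
        if m:
            t.verdict, t.policy_id = "deny", int(m.group(1))
        m = ALLOW_RE.search(msg)
        if m:
            t.verdict, t.policy_id = "allow", int(m.group(1))
    return traces


def denied_sessions(text: str) -> List[Trace]:
    """Only the traces a policy refused: the ones to look at when a rule 'stops' traffic."""
    return [t for t in parse_traces(text).values() if t.verdict == "deny"]


if __name__ == "__main__":
    for t in parse_traces(SAMPLE_TRACE).values():
        print(f"trace {t.trace_id}: {t.src}:{t.sport} -> {t.dst}:{t.dport} via {t.ingress}: "
              f"{t.verdict} by policy {t.policy_id}")
```

Feed it the output of `diagnose debug flow` captured to a file; the policy id in the deny line is what you then look up in the policy table, and the ingress interface tells you which interface pair the lookup was made for.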
ede_pfau
SuperUser

Could you put policy 171 first, and for service specify "NOT RDP"? Then traffic should fall through to policy 170. The negation option is new to v5.2.
Ede Kernel panic: Aiee, killing interrupt handler!
jvarouxis
New Contributor

Dear Ede, I did this but the results are the same. The log from the CLI:

id=20085 trace_id=1011 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, x.x.x.x:51913->x.x.x.x:3389) from VPN_PeerA_0. flag

Still cannot understand!!! Does this have to do with my using a peer ID for the VPN? Thanks in advance.

ede_pfau
SuperUser

No, the VPN has nothing to do with this. It's a policy issue. I think we both need to read up on the fall-through mechanism in FOS 5.2.
Ede Kernel panic: Aiee, killing interrupt handler!
jvarouxis
New Contributor

Dear Ede, I have never used an identity policy in the past. The VPN has split tunneling enabled, so web traffic goes through the local gateway of the PC's connection and not through the tunnel. How will the user authenticate to the FortiGate? I thought he authenticates by entering the username and password on the VPN tunnel. The only firewall policy I have is from VPN to LAN. Do you have any example to help? Thanks in advance.
TuncayBAS
Contributor II

The user must log on before the RDP rule is applied. Protocols that send login information: HTTP, FTP, TELNET, etc.
Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
ede_pfau
SuperUser

You have 2 different things here:

- authentication for a VPN connection
- authentication through a policy (identity-based policy)

First, VPN. To establish a VPN connection the user has to enter his credentials in a dialog presented by the FortiClient application. Either username and password are pre-set in the config, or the user enters them interactively.

So, when a VPN connection is established, traffic arrives at an IB policy.

Now the user has to open a session first which allows him to enter username and password. There are only a few tools and services to do so: a browser (using HTTP(S)), a telnet app (using telnet), or an FTP client (using FTP). FortiOS does not support any other service for policy authentication!

Once the user starts up a browser to access some host behind the tunnel, the firewall will intervene and present a replacement page on which the user can enter his username and password.

Once authenticated, the user can use any service which is allowed (additionally) in the policy, like SSH, RDP or whatever.

So I think you missed the policy authentication step. IB policies work independently of VPNs - you could use one to have authenticated access within your LAN if you wish. So, the policy doesn't know about the VPN credentials; the user has to enter them explicitly.

Hope this helps in explaining. Just give it a try please.

Ede Kernel panic: Aiee, killing interrupt handler!
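The mechanism Ede describes in this reply, and the two-policy table from the first reply, can be replayed in a small model. The code below is an added example and is not Fortinet's code or the forum's: it is a simplified model of top-down policy matching in which a policy that lists source users applies only once the source address has authenticated as one of them, credentials can only be collected over HTTP(S), FTP or telnet, and a policy whose user does not match falls through to the next one. Policy IDs 205 and 170, the user names, passwords and addresses are constructed for the example. It also runs the table in the reverse order (general policy first), which shows why the reordering suggested earlier in the thread gives the same result: the user's first HTTP session is accepted by the general policy, so the login page never appears and RDP stays denied.

```python
"""Model of top-down policy matching with an identity-based (user) policy.

Added example; this is not the forum's or Fortinet's code but a simplified
model of the behaviour Ede describes: a policy that lists source users only
applies once the source address has authenticated as one of them, credentials
can only be collected over HTTP(S), FTP or telnet, and a policy whose user does
not match falls through to the next one. Policy IDs, users, passwords and
addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import hmac

AUTH_CAPABLE = {"HTTP", "HTTPS", "FTP", "TELNET"}  # services that can carry a login


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    services: Set[str]                               # {"ALL"} or service names
    users: Set[str] = field(default_factory=set)     # empty: no login required
    service_negate: bool = False                     # "NOT <services>" (v5.2 option)
    action: str = "accept"


@dataclass
class Session:
    srcintf: str
    dstintf: str
    src_ip: str
    service: str


def service_matches(p: Policy, service: str) -> bool:
    hit = "ALL" in p.services or service in p.services
    return (not hit) if p.service_negate else hit


def evaluate(policies: List[Policy], s: Session, auth: Dict[str, str]) -> Tuple[str, int]:
    """Walk the table top-down; return (verdict, policy id), id 0 = implicit deny."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (s.srcintf, s.dstintf):
            continue
        if not service_matches(p, s.service):
            continue
        if p.users:                                   # identity-based policy
            user = auth.get(s.src_ip)
            if user is None:
                # no login yet from this address: only an auth-capable service
                # can be redirected to the login page; anything else (RDP here)
                # is dropped by this policy, as in the debug flow in the thread
                return ("auth-required" if s.service in AUTH_CAPABLE else "deny"), p.id
            if user not in p.users:
                continue                              # wrong user: fall through
        return p.action, p.id
    return "deny", 0


def portal_login(auth: Dict[str, str], src_ip: str, username: str,
                 password: str, directory: Dict[str, str]) -> bool:
    """Model of the replacement page: on success the source address is bound to the user."""
    expected = directory.get(username, "")
    if expected and hmac.compare_digest(expected, password):
        auth[src_ip] = username
        return True
    return False


# constructed policy table: 205 = RDP (plus HTTP(S) to log in) for alice only,
# 170 = everything except RDP for everybody
P205 = Policy(205, "VPN_PeerA", "port1", services={"RDP", "HTTP", "HTTPS"}, users={"alice"})
P170 = Policy(170, "VPN_PeerA", "port1", services={"RDP"}, service_negate=True)
DIRECTORY = {"alice": "constructed-pw-1", "bob": "constructed-pw-2"}   # constructed users
ALICE_IP, BOB_IP = "10.212.134.200", "10.212.134.201"                  # constructed client IPs


def run_scenario(policies: List[Policy]) -> Dict[str, Tuple[str, int]]:
    """Replay the thread's situation against a given policy order."""
    auth: Dict[str, str] = {}
    out: Dict[str, Tuple[str, int]] = {}

    def sess(ip: str, service: str) -> Session:
        return Session("VPN_PeerA", "port1", ip, service)

    out["alice RDP, not logged in"] = evaluate(policies, sess(ALICE_IP, "RDP"), auth)
    first_http = evaluate(policies, sess(ALICE_IP, "HTTP"), auth)
    out["alice HTTP, not logged in"] = first_http
    if first_http[0] == "auth-required":     # login page only appears if the IB policy saw the HTTP
        portal_login(auth, ALICE_IP, "alice", "constructed-pw-1", DIRECTORY)
    out["alice RDP afterwards"] = evaluate(policies, sess(ALICE_IP, "RDP"), auth)
    out["alice SSH afterwards"] = evaluate(policies, sess(ALICE_IP, "SSH"), auth)
    portal_login(auth, BOB_IP, "bob", "constructed-pw-2", DIRECTORY)
    out["bob RDP, logged in"] = evaluate(policies, sess(BOB_IP, "RDP"), auth)
    out["bob SSH, logged in"] = evaluate(policies, sess(BOB_IP, "SSH"), auth)
    return out


if __name__ == "__main__":
    for order, label in (([P205, P170], "user policy first"), ([P170, P205], "general policy first")):
        print(f"--- {label}")
        for k, v in run_scenario(order).items():
            print(f"{k:28s} -> {v[0]:14s} policy {v[1]}")
```

With the user policy first, alice's unauthenticated RDP is denied by 205 (the situation in the debug flow), her HTTP session is challenged, and after the login her RDP is accepted by 205 while everything else for her and for bob falls through to 170; bob's RDP falls through 205 (wrong user) and is excluded by 170, so it ends at the implicit deny. With the general policy first, alice's HTTP is accepted by 170 without a challenge, so she never authenticates and RDP keeps being denied.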