Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VPN users to hitting the correct outgoing Firewall Policy

I am having issues with getting outgoing SSL VPN setup

  • FortiGate FGT200F-HA1 cluster running v7.2.4 firmware.
  • DUO Authentication Proxy 6.3.0
  • Windows Server 2016

The VPN is setup as

  • Users connect to the VPN remotely via FortiClient VPN.
  • All traffic goes though the SSL VPN.
  • User are authenticated via Active Directory username, password, DUO 2-Factor

and must be a member of two groups, one to allow VPN, and the other to determine their web access

  • The DUO Radius server is local.
  • All users are Domain joined and Windows OS based.

Below is my current configuration remote users can connect successfully and 2-factors works, and all users outgoing web access to sites is the same.


Incoming Firewall Policy for VPN


What I am trying to do and it not working is to filter the Outgoing traffic based on the users Active Directory group.

I have created more Firewall Policies like the one below but when activated VPN users always hit the first Firewall policy even if they are not in the active directory group.


I have checked the FortiGate Source rules, and it says if the Source types are different then it’s “AND” and if they are the same its “OR”.

So the example should only be met if all sources are met.






First of all, try update your FortiOS to 7.2.7. I see there is already FSSO bug fixed on 7.2.5 that may have relationship with your issue.

873313    SSL VPN policy is ignored if no user or user group is set and the FSSO group is set.

In all cases you need update to 7.2.7 to fix the VPN vulnerability if you want to stay safe.

Top Kudoed Authors