Does anybody know about a way to utilize user/group identities of VPN clients on a FortiGate which is not their VPN gateway?
What I mean is:
Let's say people connect by FortiClient to FortiGate1. It's very easy and handy to include their group identity in firewall policies on this very FortiGate, because it has authenticated & authorized them and it knows who they are.
But then their traffic is forwarded to FortiGate2, which sees only source IP addresses and nothing more. So unless I assign each group of users VPN addresses from a different range (which is very inflexible and doesn't cover the case where a user belongs to multiple groups), FortiGate2 has no way to differentiate between them.
Is there some new elegant technology to solve this, which I don't know about?