julianhaines
New Contributor

VPN users hitting the correct outgoing Firewall Policy

I am having issues with getting the outgoing SSL VPN set up.

  • FortiGate FGT200F-HA1 cluster running v7.2.4 firmware.
  • DUO Authentication Proxy 6.3.0
  • Windows Server 2016

The VPN is set up as follows:

  • Users connect to the VPN remotely via FortiClient VPN.
  • All traffic goes through the SSL VPN.
  • Users are authenticated via Active Directory username, password and DUO 2-factor, and must be members of two groups: one to allow VPN, and the other to determine their web access.

  • The DUO Radius server is local.
  • All users are Domain joined and Windows OS based.

Below is my current configuration. Remote users can connect successfully and 2-factor works, and all users' outgoing web access to sites is the same.


Incoming Firewall Policy for VPN

[attached image: Incomming.png]

What I am trying to do, and it is not working, is to filter the outgoing traffic based on the user's Active Directory group.

I have created more Firewall Policies like the one below, but when they are activated, VPN users always hit the first Firewall policy even if they are not in the Active Directory group.

[attached image: Example.png]

I have checked the FortiGate Source rules, and it says that if the Source types are different then it's "AND", and if they are the same it's "OR".

So the example should only be met if all sources are met.


Thanks
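To make the source-matching rule and top-down policy evaluation concrete, here is an added Python model (not the poster's configuration and not Fortinet code; policy, address and group names are constructed) that reproduces the symptom when a policy with no user group sits above the group-specific ones, and shows the result when the most specific policies are placed first. It assumes the matching semantics exactly as the post states them: different source types are ANDed, same-type entries are ORed, and the first matching policy wins.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    src_addrs: set = field(default_factory=set)  # address objects; empty = not set
    groups: set = field(default_factory=set)     # user/FSSO groups; empty = not set

@dataclass
class Session:
    user: str
    src_addr: str
    groups: set = field(default_factory=set)  # groups the user was resolved into

def policy_matches(p: Policy, s: Session) -> bool:
    # Different source types (address vs. group) are ANDed: each configured
    # type must match. Same-type entries are ORed: any one address or any one
    # group suffices. A type with nothing configured imposes no constraint.
    addr_ok = (s.src_addr in p.src_addrs) if p.src_addrs else True
    group_ok = bool(s.groups & p.groups) if p.groups else True
    return addr_ok and group_ok

def first_match(policies: list, s: Session) -> str:
    # Policies are evaluated top-down; the first match wins.
    for p in policies:
        if policy_matches(p, s):
            return p.name
    return "implicit-deny"

def match_all(policies: list, sessions: list) -> dict:
    return {s.user: first_match(policies, s) for s in sessions}

# Constructed sample objects (hypothetical names, not the poster's config).
TUNNEL = {"SSLVPN_TUNNEL_ADDR1"}
ALL_VPN = Policy("ssl-vpn-all", TUNNEL)                                  # no group set
WEB_FULL = Policy("ssl-vpn-web-full", TUNNEL, {"VPN-Web-Full"})
WEB_RESTRICTED = Policy("ssl-vpn-web-restricted", TUNNEL, {"VPN-Web-Restricted"})

SESSIONS = [
    Session("alice", "SSLVPN_TUNNEL_ADDR1", {"VPN-Users", "VPN-Web-Full"}),
    Session("bob", "SSLVPN_TUNNEL_ADDR1", {"VPN-Users", "VPN-Web-Restricted"}),
    Session("carol", "SSLVPN_TUNNEL_ADDR1", {"VPN-Users"}),
]

# Symptom from the post: a group-less policy at the top matches every VPN
# user, so the group-specific policies below it are never reached.
BROAD_FIRST = [ALL_VPN, WEB_FULL, WEB_RESTRICTED]
# Most specific first, catch-all last: each user lands on their group policy.
SPECIFIC_FIRST = [WEB_FULL, WEB_RESTRICTED, ALL_VPN]
```

The model does not cover how FSSO learns a user's group membership, nor the firmware defect the reply below cites, so a correct policy order can still misbehave on affected FortiOS builds.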

AEK
SuperUser

First of all, try updating your FortiOS to 7.2.7. I see there is already an FSSO bug fixed in 7.2.5 that may be related to your issue.

873313    SSL VPN policy is ignored if no user or user group is set and the FSSO group is set.

In any case, you need to update to 7.2.7 to fix the VPN vulnerability if you want to stay safe.

https://docs.fortinet.com/document/fortigate/7.2.7/fortios-release-notes/289806

AEK