FortiGate
skaneria
Staff
Article Id 193349
Description
When a user connects to SSL VPN, the user receives the assigned portal, which provides access to the resources allocated to that specific user.

This article describes the case where a user receives an incorrect portal and how to correct it.

Solution
If a user is getting an incorrect portal, check the following:

1) Whether the user is part of multiple groups.
2) Whether a policy has been created for that user.
3) The order of the policies.

Example:

User1 is part of both the management and employee groups, whereas User2 is part of only the employee group.

The full-access portal is assigned to the management group and the tunnel-access portal is assigned to the employee group.

The policies are configured as below:





The portal setting is configured as below:




When User1 connects to the VPN, User1 receives the tunnel-access portal and not the full-access portal.

To resolve this, the policy order needs to be changed as below:




Once the policy order is changed, User1 will receive the full-access portal, which is configured for the management group.
This happens because the firewall performs the policy lookup from top to bottom: it tries to match the user/group and, once the user/group is matched, the respective portal is assigned.
In the above example, when the employee group is above the management group and User1 is also part of the employee group, the firewall allocates tunnel-access to User1 because the policy lookup matched policy ID 5.
Similarly, if a user/group is referenced in the policy but does not match any group/user configured in the SSL VPN settings, that user will get the default portal configured under 'All Other Users/Groups'.
If a user is part of multiple user groups, create the policies in such a way that the more specific user group matches first, so that users get the correct VPN portal.
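The lookup described above can be modelled offline to find users whose portal depends on policy order. This is an added example, not FortiOS code or Fortinet tooling: the group names, portals and policy ID 5 come from the article, while User3, the "contractor" group, policy IDs 6 and 7 and the default portal name are constructed placeholders.

```python
# Model of the top-to-bottom lookup described in this article; not FortiOS code.
DEFAULT_PORTAL = "all-other-users-portal"  # placeholder for 'All Other Users/Groups'

# Group-to-portal mapping from the article's example.
PORTAL_BY_GROUP = {"management": "full-access", "employee": "tunnel-access"}

# Memberships from the article; User3/"contractor" is constructed to show the fallback.
MEMBERSHIP = {
    "User1": {"management", "employee"},
    "User2": {"employee"},
    "User3": {"contractor"},
}

# Ordered (policy_id, group). ID 5 is from the article; 6 and 7 are constructed.
BEFORE = [(5, "employee"), (6, "management"), (7, "contractor")]
AFTER = [(6, "management"), (5, "employee"), (7, "contractor")]


def assigned_portal(user, policies):
    """Return (policy_id, portal) for the first policy whose group contains the user."""
    groups = MEMBERSHIP.get(user, set())
    for policy_id, group in policies:
        if group in groups:
            # A group used in a policy but absent from the portal mapping
            # falls back to the default portal.
            return policy_id, PORTAL_BY_GROUP.get(group, DEFAULT_PORTAL)
    return None, None  # no policy matched; the article does not cover this case


def order_sensitive_users(policies):
    """Map each user whose portal depends on policy order to the portals
    they could receive, in lookup order (first entry is the one assigned)."""
    findings = {}
    for user, groups in MEMBERSHIP.items():
        portals = []
        for _, group in policies:
            portal = PORTAL_BY_GROUP.get(group, DEFAULT_PORTAL)
            if group in groups and portal not in portals:
                portals.append(portal)
        if len(portals) > 1:
            findings[user] = portals
    return findings


if __name__ == "__main__":
    for name, order in (("before", BEFORE), ("after", AFTER)):
        for user in MEMBERSHIP:
            print(name, user, assigned_portal(user, order))
    print("review:", order_sensitive_users(BEFORE))
```

Any user returned by `order_sensitive_users` is a candidate for the check in step 3: confirm that the first portal listed is the one that user is meant to have.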

