FortiGate
Chong_Yoon_Fui_FTNT
Article Id 191728
Description
This article describes what to do when an LDAP group user does not match the intended SSL VPN authentication-rule, and how to make sure the user is assigned an IP address from the correct source IP pool.

Solution
Assume the SSL VPN is set up as described below, and compare the test result for each situation.

1) The firewall policy includes both the group object and the user object, and the authentication-rule contains only the group object:
- When an LDAP user logs in to the SSL VPN, the user is matched to the default portal.
As a result, the user does not receive an IP address from the custom source IP pool.

2) The firewall policy includes both the group object and the user object, and the authentication-rule contains only the user object:
- When the same LDAP user logs in to the SSL VPN, the user is matched to the custom portal.
As a result, the user is assigned an IP address from the custom source IP pool.

The difference between the two results is whether the object matched in the firewall policy is also present in the authentication-rule.
In the first case, the user object was matched in the firewall policy first, but the authentication-rule contained no user object, so the user fell through to the default portal and was not assigned an address from the custom source IP pool.
Conversely, if the firewall policy contains only group objects and the authentication-rule contains those same group objects, the user obtains an IP address from the custom source IP pool as expected.

In conclusion, to assign an LDAP user an IP address from the custom source IP pool, the same object (user or group) must match in both the firewall policy and the authentication-rule. If the SSL VPN firewall policy references both a group object and a user object, reference both in the authentication-rule as well, so that whichever object the policy matches is also found in the rule.
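As an added check, not part of this article or of any Fortinet tool, the following Python script parses a constructed FortiOS configuration and reports every user or group object that an SSL VPN firewall policy names but no authentication-rule does. The embedded configuration, the object names (ldap-group, ldap-user, custom-portal, custom-pool) and the interface names are assumptions for illustration only; the address object custom-pool is assumed to exist. The script reproduces case 1 above (the rule names only the group) and the corrected configuration (the rule mirrors both objects).

```python
"""Lint a FortiOS config: every user/group object that an SSL VPN firewall
policy names must also be named by an SSL VPN authentication-rule."""
import re

# Constructed sample config (assumed names, not from the article). The policy
# names both an LDAP group and an LDAP user; {rule_users} is either empty
# (case 1) or a 'set users' line that mirrors the policy (the fix).
CONFIG_TEMPLATE = """\
config vpn ssl web portal
    edit "custom-portal"
        set tunnel-mode enable
        set ip-pools "custom-pool"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "ldap-group"
{rule_users}            set portal "custom-portal"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldap-group"
        set users "ldap-user"
    next
end
"""


def sample_config(rule_names_user):
    """Case 1 of the article (rule_names_user=False) or the corrected rule."""
    line = '            set users "ldap-user"\n' if rule_names_user else ""
    return CONFIG_TEMPLATE.format(rule_users=line)


def parse_set_lines(config_text):
    """Yield (path, key, values) for every 'set' line; path is the tuple of
    enclosing ('config', name) / ('edit', name) entries."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(("config", rest))
        elif word == "edit":
            stack.append(("edit", rest.strip('"')))
        elif word in ("next", "end"):
            stack.pop()
        elif word == "set":
            key, _, vals = rest.partition(" ")
            # quoted values may contain spaces; bare tokens may not
            values = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', vals)]
            yield tuple(stack), key, values


def extract(config_text):
    """Return (policies, rules): user/group sets per firewall policy and per
    SSL VPN authentication-rule, keyed by their edit ids."""
    policies, rules = {}, {}
    for path, key, values in parse_set_lines(config_text):
        if len(path) == 2 and path[0] == ("config", "firewall policy"):
            pol = policies.setdefault(path[1][1], {"srcintf": set(), "users": set(), "groups": set()})
            if key in pol:
                pol[key].update(values)
        elif (len(path) == 3 and path[0] == ("config", "vpn ssl settings")
              and path[1] == ("config", "authentication-rule")):
            rule = rules.setdefault(path[2][1], {"users": set(), "groups": set()})
            if key in rule:
                rule[key].update(values)
    return policies, rules


def find_unmatched(config_text, ssl_interface="ssl.root"):
    """Map policy id -> objects the SSL VPN policy names but no
    authentication-rule does; an empty dict means every object is mirrored."""
    policies, rules = extract(config_text)
    covered = {"users": set(), "groups": set()}
    for rule in rules.values():
        for kind in covered:
            covered[kind] |= rule[kind]
    unmatched = {}
    for pid, pol in policies.items():
        if ssl_interface not in pol["srcintf"]:
            continue
        missing = {kind: pol[kind] - covered[kind] for kind in covered}
        if any(missing.values()):
            unmatched[pid] = missing
    return unmatched


if __name__ == "__main__":
    print("case 1:", find_unmatched(sample_config(False)))  # user missing from rule
    print("fixed :", find_unmatched(sample_config(True)))   # {}
```

Run it against a backup taken with `show full-configuration` (or paste the relevant sections) to confirm that no SSL VPN policy references an object the authentication-rules omit; any entry it prints is a user who will land on the default portal instead of the custom one.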
