Created on 01-11-2010 06:22 AM Edited on 06-02-2022 08:13 AM By Anonymous
Description
This article explains what Firewall Policies are checked by the FortiGate system when accessing the device in SSL-VPN Web mode (portal).
Scope
FortiGate units, running FortiOS firmware version 4.00 MR3 or 5.0.x
Solution
SSL-VPN firewall policy lookup happens in two places, detailed hereafter:
1. User authentication process
The flow described below is an example when a user connects to the FortiGate unit up to the authentication:
2. Web Portal access
Once a user is authenticated and granted access to the Web portal, the traffic from this user's session is not limited to the SSL VPN policy that was matched for authentication, and each flow generated by user U from group G is matched against:
srcintf and srcaddr in the firewall policies are not used for traffic generated from the web portal; only the criteria listed above are used.
3. Example with the following Firewall Policies
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "FNET-INTERN"
        set dstaddr "FNET-ADMIN"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "USERS"
                set schedule "business_hours"
                set service "VNC"
            next
        end
    next
    edit 5
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "FNET-LOCAL1" "FNET-LOCAL2"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "USERS"
                set schedule "always"
                set service "RDP"
            next
        end
    next
end
User "fortinet" from group "USERS" was granted access to the portal by SSL-VPN policy 5; traffic for user "fortinet" will nevertheless be able to match policy 10 if:
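The lookup behaviour described above, as an added example that is not part of the original article and is not Fortinet code: a small Python simulator of the web-portal policy lookup over the two example policies. Because the article's own list of matching criteria did not survive on the page, the simulator assumes the criteria are the fields visible in the example policies (dstintf, dstaddr, user group, schedule and service of each ssl-vpn policy) and deliberately ignores srcintf and srcaddr. The subnets behind the FNET-* address objects, the service ports and the schedule hours are constructed sample data.

```python
"""Added example, not code from the Fortinet article: a simulator of the
SSL-VPN web-portal policy lookup the article describes.

Assumed matching criteria (taken from the fields visible in the two example
policies, since the article's own bullet list is missing on the page):
dstintf, dstaddr, user group, schedule and service of each ssl-vpn policy,
checked in policy-table order; srcintf and srcaddr are ignored.
Subnets, service ports and schedule hours below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed address objects; the article names them but gives no subnets.
ADDRESSES = {
    "FNET-INTERN": ["10.10.0.0/16"],
    "FNET-ADMIN": ["10.20.1.0/24"],
    "FNET-LOCAL1": ["10.30.1.0/24"],
    "FNET-LOCAL2": ["10.30.2.0/24"],
    "all": ["0.0.0.0/0"],
}

# Constructed service objects: (protocol, destination port).
SERVICES = {"VNC": ("tcp", 5900), "RDP": ("tcp", 3389)}

# Constructed schedules: allowed weekdays (0 = Monday) and inclusive hours.
SCHEDULES = {
    "always": (set(range(7)), (0, 23)),
    "business_hours": (set(range(5)), (8, 17)),
}

# Constructed timestamps used by the demonstration below.
OFFICE_HOURS = datetime(2024, 6, 11, 10, 0)   # a Tuesday, 10:00
NIGHT = datetime(2024, 6, 11, 22, 0)          # same Tuesday, 22:00
SUNDAY = datetime(2024, 6, 9, 10, 0)          # a Sunday, 10:00


@dataclass
class Identity:
    """One entry of a policy's identity-based-policy table."""
    groups: list
    schedule: str
    service: str


@dataclass
class Policy:
    policy_id: int
    srcintf: str      # present in the config, never consulted for portal flows
    dstintf: str
    srcaddr: list     # same
    dstaddr: list
    identities: list


# The two policies from the article, in the order the article prints them.
POLICIES = [
    Policy(10, "wan1", "dmz", ["FNET-INTERN"], ["FNET-ADMIN"],
           [Identity(["USERS"], "business_hours", "VNC")]),
    Policy(5, "wan1", "dmz", ["all"], ["FNET-LOCAL1", "FNET-LOCAL2"],
           [Identity(["USERS"], "always", "RDP")]),
]


def in_address(ip, names):
    """True if ip falls in any subnet of the named address objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in names for cidr in ADDRESSES[name])


def in_schedule(name, when):
    """True if the timestamp lies inside the named schedule."""
    days, (first, last) = SCHEDULES[name]
    return when.weekday() in days and first <= when.hour <= last


def lookup(groups, dstintf, dst_ip, proto, port, when, policies=POLICIES):
    """Return (policy_id, identity_index) of the first matching policy, or
    None.  The flow's source interface and source address are deliberately
    not parameters: the article states they are not used for traffic
    generated from the web portal."""
    for pol in policies:
        if pol.dstintf != dstintf or not in_address(dst_ip, pol.dstaddr):
            continue
        for idx, ident in enumerate(pol.identities, start=1):
            if (set(groups) & set(ident.groups)
                    and in_schedule(ident.schedule, when)
                    and SERVICES[ident.service] == (proto, port)):
                return (pol.policy_id, idx)
    return None


if __name__ == "__main__":
    # User "fortinet" (group USERS) logged in through policy 5, yet a VNC
    # flow to FNET-ADMIN during business hours is matched by policy 10.
    print(lookup(["USERS"], "dmz", "10.20.1.5", "tcp", 5900, OFFICE_HOURS))
    # Same flow at night: policy 10 fails on schedule, policy 5 on dstaddr.
    print(lookup(["USERS"], "dmz", "10.20.1.5", "tcp", 5900, NIGHT))
    # RDP to FNET-LOCAL2 at any hour is matched by policy 5.
    print(lookup(["USERS"], "dmz", "10.30.2.7", "tcp", 3389, NIGHT))
```

The simulator walks the policies in the order the article prints them and stops at the first match, which is how a FortiGate evaluates its policy table; on a real unit the position of a policy in the table, not its ID, decides which of two overlapping ssl-vpn policies wins, so the same flows can yield different results if the policies are reordered.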