FortiGate
rmetzger
Staff
Article Id 190122

Description
This article explains which Firewall Policies the FortiGate unit evaluates when a user accesses it in SSL-VPN web mode (portal), and which policy fields are consulted at each stage: first for the portal login itself, then for every flow the user generates from the portal.


Scope
FortiGate units running FortiOS firmware version 4.0 MR3 or 5.0.x.
Solution
SSL-VPN Firewall Policy lookup happens at two places:

  1. srcintf/srcaddr are used to allow or deny portal authentication (login)
  2. dstintf/dstaddr/service/schedule/group are used to allow or deny traffic from the portal to the destination

This is detailed hereafter.


1. User authentication process


The flow below describes what happens from the moment a user connects to the FortiGate unit up to authentication:

  • A user with IP address u.u.u.u connects to the FortiGate web portal (w.w.w.w:10443) on wan1.
  • FortiOS performs a Firewall Policy lookup for an SSL VPN policy (or several), based only on:
    • the source interface of the policies (wan1)
    • the source address of the policies
  • Once a matching SSL VPN policy is found, the web portal login page is displayed to the user.
  • If no matching SSL VPN policy is found, no login page is shown.
  • When the user logs in, the credentials provided are checked against the group(s) configured in that policy.
  • If the credentials do not match any of these groups, another policy lookup is performed to find the next matching SSL VPN policy.
  • This continues until either:
    • the user is granted access, or
    • the user is rejected because the credentials do not match the groups of any further matching SSL VPN policy.



2. Web Portal access

Once a user is authenticated and granted access to the web portal, the traffic from this user's session is not limited to the SSL VPN policy that was matched during authentication. Each flow generated by user U from group G is matched against:

  • the destination interface of the SSL VPN policies
  • the destination address of the SSL VPN policies
  • the schedule of the SSL VPN policies
  • the service of the SSL VPN policies
  • the group of the SSL VPN policies


srcintf and srcaddr in the Firewall Policies are no longer used for traffic generated from the web portal; only the criteria above are used. A restrictive srcaddr on one SSL VPN policy therefore does not limit what a portal session can reach: any SSL VPN policy whose group, destination interface, destination address, service and schedule match the user's flow can permit it. Restrictions that must hold for a given group have to be expressed through dstaddr, service and schedule on every SSL VPN policy that includes that group.


3. Example with the following Firewall Policies


config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "FNET-INTERN"
        set dstaddr "FNET-ADMIN"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "USERS"
                set schedule "business_hours"
                set service "VNC"
            next
        end
    next
    edit 5
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "FNET-LOCAL1" "FNET-LOCAL2"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "USERS"
                set schedule "always"
                set service "RDP"
            next
        end
    next
end




User "fortinet" from group "USERS" was granted access to the portal by SSL VPN policy number 5 (for instance because the user's source address is not in "FNET-INTERN", so policy 10 did not match at login). Traffic from that portal session will nevertheless be able to match policy number 10, whose srcaddr "FNET-INTERN" is ignored at this stage, if:

  •  the egress interface is dmz
  •  the destination IP belongs to "FNET-ADMIN"
  •  the traffic matches the VNC service
  •  the "business_hours" schedule is valid at that moment
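The two-stage lookup described in sections 1 and 2, applied to the two policies of section 3, as an added simulation written for this article (it is not FortiOS code and not part of the original page). Address objects, services and schedules are reduced to plain Python data with constructed, hypothetical values (the 10.10.0.0/16 and 192.168.x.0/24 ranges, the VNC/RDP ports, the 08:00-18:00 business hours), and policies are assumed to be evaluated top-down in the order the article lists them:

```python
import ipaddress
from dataclasses import dataclass

# Constructed address objects: hypothetical ranges, not taken from the article.
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "FNET-INTERN": ["10.10.0.0/16"],
    "FNET-ADMIN": ["192.168.50.0/24"],
    "FNET-LOCAL1": ["192.168.10.0/24"],
    "FNET-LOCAL2": ["192.168.20.0/24"],
}
# Constructed service objects: (protocol, destination port).
SERVICES = {"VNC": ("tcp", 5900), "RDP": ("tcp", 3389)}
# Schedules reduced to the hours (0-23) during which they are valid (assumption).
SCHEDULES = {"always": set(range(24)), "business_hours": set(range(8, 18))}


@dataclass
class IdentityPolicy:
    groups: frozenset
    schedule: str
    service: str


@dataclass
class SslVpnPolicy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: tuple
    dstaddr: tuple
    identity: tuple


def addr_match(names, ip):
    """True if ip falls inside any network of the named address objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for n in names for net in ADDRESSES[n])


# The two policies from section 3, in the order the article lists them
# (assumed to be the policy table order that is evaluated top-down).
POLICIES = (
    SslVpnPolicy(10, "wan1", "dmz", ("FNET-INTERN",), ("FNET-ADMIN",),
                 (IdentityPolicy(frozenset({"USERS"}), "business_hours", "VNC"),)),
    SslVpnPolicy(5, "wan1", "dmz", ("all",), ("FNET-LOCAL1", "FNET-LOCAL2"),
                 (IdentityPolicy(frozenset({"USERS"}), "always", "RDP"),)),
)


def authenticate(src_intf, src_ip, user_groups):
    """Stage 1 (portal login): srcintf/srcaddr select the candidate policies;
    the user's groups are then checked against each candidate in turn.
    Returns the id of the policy that granted portal access, or None."""
    for p in POLICIES:
        if p.srcintf != src_intf or not addr_match(p.srcaddr, src_ip):
            continue
        if any(idp.groups & user_groups for idp in p.identity):
            return p.policyid
    return None


def portal_flow(user_groups, dst_intf, dst_ip, proto, port, hour):
    """Stage 2 (traffic from the portal): srcintf/srcaddr are ignored;
    dstintf, dstaddr, service, schedule and group decide. Returns the id of
    the first SSL VPN policy that permits the flow, or None (flow denied)."""
    for p in POLICIES:
        if p.dstintf != dst_intf or not addr_match(p.dstaddr, dst_ip):
            continue
        for idp in p.identity:
            if (idp.groups & user_groups
                    and SERVICES[idp.service] == (proto, port)
                    and hour in SCHEDULES[idp.schedule]):
                return p.policyid
    return None


if __name__ == "__main__":
    user = frozenset({"USERS"})
    # "fortinet" logs in from outside FNET-INTERN, so policy 5 grants the portal...
    print("portal granted by policy", authenticate("wan1", "203.0.113.7", user))
    # ...yet VNC to FNET-ADMIN during business hours is permitted by policy 10.
    print("VNC to FNET-ADMIN ->", portal_flow(user, "dmz", "192.168.50.10", "tcp", 5900, 10))
    # RDP to FNET-ADMIN matches neither policy and is denied.
    print("RDP to FNET-ADMIN ->", portal_flow(user, "dmz", "192.168.50.10", "tcp", 3389, 10))
```

The point the simulation makes visible is that `authenticate` never looks at dstaddr, service or schedule, while `portal_flow` never looks at srcintf or srcaddr: a user admitted through the permissive policy 5 reaches "FNET-ADMIN" over VNC through policy 10 even though the session's source address would not have matched policy 10 at login.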
 

 
