Support Forum
1mm
Contributor

Fortigate FortiVPN

Hello,

We have a virtual FortiGate deployed in Azure. We activated Remote Access VPN (FortiVPN) and integrated it with Azure SAML. Authentication is done based on group, and I have a question regarding these groups.

For example:

If I have group_1, which has access to server_1 and server_2, and I also have user_A, who is a member of group_1.

I also have group_2, which has access to Server_3, and user_B.

And User_A can access the servers provided by group_1.

And User_B can access the servers provided by group_2.

But if I then need to give User_A access to Server_3, what do I need to do? Do I need to add this user also to Group_2? Or do I need to create Group_3, give this group access to server_1, server_2 and server_3, and then add User_A to this group?

 

1 Solution
hbac

@1mm,

Both group A and B must be mapped under SSL-VPN Settings. You also need a firewall policy to allow group B.

Regards,

hbac
Staff

Hi @1mm,

It is better to move User_A to a new group which has access to Server 1, 2 and 3.

Regards, 

1mm
Contributor

Thanks @hbac 

As I understand it, there is no possibility for a user to be a member of several groups?

mauromarme
Staff

Hello @1mm 
That's completely up to you.
You can create a new group and add that user or you can add that user to multiple groups. 
Regards,

Mauricio Marin
Fortinet TAC Senior Engineer
1mm

Thanks @mauromarme 

I did some tests: 

I created 2 groups on Azure, Group_A and Group_B, and mapped them to the FortiGate. Group_A I selected as the group for authentication (where you select a group in the VPN settings and then map it to the portal) and provided some type of access. I added the user to Group_A and this user had access to the servers which were accepted for Group_A. Then I added several rules where I selected Group_B as source as well, and additionally added the user to this group, but he did not receive access to the servers for Group_B (I did not map this group to the portal in the VPN settings). Where is the issue or misconfiguration?

1mm
Contributor

Are there any ideas? 

Debbie_FTNT

Hey 1mm,

In principle, as long as the SAML server returns all group memberships in the assertion, FortiGate should know the user is a member of multiple groups, and allow access to policies accordingly.

Please ensure you have the following set up:
- user groups with remote SAML server as member, and filtering on the group name sent by SAML

- in the SAML server settings, ensure FortiGate is set up with correct assertions:
config user saml
edit <SAML server>
set group-name <group assertion>
end


As an example:
- SAML server sends the group name in an assertion called "group", then in FortiGate you need 'set group-name "group"'
- SAML server sends the group name in an assertion called "group-id" then in FortiGate you need 'set group-name "group-id"'

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

mauromarme

Hi @1mm 
Both groups should be mapped on the SSL VPN configuration. 
If you only map Group_A to SSL, the only rules that are going to work are the ones for Group_A.

Mauricio Marin
Fortinet TAC Senior Engineer
1mm
Contributor

Thanks friends for help! 
