This article describes how a FortiGate matches an SSL-VPN user to all of the user groups the user belongs to once the user has authenticated on SSL-VPN.
Solution
Step 1: ‘sslvpntest1’ is used as the sample SSL-VPN user.
Step 2: ‘sslvpntest1’ is a member of ‘sslvpngrp1’, ‘sslvpngrp2’, ‘sslvpngrp3’, ‘sslvpngrp4’ and ‘sslvpngrp5’.
Step 3: Make sure that an IPv4 policy has been configured for each group that ‘sslvpntest1’ is a member of (a policy with the SSL-VPN tunnel interface as the source interface and the group in its source user/group list). A group without a matching policy grants the user no access for that group.
Step 4: Once ‘sslvpntest1’ authenticates on SSL-VPN, all the groups that ‘sslvpntest1’ is a member of are visible under FIREWALL USER MONITOR.
Step 5: The same can be confirmed in the CLI by running this command:
# get vpn ssl monitor
Step 6: For debugging, run these commands before the user connects:
# diag debug app fnbamd -1
# diag debug en
The sample log below also contains lines from the SSL-VPN daemon (for example fsv_associate_fd_to_ipaddr and sslvpn_read_request_common), which are produced by enabling SSL-VPN debug as well:
# diag debug app sslvpn -1
When finished, disable the debug output so it does not keep consuming CPU on the unit:
# diag debug disable
# diag debug reset
Step 7: Here is a sample log that shows how the FortiGate matches ‘sslvpntest1’ to every group it is a member of after the user authenticates on SSL-VPN. Each ‘add user ... in group’ line is followed by the ID of the firewall policy that will be applied for that group, and the final ‘Add auth logon’ line records the user, its primary group and the number of groups matched.
[624:root:18]add user sslvpntest1 in group sslvpngrp5
[624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp4
[624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp3
[624:root:18]Will add auth policy for policy 5 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp2
[624:root:18]Will add auth policy for policy 4 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp1
[624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1
[624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6
[624:root:18]fsv_associate_fd_to_ipaddr:1910 associate 10.212.134.200 to tun (ssl.root:37)
[624:root:18]proxy arp: scanning 6 interfaces for IP 10.212.134.200
[624:root:18]Cannot determine ethernet address for proxy ARP
[624:root:17]sslvpn_read_request_common,679, ret=-1 error=-1, sconn=0x7feb1b378900.
[624:root:17]Destroy sconn 0x7feb1b378900, connSize=1. (root)
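When the debug output is long, or a user is a member of many groups, it is easier to check the group matching with a small script than by eye. The following parser is an added example and is not part of this article or of any Fortinet tool. It reads the debug lines shown above (embedded here as a constructed sample so it runs offline; in practice paste in the output of the debug commands from Step 6), lists the groups the user was added to and the policy ID recorded for each, and flags any expected group that never appears or that has no policy line after it. The pairing of a group with the ‘Will add auth policy’ line that directly follows it is an assumption based on the order in the sample log, as is the idea that a group with no IPv4 policy would produce no such line; the function names and the SslVpnLogon class are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the debug lines from the article, embedded so the script
# runs offline. Replace with the real output of "diag debug app fnbamd -1" /
# "diag debug app sslvpn -1" on the FortiGate.
SAMPLE_LOG = """\
[624:root:18]add user sslvpntest1 in group sslvpngrp5
[624:root:18]Will add auth policy for policy 7 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp4
[624:root:18]Will add auth policy for policy 6 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp3
[624:root:18]Will add auth policy for policy 5 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp2
[624:root:18]Will add auth policy for policy 4 for user sslvpntest1:sslvpngrp1
[624:root:18]add user sslvpntest1 in group sslvpngrp1
[624:root:18]Will add auth policy for policy 3 for user sslvpntest1:sslvpngrp1
[624:root:18]Add auth logon for user sslvpntest1:sslvpngrp1, matched group number 6
[624:root:18]fsv_associate_fd_to_ipaddr:1910 associate 10.212.134.200 to tun (ssl.root:37)
"""

# Patterns for the three line types that matter; the "[pid:vdom:conn]" prefix
# is skipped by anchoring on the closing bracket.
ADD_GROUP = re.compile(r"\]add user (\S+) in group (\S+)$")
ADD_POLICY = re.compile(r"\]Will add auth policy for policy (\d+) for user (\S+):(\S+)$")
LOGON = re.compile(r"\]Add auth logon for user (\S+):(\S+), matched group number (\d+)$")


@dataclass
class SslVpnLogon:
    """What the debug output says about one SSL-VPN logon (example type)."""
    user: Optional[str] = None
    # group -> policy ID; None if no policy line followed the group line
    # (assumption: the policy line directly follows its group line)
    groups: Dict[str, Optional[int]] = field(default_factory=dict)
    primary_group: Optional[str] = None
    matched_group_number: Optional[int] = None


def parse_logon(text: str) -> SslVpnLogon:
    """Extract user, groups, policy IDs and the logon summary from debug output."""
    result = SslVpnLogon()
    pending_group: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = ADD_GROUP.search(line)
        if m:
            result.user = m.group(1)
            pending_group = m.group(2)
            result.groups[pending_group] = None
            continue
        m = ADD_POLICY.search(line)
        if m:
            if pending_group is not None:
                result.groups[pending_group] = int(m.group(1))
                pending_group = None
            continue
        m = LOGON.search(line)
        if m:
            result.user = m.group(1)
            result.primary_group = m.group(2)
            result.matched_group_number = int(m.group(3))
    return result


def check_membership(result: SslVpnLogon,
                     expected_groups: List[str]) -> Tuple[List[str], List[str]]:
    """Return (groups never matched, groups matched but with no policy line)."""
    missing = sorted(set(expected_groups) - set(result.groups))
    no_policy = sorted(g for g, policy in result.groups.items() if policy is None)
    return missing, no_policy


if __name__ == "__main__":
    logon = parse_logon(SAMPLE_LOG)
    print(f"user={logon.user} primary_group={logon.primary_group} "
          f"matched_group_number={logon.matched_group_number}")
    for group, policy in logon.groups.items():
        print(f"  {group}: policy {policy}")
    expected = ["sslvpngrp1", "sslvpngrp2", "sslvpngrp3", "sslvpngrp4", "sslvpngrp5"]
    print("missing / without policy:", check_membership(logon, expected))
```

Run it against the raw debug capture for a user; a group listed under ‘missing’ means the FortiGate never added the user to that group at logon (check the group membership and the authentication source), while a group ‘without policy’ points back to Step 3.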