Fortinet v3.0 MR7 manual SSL VPN user groups, Protection profiles

Models: v3.0 MR7


User groups

Users/peers and user groups

Note: You cannot use Directory Service user groups directly in FortiGate firewall policies. You must add Directory Service groups to FortiGate user groups. A Directory Service group should belong to only one FortiGate user group. If you assign it to multiple FortiGate user groups, the FortiGate unit recognizes only the last user group assignment.

For a Directory Service user group, the Directory Service server authenticates users when they log on to the network. The FortiGate unit receives the user’s name and IP address from the FSAE collector agent. For more information about FSAE, see the FSAE Technical Note.

A Directory Service user group provides access to a firewall policy that requires Directory Service type authentication and lists the user group as one of the allowed groups. The members of the user group are Directory Service users or groups that you select from a list that the FortiGate unit receives from the Directory Service servers that you have configured. See “Directory Service servers” on page 27.

Note: A Directory Service user group cannot have SSL VPN access.

For more information about users and user groups, see the FortiGate Administration Guide.

SSL VPN user groups

An SSL VPN user group provides access to a firewall policy that requires SSL VPN type authentication and lists the user group as one of the allowed groups. Local user accounts, LDAP, and RADIUS servers can be members of an SSL VPN user group. The FortiGate unit requests the user’s user name and password when the user accesses the SSL VPN web portal. The user group settings include options for SSL VPN features.

An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. You configure the user’s VPN client with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

Protection profiles

Note: A user group cannot be an IPSec dialup group if any member is authenticated using a RADIUS or LDAP server.

Each user group is associated with a protection profile to determine the antivirus, web filtering, spam filtering, logging, and intrusion protection settings that apply to the authenticated connection. The FortiGate unit contains several pre-configured protection profiles and you can create your own as needed.

When you create or modify any firewall policy, you can select a protection profile. If the firewall policy requires authentication, the profile selected in the policy is ignored and the protection profile of the authenticating user group applies instead.

Note: Protection profiles do not apply to VPN connections.
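The rules stated in the user-group and protection-profile sections above (a Directory Service group belongs to one FortiGate user group, a Directory Service user group cannot have SSL VPN access, an IPSec dialup group cannot contain LDAP- or RADIUS-authenticated members, and an authenticating policy uses the user group's protection profile rather than its own) as a small Python audit model. This is an added example, not Fortinet's code or CLI: the UserGroup and FirewallPolicy classes, their field names and the sample configuration are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UserGroup:
    name: str
    group_type: str            # "firewall", "sslvpn" or "directory-service" (assumed labels)
    members: dict              # member name -> how it authenticates: "local", "ldap", "radius" or "ds"
    protection_profile: str = "unfiltered"
    sslvpn_access: bool = False
    ipsec_dialup: bool = False

@dataclass
class FirewallPolicy:
    name: str
    protection_profile: str
    allowed_groups: list = field(default_factory=list)   # empty list: no authentication required

def effective_profile(policy, group_index, authenticated_group=None):
    """A policy that requires authentication uses the user group's profile, not its own."""
    if not policy.allowed_groups:
        return policy.protection_profile
    if authenticated_group not in policy.allowed_groups:
        raise ValueError(f"{authenticated_group!r} is not allowed by policy {policy.name!r}")
    return group_index[authenticated_group].protection_profile

def audit(groups):
    """Return (group name, message) pairs for each rule on this page that the configuration breaks."""
    findings, ds_owner = [], {}
    for g in groups:
        for member, auth in g.members.items():
            if auth == "ds":
                if member in ds_owner:
                    findings.append((g.name, f"Directory Service group {member!r} is also in "
                                             f"{ds_owner[member]!r}; only the last assignment is recognised"))
                ds_owner[member] = g.name
        if g.group_type == "directory-service" and g.sslvpn_access:
            findings.append((g.name, "a Directory Service user group cannot have SSL VPN access"))
        if g.ipsec_dialup and any(a in ("ldap", "radius") for a in g.members.values()):
            findings.append((g.name, "an IPSec dialup group cannot contain LDAP- or RADIUS-authenticated members"))
    return findings

# Constructed sample configuration (all names are made up for this example).
GROUPS = [
    UserGroup("sales_ds", "directory-service", {"CORP/Sales": "ds"}, "strict"),
    UserGroup("sales_ds2", "directory-service", {"CORP/Sales": "ds"}, "web", sslvpn_access=True),
    UserGroup("remote", "sslvpn", {"alice": "local", "ldap_srv": "ldap"}, "scan", ipsec_dialup=True),
]
GROUP_INDEX = {g.name: g for g in GROUPS}
POLICY = FirewallPolicy("internal_to_wan", "unfiltered", allowed_groups=["remote"])
```

Running audit(GROUPS) reports three violations (two against sales_ds2, one against remote), and effective_profile(POLICY, GROUP_INDEX, "remote") returns "scan" because the policy requires authentication.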


FortiOS v3.0 MR7 User Authentication User Guide

40

01-30007-0347-20080828
