
SSL VPN security policies based on VPN users are not being matched on USG6300

Publication Date:  2016-05-31 Views:  193 Downloads:  0
Issue Description

The security policies created based on users are not being matched by these users when they authenticate via SSL VPN.

In this scenario the SSL VPN configuration itself is working; the goal is to implement policy filtering based on the authenticated users.



This example refers to the scenario above.

->in this scenario SSL VPN was configured and is working.

->the remote users can access the SSL VPN gateway

->users were created

->two users are authenticated via SSL VPN

              =>differentiated permissions are wanted for the users, for example, CLIENT1 should have access to the whole internal network and CLIENT2 should have access only to the Server

  First Step: create security policies for both users

  ->for the sake of simplicity, the security policies focus on the User filter.

          Name:                 policy_client1
          Source Zone:          any
          Destination Zone:     any
          User:                 CLIENT1
          Action:               Permit

                   =>the policy will permit client1 to have access to the LAN network

          Name:                          policy_client2
          Source Zone:                   any
          Destination Zone:              any
          Destination Address/Region:    192.169.1.2/32
          User:                          CLIENT2
          Action:                        Permit

                =>the policy will permit client2 to have access only to the server in the LAN

If only this is configured, the policies will not take effect for the client1 and client2 users: their traffic is not matched against these policies.


Solution

In order to implement differentiated permissions based on the VPN user, after the security policies from the FIRST STEP have been configured, an Authentication Policy needs to be configured on the firewall.

Second Step:

under Policy -> Authentication Policy

                Source zone:          any
                Dest zone:            any
                Source address:       <virtual IP range configured for SSL users>
                Destination address:  any
                Action:               auth


After the Authentication Policy has been configured, the firewall binds the authenticated username to the client's assigned virtual IP and applies the security policies created for those users.

            ->client1 will have access to the whole LAN network

            ->client2 will have access only to the server, according to its policy.
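The behaviour described in the two steps above, as an added example that is not part of the original article and not Huawei's policy-matching code: a constructed, simplified model in which user-based security policies can only match once an authentication policy covers the source address and a username is bound to it. The 10.10.10.0/24 SSL VPN address pool, the client virtual IPs and the LAN host 192.169.1.50 are assumptions; the policy names, users and the server address 192.169.1.2/32 come from the article.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed virtual IP range handed out to SSL VPN users (not from the article).
SSL_VPN_POOL = ip_network("10.10.10.0/24")


@dataclass
class SecurityPolicy:
    name: str
    user: Optional[str] = None   # None means "any user"
    dst: Optional[str] = None    # None means any destination address
    action: str = "permit"


@dataclass
class AuthPolicy:
    src: str                     # source range whose traffic must be authenticated
    action: str = "auth"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str


@dataclass
class Firewall:
    security_policies: list
    auth_policies: list = field(default_factory=list)
    # Identity learned when the SSL VPN client authenticated: assigned VIP -> username.
    vpn_sessions: dict = field(default_factory=dict)

    def identity_for(self, src_ip: str) -> Optional[str]:
        """Return the username bound to src_ip, but only if an authentication
        policy with action 'auth' covers that address. Without such a policy the
        firewall has no user attribute to match the flow against."""
        addr = ip_address(src_ip)
        for ap in self.auth_policies:
            if ap.action == "auth" and addr in ip_network(ap.src):
                return self.vpn_sessions.get(src_ip)
        return None

    def match(self, flow: Flow):
        """First-match evaluation of the security policy list; the default
        policy denies anything that matches no rule."""
        user = self.identity_for(flow.src_ip)
        for sp in self.security_policies:
            if sp.user is not None and sp.user != user:
                continue
            if sp.dst is not None and ip_address(flow.dst_ip) not in ip_network(sp.dst):
                continue
            return sp.name, sp.action
        return None, "deny"


# Security policies from the article's First Step.
POLICIES = [
    SecurityPolicy("policy_client1", user="CLIENT1"),
    SecurityPolicy("policy_client2", user="CLIENT2", dst="192.169.1.2/32"),
]

# Constructed SSL VPN sessions: which VIP each authenticated user received.
SESSIONS = {"10.10.10.2": "CLIENT1", "10.10.10.3": "CLIENT2"}


def evaluate(with_auth_policy: bool) -> dict:
    """Evaluate three constructed flows with or without the Second Step
    authentication policy and return {flow label: (policy name, action)}."""
    fw = Firewall(POLICIES, vpn_sessions=SESSIONS)
    if with_auth_policy:
        fw.auth_policies.append(AuthPolicy(src=str(SSL_VPN_POOL)))
    flows = {
        "client1->lan": Flow("10.10.10.2", "192.169.1.50"),
        "client2->server": Flow("10.10.10.3", "192.169.1.2"),
        "client2->lan": Flow("10.10.10.3", "192.169.1.50"),
    }
    return {label: fw.match(f) for label, f in flows.items()}


if __name__ == "__main__":
    print("First Step only:", evaluate(False))    # every flow falls to the default deny
    print("With auth policy:", evaluate(True))    # user policies now match as intended
```

With only the First Step configured, all three flows fall through to the default deny because no username is attached to the source address, which is exactly the symptom in the Issue Description. Once the authentication policy covers the VPN pool, client1 reaches the LAN host, client2 reaches only 192.169.1.2, and client2's attempt at another LAN host is still denied.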

Verification that the configuration is working:

a. Verify that the hit counter of the security policy increases

b. Run "display firewall session verbose"; the Username appears in the result

END