topic Identity Awareness with AD not possible in Spark Firewall (SMB)

Identity Awareness with AD not possible

G_W_Albrecht — Tue, 25 Mar 2025 10:05:28 GMT

Customer uses VPN with the GAiA cluster of the main site as center and SMB appliances (locally & SMP managed) on remote sites. As the SMBs also need to connect by VPN to a FortiGate, their external IPs have been removed from Encryption Domain using the Advanced Settings. This configuration was build with help of CP TAC and works as expected.

But now the customer wants to use IA for his users with an AD server at the main site - but IA packets use the external IP of the SMB and are not routed thru VPN to the main site, making the needed communication impossible.

Did anyone already encounter such an obstacle and found a way to resolve it ?

Re: Identity Awareness with AD not possible

Chris_Atkinson — Tue, 25 Mar 2025 11:33:10 GMT

I recall another option in Advanced Settings that caters to similar.

Will share a screenshot accordingly, but applicability to central managed devices would need to be checked/confirmed with TAC perhaps.

"VPN site to site global settings - Use internal IP address for encrypted connections from local gateway."

Re: Identity Awareness with AD not possible

G_W_Albrecht — Tue, 25 Mar 2025 11:49:49 GMT

This is locally managed and VPN site to site global settings are already used as advised by TAC:

"Do not encrypt connections originating from the local gateway" in VPN->Community resolved the Forti VPN issue and does disable "Use internal IP address for encrypted connections from local gateway" = TRUE automatically, so the ping from WebGUI thru the VPN tunnel does not work, only from CLI using ping -I <Local Address> it succeeds.

Re: Identity Awareness with AD not possible

AkosBakos — Tue, 25 Mar 2025 13:54:30 GMT

Hi @G_W_Albrecht

Re: Identity Awareness with AD not possible

G_W_Albrecht — Tue, 25 Mar 2025 14:12:14 GMT

Thank you, forgot about that sk ! But it can not work - as written above, customer has SMB appliances (locally & SMP managed), so changing the SMS database does not help as the SMS only manages the main GAiA GW, but not the SMBs.

Re: Identity Awareness with AD not possible

AkosBakos — Tue, 25 Mar 2025 14:22:52 GMT

Indeed, I always forget that, you have always tricky and detailed questions... and SMB-s 🙂

Re: Identity Awareness with AD not possible

G_W_Albrecht — Tue, 25 Mar 2025 15:42:41 GMT

Remember - this is the SMB Gateways (Spark) board 😉 With GAiA this would be no issue at all as you could use the Encryption Domain per VPN Community feature and define different Communities for VPNs to CP and Forti. But that is impossible <yet with SMBs...

Re: Identity Awareness with AD not possible

Dafna — Wed, 26 Mar 2025 11:58:35 GMT

Hi,

Can you please attach the topology?

Why did you exclude the external IP?

Re: Identity Awareness with AD not possible

G_W_Albrecht — Wed, 26 Mar 2025 12:45:47 GMT

Customer has ca 73 SMBs locally Managed by SMP that each have a tunnel to a Fortigate (that is the reason why the external IP must be excluded (can send you a PM with SR# - this was configured by TAC)) and to the main Site GAiA cluster who sits in front of the AD.