evejar
Staff
August 31, 2016

Technical Tip: Identity-based-route


Description

 

Sometimes routes have to be chosen on the basis of user identity: for example, the president of a company must reach the Internet through a particular ISP, or a specific group should use a limited link for its Internet access.

 

This scenario applies equally to local users, remote users, and FSSO users.

 



Scope

 

This article describes a basic configuration for creating an identity-based route.

Firmware: FortiOS 5.2.


Solution

 

First, create the user groups that the identity-based route will reference.

Then create an identity-based route object that ties each group to a specific gateway and outgoing interface:

 

config firewall identity-based-route
    edit "Prueba"
        set comments "KBNOW"
        config rule
            edit 1
                set gateway 192.168.157.1
                set device "wan2"        -----------> Outgoing interface on which the gateway is reachable.
                set groups "Identidad"   -----------> Groups that will use this rule.
            next
        end
    next
end

 

Next, reference that identity-based route from the identity-based firewall policy that authenticates those users:

 

config firewall policy
    edit 1  -------------> Policy ID; it will differ on your unit.
        set name "Authentication Based Routing"
        set uuid ed855e70-0c7e-51e6-906b-7c1f188040e5
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "PruebaCaso" -------------> 'always' or a specific schedule for these users.
        set service "ALL"
        set logtraffic all
        set groups "Identidad"   -----------> Groups that will use this policy.
        set identity-based-route "Prueba" -----------> The identity-based route defined above.
        set nat enable
    next
    edit 5 -------------> Policy ID; it will differ on your unit.
        set name "Salida NORMAL"
        set uuid 7c3f9384-5d8c-51e6-0457-548cc55dc461
        set srcintf "internal4"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SinID"  -----------> Other users: no identity-based route, normal exit via internal2.
    next
end

 

If using FSSO, enable it in each policy:

 

set fsso enable 

 

Once this is in place, users who authenticate as members of the group are routed through the gateway in the identity-based route, while users who authenticate against the other policy keep the normal exit. Because the route is bound to the authenticated identity, it takes effect only after the user has authenticated: traffic from a host whose user has not yet authenticated, or who belongs to another group, is not sent to that gateway. To confirm which user and group a session matched, use 'diagnose firewall auth list'.
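As an added example (not code from the article or from Fortinet), the Python script below parses a constructed FortiOS-style CLI dump containing the three pieces the procedure above needs (the user groups, the identity-based route, and the policy that references it) and reports the inconsistencies that leave traffic on the wrong link: a route rule naming a group that does not exist, a policy referencing a route that does not exist, a policy whose groups never overlap the rule's groups, a policy whose dstintf does not include the rule's device (the article keeps both on wan2), and a route that no policy references. The user names, the second "mismatched" dump, and the parser itself are assumptions for illustration; this is not a FortiOS tool.

```python
"""Added example, not the article's code: check a FortiOS 5.2-style dump for identity-based-route mistakes."""
import shlex

# Constructed sample; "presidente" and "guest" are assumed local user names.
SAMPLE_CONFIG = """\
config user group
    edit "Identidad"
        set member "presidente"
    next
    edit "SinID"
        set member "guest"
    next
end
config firewall identity-based-route
    edit "Prueba"
        config rule
            edit 1
                set gateway 192.168.157.1
                set device "wan2"
                set groups "Identidad"
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set groups "Identidad"
        set identity-based-route "Prueba"
        set nat enable
    next
end
"""
# Same dump, but the policy matches "SinID" while the rule only lists "Identidad".
MISMATCHED_CONFIG = SAMPLE_CONFIG.replace(
    'set groups "Identidad"\n        set identity-based-route',
    'set groups "SinID"\n        set identity-based-route')

def parse_fortios(text):
    """Nest config/edit blocks into dicts; `set` values become token lists."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw == "config":
            node = (stack[-1] if stack else root).setdefault(rest, {})
            stack.append(node)
        elif kw == "edit":
            node = stack[-1].setdefault(rest.strip('"'), {})
            stack.append(node)
        elif kw == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = shlex.split(value)
        elif kw in ("next", "end"):
            stack.pop()
    return root

def check_identity_routes(cfg):
    """Return findings as strings; an empty list means the setup is consistent."""
    findings = []
    groups = cfg.get("user group", {})
    routes = cfg.get("firewall identity-based-route", {})
    policies = cfg.get("firewall policy", {})
    for rname, route in routes.items():          # step 1: the groups must exist first
        for rid, rule in route.get("rule", {}).items():
            for g in rule.get("groups", []):
                if g not in groups:
                    findings.append(f"route {rname} rule {rid}: group {g!r} is not defined")
    referenced = set()
    for pid, pol in policies.items():            # step 3: the policy must agree with the route
        ref = pol.get("identity-based-route")
        if not ref:
            continue  # ordinary policy, no identity-based routing involved
        rname = ref[0]
        referenced.add(rname)
        if rname not in routes:
            findings.append(f"policy {pid}: identity-based-route {rname!r} does not exist")
            continue
        rules = routes[rname].get("rule", {}).values()
        rule_groups = {g for r in rules for g in r.get("groups", [])}
        devices = {d for r in rules for d in r.get("device", [])}
        pol_groups = set(pol.get("groups", []))
        if not pol_groups:
            findings.append(f"policy {pid}: uses route {rname!r} but sets no groups")
        elif not pol_groups & rule_groups:
            findings.append(f"policy {pid}: groups {sorted(pol_groups)} never match route {rname!r} rules {sorted(rule_groups)}")
        dstintf = set(pol.get("dstintf", []))
        if "any" not in dstintf and not devices <= dstintf:
            findings.append(f"policy {pid}: dstintf {sorted(dstintf)} does not cover route device {sorted(devices)}")
    for rname in routes:
        if rname not in referenced:
            findings.append(f"route {rname!r} is never referenced by a policy")
    return findings

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("mismatched", MISMATCHED_CONFIG)):
        print(label, "->", check_identity_routes(parse_fortios(text)) or ["ok"])
```

Run against a real dump (`show firewall identity-based-route`, `show firewall policy`, `show user group` pasted into one file), the first finding to look for is the group mismatch: a policy that authenticates one group while the route rule lists another passes traffic but never applies the route, which is the usual cause of "the user authenticated but still went out the default link".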

 
