Jaures
New Member
March 10, 2015
Solved

Allow all LAN users access to some websites prior to user identity policies

  • March 10, 2015
  • 2 replies
  • 4567 views

Hello all,

I have to implement policies on a FortiGate 200D (running version 5.2.2).

First, I need to allow all LAN users access to some websites they need for work.

Some of the websites are specific (www.google.com), some of them use a wildcard (i.e. *.fortinet.com).

I created a policy LAN ---> WAN1, source: all, destination: FQDN of the websites, allow all services.

This policy is the first in my policy list, from LAN to WAN1.

Then I created user identity policies with user groups defined in SSO authentication, with the required web access restrictions.

However, I do not get any hit counts on my first policy, the one allowing all LAN users to specific web destinations.

I know you cannot create an FQDN address object with a wildcard address.

Maybe there is a better way to implement my requirements.

Any help on this please?

Thanks

Jaures.

    Best answer by Dave_Hall

    2 replies

Dave_Hall (Answer)
New Member
March 10, 2015

Hi Jaures.

Traditionally, you would place the more "broader" firewall rules near the bottom of the firewall chain with the concise ones (like identity policies) near the top. In your case you would want to simply create a standard web filter (and UTM feature set) and place it below the last Firewall rule covering web traffic and [strike]before[/strike] after your last identity policy.

The online 5.2 Handbook perfectly illustrates the setup you are looking for.

If your "general" web access firewall rule still does not work, confirm you have NAT enabled, firewall labels have correct subnet mask, correct firewall objects usage (address vs FQDN).
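As an added illustration, not part of the thread and not Fortinet code, the following Python models first-match policy evaluation for the two orderings discussed in this answer: the source-"all" policy for the work sites placed above the identity policies, versus below them. The policy names, the SSO group "staff", the sample destinations and the traffic list are all constructed. The model also matches wildcard FQDNs, which goes beyond the thread (Jaures notes the device does not accept a wildcard FQDN address object); that part is there only to make the destination set readable.

```python
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Constructed model of a FortiGate-style LAN -> WAN1 policy list.
# Policies are evaluated top-down and the first match decides; a policy
# below a matching one is never consulted, and a connection that matches
# nothing falls through to the implicit deny. Hit counts are kept per
# policy, as in the thread.


@dataclass
class Policy:
    name: str
    dst_fqdns: Optional[Set[str]]   # None = any destination
    groups: Optional[Set[str]]      # None = no identity requirement (all LAN users)
    action: str                     # "accept" or "deny"
    hits: int = 0


def fqdn_match(pattern: str, host: str) -> bool:
    """Exact FQDNs match exactly; a '*.' prefix matches any subdomain.
    Wildcard matching belongs to this model only (assumption), not to the
    5.2 address objects the thread talks about."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".fortinet.com"
    return host == pattern


def evaluate(policies: List[Policy], host: str, user_groups: Set[str]) -> Tuple[str, str]:
    """Return (action, policy name) for one connection; first match wins."""
    for p in policies:
        if p.dst_fqdns is not None and not any(fqdn_match(f, host) for f in p.dst_fqdns):
            continue
        if p.groups is not None and not (p.groups & user_groups):
            continue
        p.hits += 1
        return p.action, p.name
    return "deny", "implicit-deny"


def build_policies(general_first: bool) -> List[Policy]:
    # The "general" policy from the question: all LAN users (source: all)
    # to the work sites, any service.
    general = Policy("general-web-sites", {"www.google.com", "*.fortinet.com"}, None, "accept")
    # A constructed identity policy: SSO group "staff", any web destination.
    # This is the policy the web filter / UTM restrictions would hang off.
    identity = Policy("identity-staff", None, {"staff"}, "accept")
    return [general, identity] if general_first else [identity, general]


# Constructed traffic: (destination host, SSO groups of the user; empty = not authenticated)
TRAFFIC = [
    ("www.google.com", {"staff"}),
    ("support.fortinet.com", set()),
    ("www.example.org", set()),
    ("www.example.org", {"staff"}),
]


def simulate(general_first: bool):
    """Run the sample traffic through one ordering; return decisions and hit counts."""
    policies = build_policies(general_first)
    decisions = [evaluate(policies, host, groups) for host, groups in TRAFFIC]
    return decisions, {p.name: p.hits for p in policies}


if __name__ == "__main__":
    for general_first in (True, False):
        decisions, hits = simulate(general_first)
        print("general policy on top:" if general_first else "identity policies on top:")
        for (host, groups), (action, name) in zip(TRAFFIC, decisions):
            print(f"  {host:22} groups={sorted(groups) or '-'} -> {action} via {name}")
        print("  hits:", hits)
```

With the general policy on top, the staff user's request to www.google.com is decided by the source-"all" policy, so whatever restrictions are attached to the identity policy never apply to that request. With the identity policies on top, the same request is decided by the identity policy, and the general policy only catches users who hold no group, which is the fall-through ordering described in this answer. Comparing the two hit-count dictionaries is a quick way to check, in the model, that the broad rule is not shadowing the specific ones.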


Jaures (Author)
New Member
March 13, 2015

    Hello Dave,

Thank you for the reply. It was helpful, as I was putting the "general" web access firewall policy at the top of the list. I moved it down the list, and it looks fine now.

    Regards,

    Jaures.