Contributor
June 14, 2010
Question

blocking internet for a user or group

  • June 14, 2010
  • 3 replies
  • 11931 views
I have a user here whose internet access I'd like to block completely. I see where I can block and filter specific sites, but I don't see how I can block access for one specific user. I have a Fortigate 60B and my current Firewall Policy is set to allow "all" on the inside to access "all" on the outside using the web filter policy I've set up. The web filter I set up uses mostly the default Fortinet blocks as well as the facebook, myspace, and web based email blocks I've set up. In a perfect world I'd really like to allow this user access to only certain sites and block all else, but I think that may be outside the capabilities of the 60B that I have. Thanks for all input!

    3 replies

    abelio
    SuperUser
    June 14, 2010
    Hello and welcome,
    I have a user here who I'd like to block their internet access completely. I see where I can block and filter specific sites, but I don't see how I can block access to one specific user.
    Ok, how do you identify that user univocally in your network?
    In a perfect world I'd really like to allow this user only access to certain sites and block all else,
    Ok, your perfect world is a few commands ahead.
    but I think that may be outside the capabilities of the 60B that I have.
    Not at all; you need a way to identify users with no ambiguity and apply appropriate policies. Did you implement one in your network?
    Contributor
    June 17, 2010
    abelio, thanks for the reply. Our network is using Active Directory, so all users are identified by a unique username. I'm not that good with firewall setups, but I'll add that our VPN users are enabled/disabled through their AD account and the Fortigate is using what I think is a RADIUS service to authenticate the VPN users.
    abelio
    SuperUser
    June 21, 2010
    Thanks for the reply. Our network is using Active Directory, so all users are identified by a unique username.
    You're welcome; ok, then FSAE is the easier way to go; check the following links to get a picture:
    http://docs.fortinet.com/fgt/archives/3.0/techdocs/FSAE_Administration_Guide_01-30007-0373-20080718.pdf
    http://docs.fortinet.com/ifos.html
    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30081
    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31819
    I'm not that good with firewall setups, but I'll add that our VPN users are enabled/disabled through their AD account and the Fortigate is using what I think is a RADIUS service to authenticate the VPN users.
    Maybe you've a back integration between your RADIUS and your AD to do that; if that's working properly you could also use it to authenticate firewall policies. But if you choose FSAE, you could also use it for VPNs. Check http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31873
    Regards
    SECCON1MC
    New Member
    June 15, 2010
    Well said Able. There are a few methods which can be used to identify a user when working with a FortiGate (to create an Identity Based Policy):
    - FSAE = the most loved and hated method; will send the FortiGate user info as they are logging into the WIN AD or Novell Directory.
    - Authentication Web Interface = simplest to implement; asks a user for a username and password before they are allowed to send data through a policy. This can then be linked into accounts (groups) on a RADIUS server, firewall, etc.
    - NTLM = haven't spent much time using this, but it allows for NTLM packets to be used as part of authentication.
    So the first question is: how are you identifying users? ~Matt
    Contributor
    June 21, 2010
    I want to also block internet to a group of PCs by subnet. I still want them to be able to access only certain sites. I've placed certain PCs into a specific VLAN/subnet to have a quick way of seeing if a PC is in this "no internet" VLAN. Is there a policy I can set up for this way of internet blocking/allowing certain sites? TIA.