FortiGate user identity policy
Hello,
I have a FortiGate 3600C which I connect to my AD, and I am trying to configure a user rule.
See details:
My 3600c version: Version: FortiGate-3600C v5.0,build7746,150114 (GA)
My FortiGate can see the AD and works fine with it (I can see the users).
To configure the user policy I configured:
1. My goal is to block user "testf" and only him. To do so I configured a policy whose src/dst IP is "any".
2. In the sub-policy I took the group "FSSO-Blocked-Users", of which user "testf" is a member; the dst address is "all" and the action is Deny.
3. I also have the default deny sub-policy, and I also marked "skip this policy for unauthenticated user".
When I unmarked "skip this policy for unauthenticated user" I lost internet connectivity for all users.
When I marked "skip this policy for unauthenticated user" my private user worked, but "testf" also worked and wasn't blocked.
I don't know what I am missing.
See the CLI configuration:
config firewall policy
    edit 112
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set action accept
        set status disable
        set fsso enable
        set fall-through-unauthenticated enable
        set global-label "Test"
        set replacemsg-override-group "auth-policy-112"
        set identity-based enable
        config identity-based-policy
            edit 2
                set schedule "always"
                set logtraffic all
                set groups "FSSO-Blocked-Users"
                set dstaddr "all"
                set service "ALL"
                set action deny
            next
        end
    next
end
Regards
Rafi
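As an added illustration, not part of Rafi's post or any Fortinet documentation, below is a FortiOS 5.0 style identity-based policy built from the same commands that appear in the posted configuration. It shows how the sub-policies are meant to work together: the policy itself is enabled (the posted one carries "set status disable", so it is not evaluated at all), the deny sub-policy for "FSSO-Blocked-Users" comes first, a second sub-policy accepts a general FSSO group, and "fall-through-unauthenticated enable" lets hosts with no FSSO logon mapping fall through to the later policies instead of hitting the implicit deny. The group name "FSSO-Allowed-Users", the policy ID 113 and the interface names are assumed values for the example only.

```text
config firewall policy
    edit 113
        set srcintf "internal"        # assumed LAN interface
        set dstintf "wan1"            # assumed internet interface
        set srcaddr "all"
        set action accept
        set status enable             # the policy only takes effect when enabled
        set fsso enable
        set fall-through-unauthenticated enable
        set identity-based enable
        config identity-based-policy
            # Sub-policies are evaluated in order; the first match wins.
            edit 1
                set schedule "always"
                set logtraffic all
                set groups "FSSO-Blocked-Users"   # contains user testf
                set dstaddr "all"
                set service "ALL"
                set action deny
            next
            edit 2
                set schedule "always"
                set logtraffic all
                set groups "FSSO-Allowed-Users"   # assumed group for everyone else
                set dstaddr "all"
                set service "ALL"
                set action accept
            next
        end
    next
end
```

The deny entry only matches traffic whose source IP the FSSO agent has mapped to a member of "FSSO-Blocked-Users", so the FSSO logon list (for example in "diagnose debug authd fsso list") is the first thing to check when a user who should be blocked is still allowed; with logtraffic set on both sub-policies, the forward traffic log shows which sub-policy each session matched.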
