Infrarium
New Member
April 26, 2022
Solved

Managing users internet access problem (PROFILE BASED)

  • April 26, 2022
  • 1 reply
  • 5368 views

Hello everyone,

 

Where I work we have a Fortigate 400E unit, and I have some doubts about how to manage internet access for some of the users. We are using the profile-based mode:

 

Here's the scenario:

The Sales department has a firewall rule "Sales department internet access".

The Marketing department has a firewall rule "Marketing department internet access".

General managers have another firewall rule for them as well.

 

Those internet access rules have different levels of access. For instance, general managers can access more websites than the sales or marketing departments.

 

So far this is working, no issues at all. But sometimes a user from the marketing or sales department gets assigned a task that, in order to get it done, requires access to certain websites that are not allowed in the original policy.

 

So, I need to give that user (and only that user) permission to access the new websites he needs, but I don't want to give that access to the whole sales or marketing department (this is required by the cybersecurity analyst as well).

 

Do I need to create a new policy that adds the original department permissions plus the new permissions? This seems very inefficient, because if that's the case I would have to create tons of internet access rules, since this happens more often than not.

 

Additional information: apart from profile-based mode on the firewall, we are using Windows Active Directory SSO, so all of the rules use Windows security group membership as one of the requirements.

 

Thanks in advance!

Best answer by seshuganesh

Hi Team,

 

You can set web profile override for 360 days.

You cannot define more than that. I will keep you posted if there is any other way.

1 reply

seshuganesh
Staff
April 27, 2022

Hi Team,

 

As per your requirement you can configure web profile override and grant permission to a specific user, user group, or IP.

You can use this article for the same:

https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/408599/web-profile-override

Please check and keep us posted.

Infrarium (Author)
New Member
April 27, 2022

Thanks for the fast reply.

 

I was not aware of this feature. I'm checking it now, but the only drawback that I see is that it requires setting an expiry date. In my case, some of the new permissions I need to grant should be granted indefinitely. Maybe there's another way of setting up rules to achieve what I want.

Debbie_FTNT
Staff & Editor
April 28, 2022

Hey Infrarium,

Do users have different requirements to access specific websites?

If your users in question all just need to visit the same websites, you could perhaps add another FSSO group, make the users members of a specific override group in AD as necessary, and just have a policy with that group that only those specific users would match.

The users can be members of multiple FSSO groups, and the regular policies would still apply for any traffic but those specific websites.

However, if you have wildly different requirements for different users, this would not scale well.
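An illustration of the FSSO override-group approach described in the last reply, written here as an added example and not taken from the thread or from Fortinet documentation. It assumes interface names `internal` and `wan1`, an AD group `WEB-OVERRIDE` under `OU=Groups,DC=example,DC=com`, an existing department policy with ID 10, and a web filter profile named `WF_Override_Extra_Sites`; the extra site `portal.example.com` is a constructed placeholder.

```text
# FSSO group mapped to the AD override group. Users stay in their
# department AD group as well, so their normal policy keeps matching.
config user group
    edit "FSSO_Web_Override"
        set group-type fsso-service
        set member "CN=WEB-OVERRIDE,OU=Groups,DC=example,DC=com"
    next
end

# FQDN address object for the extra site(s) the task requires.
# Keeping the destination narrow is what makes the override policy
# apply only to those websites and nothing else.
config firewall address
    edit "Override-Sites"
        set type fqdn
        set fqdn "portal.example.com"
    next
end

# Override policy: only override-group members AND only the listed
# destinations. Everything else falls through to the department policy.
config firewall policy
    edit 20
        set name "Web override - specific users"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Override-Sites"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "FSSO_Web_Override"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WF_Override_Extra_Sites"
        set logtraffic all
        set nat enable
    next
    # Policies match top-down, first match wins: the override policy
    # must sit above the department policy (assumed ID 10) or it is
    # never reached for users who also match the department rule.
    move 20 before 10
end
```

Removing a user from the AD group withdraws the access on the next FSSO logon event, so no expiry date is needed, and `logtraffic all` gives the security analyst a per-user audit trail of which override destinations were actually used.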