fred339
Explorer III
October 13, 2022
Question

Setting up firewall policy with Source: [Users]

  • October 13, 2022
  • 7 replies
  • 8932 views

Fortigate 80_F 6.4.10

I'm trying to set up a Firewall Policy that will apply only to certain users in order to ALLOW certain URLs listed in a WEB profile with a Static URL Filter.

So, in the particular Web Profile I've put usernames as Source entries.

I'm getting:

"One address, address group, external resource or internet service is required"

Yet, the interface seems to allow putting the names in there.

???

7 replies

scan888
New Member
October 13, 2022

Could you please post a printscreen of the error message?

Thanks.

gfleming
Staff
October 13, 2022

Sounds like you are missing a destination address and destination service. If you are using a URL filter you can just use "All" as your destination address and tcp 80/443 for service. The URL filter will restrict what web sites can be visited.

fred339
fred339Author
Explorer III
October 13, 2022

[Attachments: Fortigate Users Pink.png, Fortigate Buyer Firewall Policy Pink.png]

I had meant to include these. The first one shows the message that comes up in red.

scan888
New Member
October 13, 2022

Hello


Add the Source Subnet Object to the Source Attribute as well. Or use the "all"-Object for testing.

You need an address, FQDN Object always, the user object is on top.


I hope you are able to solve your issue with this hint.
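The policy shape the replies describe, written out as an added example in FortiOS 6.4-style CLI (not from this thread or from Fortinet's own documentation): a static URL filter with an allow entry, a web filter profile that uses it, an FSSO user group, and a firewall policy that carries both an address object and the user group. Interface names, the group DN, the policy and profile names and the URL are assumed placeholders.

```fortios
# Static URL filter table with an explicit allow entry (constructed URL).
config webfilter urlfilter
    edit 1
        set name "buyer-allow-list"
        config entries
            edit 1
                set url "supplier.example.com"   # constructed
                set type simple
                set action allow                 # allow, not the default block
            next
        end
    next
end

# Web filter profile that points at the table above.
config webfilter profile
    edit "buyer-web"
        config web
            set urlfilter-table 1
        end
    next
end

# FSSO group: FortiGate learns logons for this AD group via the collector.
config user group
    edit "AD-Buyers"
        set group-type fsso-service
        set member "CN=Buyers,OU=Groups,DC=example,DC=com"   # placeholder DN
    next
end

# Policy: srcaddr is mandatory; groups narrows it further. Traffic matches only
# if its source IP is in srcaddr AND has a current FSSO logon in AD-Buyers.
# Leaving srcaddr empty is what the red "One address ... is required" text is about.
config firewall policy
    edit 0
        set name "buyers-allowed-sites"
        set srcintf "internal"                   # assumed
        set dstintf "wan1"                       # assumed
        set srcaddr "all"                        # or the LAN subnet object
        set groups "AD-Buyers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"   # default profile name
        set webfilter-profile "buyer-web"
        set nat enable
    next
end
```

The group only matches users whose logon the FortiGate has actually learned from a working FSSO collector connection; with no logon known for a source IP, the address object alone does not make the policy apply.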

fred339
fred339Author
Explorer III
October 13, 2022

"The URL filter will restrict what web sites can be visited."

I thought the idea was to add ALLOW and not BLOCK - which is the default overall.  So, expand, not restrict.


"Add the Source Subnet Object to the Source Attribute as well" 

That seems to do the trick (I used *all*).  I could be more specific and add the subnet ranges but that should amount to the same thing.  Then how do usernames not just get overridden??

gfleming
Staff
October 13, 2022

For this you can use FQDN address objects or ISDB entries.

fred339
fred339Author
Explorer III
October 13, 2022

Is there a reason why domain usernames don't work by themselves?  They should be connected OK.

Or, should I be concerned that the link between the Fortigate and AD is broken to cause that?

Contributor
October 14, 2022

Hi @fred339,


The basic thing is, the FSSO connection must be working so the FGT can have visibility of the user logon on the AD server.

This FSSO basically reads the logon user. Once the FGT grabs this information from the AD server, you can manage the user on the IPv4 Policy.


fred339
fred339Author
Explorer III
October 17, 2022

Thank you all.
@gfleming: Thank you! I appear to have it working. So that's good. I wouldn't have thought about the address entry.

I still have questions related to the responses I've received here. Still learning.

@haiqal:
What does IPv4DoS Policy have to do with anything in this question?  Or were you referring to something else?

@scan888: 
"You need an address, FQDN Object always, the user object is on top."
When I enter Sources and add an FQDN address group, it always shows up *below* the FQDN usernames group.  Is this in conflict?