Nicola_Papapicco
New Member
November 27, 2014
Question

Using FSSO groups in policy to limit internet access


Hello,

I want to permit internet access to restricted groups of Active Directory users. I have the collector agent on my domain controller and I am able to monitor FSSO logon users from my FortiGate 90D. I want one group of AD users to have full access to the internet, another group to have full access during working hours, and another group to have full access only to some protocols (i.e. HTTPS, SMTP, POP ...). I created an identity-based policy for each group, but when I enable these policies and disable the policy that permits all to all, nobody can access the internet, even AD users with a permit in their policy.

Is there a step-by-step guide to configure this scenario with various groups of AD users enabled for various protocols and time schedules to access the web?

Maybe my mistake was attempting to map one-to-one the policies from the previous firewall, MS ISA Server.

Thank you

nick
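As an added example (not from the original thread, and not Fortinet's own documentation), here is how the per-group scenario could be expressed in FortiOS 5.2-style CLI; the group DNs, interface names, schedule and policy IDs are placeholders, and it assumes FSSO logon events already reach the FortiGate. A user who is absent from the FortiGate's FSSO logon list matches none of the group policies and falls through to the implicit deny, which is the "nobody can access the internet" symptom to check first.

```text
# Added example, FortiOS 5.2-style syntax; all names, DNs and interfaces are placeholders.
# FSSO groups: each FortiGate group maps to one AD group DN learned via the collector agent
config user group
    edit "AD_Internet_Full"
        set group-type fsso-service
        set member "CN=Internet_Full,OU=Groups,DC=example,DC=local"
    next
    edit "AD_Internet_Mail_WorkHours"
        set group-type fsso-service
        set member "CN=Internet_Mail,OU=Groups,DC=example,DC=local"
    next
end
# Recurring schedule for the "working hours only" group
config firewall schedule recurring
    edit "working_hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end
# One policy per group; the group, schedule and service set are what differ.
# Nothing matches unauthenticated users, so they hit the implicit deny at the end.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "AD_Internet_Full"
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "working_hours"
        set service "HTTPS" "SMTP" "POP3"
        set groups "AD_Internet_Mail_WorkHours"
        set nat enable
    next
end
# Before blaming the policies, confirm the FortiGate actually knows who is logged on:
#   diagnose debug authd fsso list
# A workstation missing from that list will be denied regardless of the policies above.
```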

    dbarroco
    New Member
    November 29, 2014

    Hi,

    I have not been able to fully implement this feature, because it works for some time and then I lose access, but that's another story (I'm not using the agent on the DC, just polling)... I say if you go to your FG Log -> Events -> Users you should see activity there (don't forget to enable user activity logging in the logging settings) regarding which user logged on to what station. You might get your users blocked if this info does not reach the FG.

    http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Authentication/FSSO-IBP.html

    Let me know if you manage to get this working. On a different scenario with a Server 2012 R2 DC, with agent or not, this info does not come into the FG, hence I get the same problem as you.

    Nicola_Papapicco
    New Member
    December 11, 2014

    Hi dbarroco,

    I never was able to get the collector agent on the domain controllers working to authenticate domain users in any policy to let them access the internet. I am using polling from the FortiGate (local FSSO agent) with the same issue. After a while users lose their internet connection; then, after restarting the PC, they can connect to the internet again.

    I cannot figure out what the problem could be. Fortinet support guys told me they recommend using the collector agent on the domain controllers, but I was not able to configure it to work in a policy.

    Is there anyone who was successful in configuring FSSO with the collector agent to authenticate users to access the internet?

    Fullmoon
    New Member
    December 12, 2014

    Nicola Papapicco wrote:

    Hi dbarroco,

    Is there anyone who was successful in configuring FSSO with the collector agent to authenticate users to access the internet?

    I had a similar implementation using the link below. Please take a look, it can help you further.

    https://www.youtube.com/watch?v=BfMyWBAosK0

    You may try to watch these videos as well.