FortiGate
evejar (Staff)
Article Id 190482

Description

 

This article describes how to create routes based on user identity. For example, the president of a company may need to reach the Internet through a particular ISP, or a specific group of users may need to be sent over a limited link for Internet access.

 

This scenario can be applied to local users, remote users, and FSSO users.

 



Scope

 

This article describes a basic configuration for creating an identity-based route.

FortiOS 5.2.


Solution

 

First, create the user groups that the identity-based route will reference.

Then create an identity-based route that ties those groups to a specific gateway and egress interface:

 

config firewall identity-based-route
    edit "Prueba"
        set comments "KBNOW"
        config rule
            edit 1
                set gateway 192.168.157.1
                set device "wan2"
                set groups "Identidad"  -----------> Groups that will use this route.
            next
        end
    next
end

 

Next, reference the identity-based route from the user identity-based firewall policy. The policy's groups must include the groups used in the route's rules, and its destination interface should be the device set in the route:

 

config firewall policy
    edit 1  -------------> Policy IDs are assigned per unit; yours will probably differ.
        set name "Authentication Based Routing"
        set uuid ed855e70-0c7e-51e6-906b-7c1f188040e5
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "PruebaCaso"  -------------> Use 'always' or a specific schedule for these users.
        set service "ALL"
        set logtraffic all
        set groups "Identidad"  -----------> Groups that will use this policy.
        set identity-based-route "Prueba"  -----------> The identity-based route created above.
        set nat enable
    next
    edit 5  -------------> Policy IDs are assigned per unit; yours will probably differ.
        set name "Salida NORMAL"
        set uuid 7c3f9384-5d8c-51e6-0457-548cc55dc461
        set srcintf "internal4"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SinID"  -----------> Other users, routed normally.
    next
end

 

If the groups are FSSO groups, also enable FSSO in each of these policies:

 

set fsso enable 

 

Once this is in place, authenticated users in the "Identidad" group have their traffic sent to gateway 192.168.157.1 via wan2, while other users keep the normal route. Policies are evaluated top-down, so make sure the identity-based policy sits above any broader policy that would also match the same source traffic; otherwise the identity-based route is never applied.
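As an added example (not part of this article and not Fortinet code), the following Python script parses the CLI blocks shown above and cross-checks each firewall policy against the identity-based route it references: the route must exist, at least one of the policy's groups must appear in the route's rules, and the route's device should match the policy's dstintf. The embedded SAMPLE_CONFIG is constructed from this article; the device/dstintf match is an assumption used as a sanity rule, not a documented FortiOS requirement.

```python
"""Consistency check: FortiOS identity-based routes vs. the policies that use them.

Added example (not Fortinet code). Parses the 'config / edit / set / next / end'
CLI syntax and flags policies whose identity-based-route reference is missing,
shares no user group with the route's rules, or egresses a different interface
than the route's device. SAMPLE_CONFIG is constructed from the article.
"""
import shlex

SAMPLE_CONFIG = """
config firewall identity-based-route
    edit "Prueba"
        config rule
            edit 1
                set gateway 192.168.157.1
                set device "wan2"
                set groups "Identidad"
            next
        end
    next
end
config firewall policy
    edit 1
        set name "Authentication Based Routing"
        set srcintf "internal4"
        set dstintf "wan2"
        set action accept
        set schedule "PruebaCaso"
        set groups "Identidad"
        set identity-based-route "Prueba"
        set nat enable
    next
    edit 5
        set name "Salida NORMAL"
        set srcintf "internal4"
        set dstintf "internal2"
        set action accept
        set schedule "always"
        set groups "SinID"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' opens a table, 'edit <key>' opens an entry inside it,
    'set <attr> <values...>' stores the values as a list, and 'next'/'end'
    close the entry/table, e.g. {"firewall policy": {"1": {"dstintf": ["wan2"]}}}.
    """
    root = {}
    stack = [root]  # innermost dict currently being filled
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours the double-quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_identity_routes(cfg):
    """Return a list of findings; an empty list means routes and policies agree."""
    findings = []
    routes = cfg.get("firewall identity-based-route", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        ref = pol.get("identity-based-route")
        if not ref:
            continue  # ordinary policy, nothing to cross-check
        route = routes.get(ref[0])
        if route is None:
            findings.append(f"policy {pid}: identity-based-route '{ref[0]}' is not defined")
            continue
        pol_groups = set(pol.get("groups", []))
        if not pol_groups:
            findings.append(f"policy {pid}: uses route '{ref[0]}' but has no groups, so no user matches")
            continue
        for rid, rule in route.get("rule", {}).items():
            if not (set(rule.get("groups", [])) & pol_groups):
                findings.append(f"policy {pid}: route '{ref[0]}' rule {rid} groups never match "
                                f"the policy groups {sorted(pol_groups)}")
            # Assumption (sanity rule, not a documented FortiOS requirement): the rule's
            # egress device should equal the policy's dstintf.
            if rule.get("device") != pol.get("dstintf"):
                findings.append(f"policy {pid}: route '{ref[0]}' rule {rid} device "
                                f"{rule.get('device')} differs from dstintf {pol.get('dstintf')}")
    return findings


if __name__ == "__main__":
    problems = check_identity_routes(parse_fortios(SAMPLE_CONFIG))
    print("\n".join(problems) or "identity-based route and policies are consistent")
```

Feed the script the output of `show firewall identity-based-route` and `show firewall policy` from the unit to check a live configuration; any line it prints names the policy ID and the mismatch to fix.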

 
