Hello all,
I have to implement policies on a Fortigate 200D (running version 5.2.2).
First, I need to allow all Lan users access to some websites they need for work.
Some of the websites are specific (www.google.com), some of them use wildcard (ie *.fortinet.com).
I created a policy LAN ---> WAN1, source: all, destination: FQDN of the websites, allow all services.
This policy is the first in my policy list, from LAN to WAN1.
Then i created user identity policies with user groups defined in SSO authentication, with the required web access
restrictions.
However, i do not get any hit counts on my first policy, the one allowing all LAN users to specific web destination.
I know u cannot create FQDN address object with wildcard address.
Maybe there is a better way to implement my requirements.
Any help on this please?
Thanks
Jaures.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Jaures.
Traditionally, you would place the more "broader" firewall rules near the bottom of the firewall chain with the concise ones (like identity polices) near the top. In your case you would want to simply create a standard web filter (and UTM feature set) and place it below the last Firewall rule covering web traffic and [strike]before[/strike] after your last identity policy.
The online 5.2 Handbook perfectly illustrates the setup you are looking for.
If your "general" web access firewall rule still doe not work, confirm you have NAT enabled, firewall labels have correct subnet mask, correct firewall objects usage (address vs FQDN).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Jaures.
Traditionally, you would place the more "broader" firewall rules near the bottom of the firewall chain with the concise ones (like identity polices) near the top. In your case you would want to simply create a standard web filter (and UTM feature set) and place it below the last Firewall rule covering web traffic and [strike]before[/strike] after your last identity policy.
The online 5.2 Handbook perfectly illustrates the setup you are looking for.
If your "general" web access firewall rule still doe not work, confirm you have NAT enabled, firewall labels have correct subnet mask, correct firewall objects usage (address vs FQDN).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hello Dave,
Thank you for the reply. It was helpful, as i was putting the "general" web access firewall at the top of the list. I moved it down the list, and it looks fine now.
Regards,
Jaures.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.