Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cpattonsfs
New Contributor

Allow authentication on block

We're a school environment, and I want to use a default web filtering policy for everyone, then allow faculty/staff to authenticate to have a less-restrictive filtering experience. Right now, the only way I can accomplish this is to set certain categories to "authenticate" instead of "block". The problem is that I have to set the authenticate rules for every individual category. What I would like instead is to have un-authenticated users able to browse the web freely until they encounter a blocked site, then be able to override or otherwise trigger authentication. Is this at all possible? Thanks!

6 REPLIES 6
gschmitt
Valued Contributor

cpattonsfs wrote:

We're a school environment, and I want to use a default web filtering policy for everyone, then allow faculty/staff to authenticate to have a less-restrictive filtering experience. Right now, the only way I can accomplish this is to set certain categories to "authenticate" instead of "block". The problem is that I have to set the authenticate rules for every individual category. What I would like instead is to have un-authenticated users able to browse the web freely until they encounter a blocked site, then be able to override or otherwise trigger authentication. Is this at all possible?

Not quite sure what it is you are asking.... you don't have to set all categories to auth. Just the ones you'd like users to authenticate to?

ede_pfau
Esteemed Contributor III

If you look through the categories you'll notice there are a number of which are harmless in any respect ('tobacco', really?).

I can imagine that the administration of a school's FGT is difficult but to block everything is IMHO not the right way. You should get a resolution from your authorities which content needs to be blocked, so to say, a blacklist of categories. This is more of a legal problem than a technical one. If the list is a long one, bad luck, you'd have to set the 'override' status on each one.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
cpattonsfs

Sorry, apparently I haven't been clear.

 

I don't wish to block EVERYTHING. My question has to do with when authentication is required.

 

As I understand it, this is the workflow that is required in order to use different filtering profiles, or to utilize the "override" command:

 

1) As soon as a device logs on, it must authenticate before it can even access the internet.

2) They are automatically assigned a profile based on their identity.

3) When a blocked page is encountered, if "Allow blocked override" is checked and users are in a group that is allowed to override, the page is displayed and the override remains in place for the amount of time specified in the settings.

 

STEP 1 is the problem here. I do not want ALL of my users to have to authenticate just so that a FEW can be assigned an alternate profile. Here's what I WANT to happen:

 

1) As soon as device logs on, it has immediate access to the internet and uses the default filtering profile.

2) When a blocked page is encountered, the user can authenticate, which will assign them the correct profile based on identity.

3) If a page is still blocked with the newly-assigned profile, the override function can be used, as above.

 

Right now I CAN accomplish this, by setting each category I want to block to "authenticate" instead of "block." The problem is that if, for example, I want to block 5 categories, then I have to manually change each one to "Authenticate" AND change the settings for each one. Not the end of the word, but just not ideal.

 

I guess this might be splitting hairs. I guess I was spoiled by the dedicated filtering appliance I'm used to, as this was easy to configure. 

michellem812

You can do this, we do similar; we use FSSO with the DC agent on our Windows domain controller, but the situation you list is similar to our iPads - our iPads get the "student" (guest) policy which is more restricted and it can be overrode but has no authentication. In Policies, we have 3 policies (in this order):

1: FSSO_staff users on Windows get the "staff" profile (ie., they can get to Shopping sites like walmart.com)

2: FSSO_student users on Windows get the "student" (guest) profile. (ie., they cannot get to walmart.com)

3: SSO_Guest_users get the "student" (guest) profile (ie., they cannot get to walmart.com)

Staff or students who login to the AD network on Windows get on the internet and their network credentials automatically tell the Fortigate which profile they get. iPads or laptops that aren't in our domain default automatically to the "student" (guest) profile, so they can browse most of the internet, but can't get to Shopping sites like Walmart.com.

On the iPad, if they try to go to walmart.com, they can click the Override link and sign in with a staff username/password, if you set the "Allow Blocked Override" option in the "student" (guest) profile.

Make sense? Hope it helps!

hmofaz
New Contributor

Hello,

This sounds what i need also.

I this possible?

Thanks

Bye

Sarvesh_FTNT
Staff
Staff

neber mind I see you were answered

Labels
Top Kudoed Authors