Every other content filter I have ever used lets you install an agent on the client for the purposes of identifying to the content filter who the user is.
Content filters: Lightspeed systems, Securly, Go Guardian. You get the point.
Currently the only way Fortinet does this is server-side and it's Windows-only. You have to install software on the domain controller.
Our environment is mixed: we have Windows, Chromebooks, Mac. This is pretty common now.
The solution is simple.
Eliminate FSSO (it's far overcomplex for its simple goal)
Windows: Create a simple .msi that reports the username at login to the FortiGate
Mac: Create a dmg Mac program that reports the username at login to the FortiGate
Chromebook: Create a Chrome extension that reports the username at login to the FortiGate
Without this feature content filtering is pretty useless. If you can't identify users on most platforms and assign different policies, what is even the point of using your content filtering?
I have expressed this request multiple times to multiple people and nobody listens.
Fortinet does not listen to customers. I got very political answers or just the runaround.
Could you use the licensed FortiClient? That will get most of what you're asking for the MACOSX device. ChromeOS might be a far fetch.
PCNSE
NSE
StrongSwan
I understand the FortiClient would do this function. However, I'm not paying licensing for the client. I don't need any of the features of the client. Zero.
Fortinet has this big push to get their multi-featured security client on everyone's machine.
They should make a thin client with just the identification piece for Mac.
Ask for an NFR (new feature request). Most of the others are using a proxy and it has basic context awareness to identify the end users (OS type, version, etc.).
I think you're asking for something that can easily be achieved via alternative solutions or via an add-on or 3rd-party network profiler.
Next, the bigger issue is how are you going to enforce and deliver an end-point agent for BYOD or "off the domain" devices?
Again, a web proxy that has endpoint context awareness is the smarter approach imho
Ken
PCNSE
NSE
StrongSwan
Hi mfahey,
I have a similar problem with an increase in the number of Chromebooks in the organisation. I can use explicit proxy to provide filtering but in order to use specific policies, and identify users, the users have to log in. This isn't a smooth approach but might be a half-way-house for what you're after?
The problem with this is that the explicit proxy login page is only served over HTTP so all users' credentials are sent unencrypted. I've raised an NFR to get the login page moved to HTTPS but apparently no-one else has requested this feature. If you think it would be beneficial please contact your account manager and add your support to NFR 0467541.
The fact that a company produces a security product that allows credentials to be submitted in plain text astonishes me. Surely encrypting credentials is security 101?!
Jonathan
EMNOC, we did ask for an NFR. They don't listen. BYOD devices use captive portal to authenticate.
Users need to log in and be online, not be presented with multiple logins to various things.
Jonathan - Everyone I have spoken to has suggested workarounds like proxy and everything else instead of admitting that the content filtering piece lacks key functionality.
We gave up with Fortinet and simply are using securly.com for filtering of Chromebooks. It works great and you can be up and running in minutes.
Bottom line is Fortinet doesn't listen to its customers.
Hi Mfahey,
I completely agree there's functionality missing, I'm just hoping there's some traction on my NFR. Thanks for the tip of Securly, I'll give that a look.
Jonathan
My best bet would be to use a captive portal / identity-based policy for everyone. A bit of a nuisance though but doable today.
Is the Device identification that bad in your environment, even with 'active scan' enabled?
Device identification is terrible and does not work.
ede_pfau - realistically, no, we can't use captive portal. The requirement is login to the computer without multiple logins to other things. Every other content filtering software has agents except Fortinet.