Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mfahey
New Contributor III

Feature Request: Identify users on mac,chrome and windows to assign policies properly.

Every other content filter I have ever used Lets you install an agent on the client for the purposes of identifying to the content filter who the user is.

 

Content filters: Lightspeed systems, Securly, Go Guardian. You get the point.

 

Currently the only way fortinet does this is server side and it's windows only. You have to install software on the domain controller.

 

Our environment is mixed, we have windows,chromebooks, mac. This is pretty common now.

 

The solution is simple.

Eliminate FSSO ( its far overcomplex for its simple goal)

windows :  create a simple .msi that reports the username at login to the fortigate 

Mac: Create a dmg mac program that reports the username at login to the fortigate

Chromebook: Create a chrome extension that reports the username at login to the fortigate

 

Without this feature content filtering is pretty useless. If you can't identify users on most platforms and assign different policies

what is even the point of using your content filtering.

 

I have expressed this request multiple times to multiple people and nobody listens. 

 

Fortinet Does not listen to customers. I got very political answers or just the run around.

 

 

 

 

8 REPLIES 8
emnoc
Esteemed Contributor III

Could  you used the license FortiClient? That will get most of what your asking for the MACOSX device. ChromeOS might be a far fetch .

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
mfahey
New Contributor III

I understand the forticlient would do this function. However, I'm not paying licensing for the client. I don't need any of the features of the client. Zero. 

Fortinet has this big push to get their multi featured security client on everyone's machine. 

They should make a thin client with just the identification piece for mac.

emnoc
Esteemed Contributor III

Ask for a NFR ( new feature request ) , most of the others are  using a proxy and it has basic context awareness to identified the end users ( OS  type, version ,etc....)

 

 

I think your asking for something that can easily be achieved via a alternative solutions or via a  add-on or 3rd parties network profiler.

 

Next, the bigger issues, is how are you  going to enforce and delivery a end-point-agent  for  BYOD or "off the domain" devices?

 

Again, a webproxy that has endpoint context awareness is the smarter approach imho

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
eksjonathan

Hi mfahey,

 

I have a similar problem with an increase in the number of Chromebooks in the organisation.  I can use explicit proxy to provide filtering but in order to use specific policies, and identify users, the users have to login.  This isn't a smooth approach but might be a half-way-house for what you're after?

 

The problem with this is that the explicit proxy login page is only served over HTTP so all users' credentials are sent unencrypted.  I've raised an NFR to get the login page moved to HTTPS but apparently no-one else has requested this feature.  If you think it would be beneficial please contact your account manager and add your support to NFR 0467541.

 

The fact that a company produces a security product that allows credentials to be submitted in plain text astonishes me.  Surely encrypting credentials is security 101?!

 

Jonathan

mfahey
New Contributor III

EMNOC we did ask for a NFR. THey dont listen.  BYOD devices use captive portal to authenticate. 

 

Users need to login and be online. Not present with multiple logins to various things. 

 

Jonathan, - Everyone I have spoke to has suggested work arounds like proxy and everything else instead of admitting that the content filtering piece lacks key functionality. 

We gave up with fortinet and simply are using securly.com for filtering of chromebooks. IT works great and you can be up and running in minutes. 

 

Bottom line is fortinet doesn't listen to its customers. 

eksjonathan

Hi Mfahey,

 

I completely agree there's functionality missing, I'm just hoping there's some traction on my NFR.  Thanks for the tip of Securly, I'll give that a look.

 

Jonathan

ede_pfau

my best bet would be to use a captive portal / identity-based policy for everone. A bit of a nuisance though but doable today.

Is the Device identification that bad in your environment, even with 'active scan' enabled?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
mfahey
New Contributor III

Device identification is terrible and does not work. 

 

ede_pfau - realistically no we can't use captive portal. the requirement is login to the computer without mutliple logins to other things. Every other content filtering software has agents except fortinet. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors