config firewall policy
    edit 77
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "<users_to_access_via_FSAE>"
        set dstaddr "all"
        set action accept
        set ippool enable
        set poolname "IP.pool.outbound"
        set fsae enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 2
                set groups "High level Internet"
                set logtraffic enable
                set profile "I/S"
                set schedule "always"
                set service "Allow.Default"
            next
            edit 3
                set groups "Medium level Internet"
                set logtraffic enable
                set profile "general w unrated"
                set schedule "always"
                set service "Allow.Default"
            next
            edit 4
                set groups "Low level Internet"
                set logtraffic enable
                set profile "general w/o unrated"
                set schedule "always"
                set service "Allow.Default"
            next
            edit 1
                set groups "FSAE_Guest_Users"
                set logtraffic enable
                set profile "restrictive"
                set schedule "always"
                set service "Allow.Default"
            next
        end
    next
end

Where "High level Internet", "Medium level Internet", "Low level Internet", "FSAE_Guest_Users" are FSAE groups. "High Level Internet" gives maximum Internet access, and "FSAE_Guest_Users" Internet access is strictly limited. The "FSAE_Guest_Users" group is created on the FGT, and cannot be removed. This is the place to go when someone cannot be verified as logged into your network. This determines what will happen to them. Any policy below this with

    set srcintf "port1"
    set dstintf "port2"
    set srcaddr "<users_to_access_via_FSAE>"
    set dstaddr "all"

will never get accessed. Hope that helps.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
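Added example, not from the post above or from Fortinet: a small Python audit that parses a FortiGate `config firewall policy` block in the layout shown above and flags any later policy that repeats the srcintf/dstintf/srcaddr/dstaddr of an earlier identity-based policy, i.e. the "will never get accessed" case. The sample config, the address name "FSAE_users" and policy 78 are constructed for the demonstration.

```python
# Constructed sample: policy 77 as above, plus a hypothetical 78 that repeats its match fields.
SAMPLE_CONFIG = """\
config firewall policy
    edit 77
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "FSAE_users"
        set dstaddr "all"
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "FSAE_Guest_Users"
            next
        end
    next
    edit 78
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "FSAE_users"
        set dstaddr "all"
    next
end
"""
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr")

def parse_policies(text):
    """Ordered (policy_id, settings) pairs; nested identity-based-policy entries are skipped."""
    policies, depth = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            policies.append((line.split(None, 1)[1], {}))
        elif line.startswith("set ") and depth == 1:
            key, _, value = line[4:].partition(" ")
            policies[-1][1][key] = value.strip('"')
    return policies

def match_tuple(cfg):
    return tuple(cfg.get(k) for k in MATCH_KEYS)

def find_shadowed(policies):
    """(earlier_id, later_id) pairs: first match wins, so the later policy is never reached."""
    return [(pid, lid) for i, (pid, cfg) in enumerate(policies)
            if cfg.get("identity-based") == "enable"
            for lid, lcfg in policies[i + 1:] if match_tuple(lcfg) == match_tuple(cfg)]
```

Running `find_shadowed(parse_policies(SAMPLE_CONFIG))` on the sample reports policy 78 as shadowed by policy 77.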