Hello,
Our webfilter is flow-based and we have several AD groups that each have a specific web filtering profile (from no access to full access). Everything is working fine for all users; the sites that need to be blocked are blocked. My problem is when a guest connects to our Wifi. Sometimes (it's definitely not all the time), the web filter will restrict ALL sites. I created a replacement page to get some information and I can see that the guest user (not in the domain) is referred to as a generic user that exists in our AD.
Since English is not my main language, here is a short example:
On the domain, user "ABC" is part of the group "No access". This group is linked to a web filter profile on the Fortigate that allows no website access.
If I log in with the user "ABC" and try to connect to any website, I get the Fortigate blocked page (which is what I want). Now, a guest comes into our office and connects to our wifi (sadly we don't have separate access) to get internet access. Sometimes, he will be blocked as if he were user ABC (the username on the block page is "ABC"). How can I be sure that users who are not part of the domain, using computers that are not part of the domain, don't get this problem? I hope I'm clear enough... Let me know if you need more information. Thank you for your help.
How do you have AD integrated with the Fortigate? If the group object is an FSSO group, make sure you enable FSSO on the rule in the advanced options.
I have 4 groups created in AD (all my AD users are members of one of these) and each one is a member of an FSSO group on the Fortigate.
Each one has a specific web filter rule (flow-based / SSL inspection) assigned to it.
What options are you speaking of?
What I don't understand is why a non-domain user using a non-domain computer is recognized as a domain user by the webfilter... Note that he is never asked to enter any credentials at any time; he is logged in with his local username.
And to be clear, it has happened to other people (no relationship between them) as well.
Thank you!
This option is available via the CLI or, if you are using a FortiManager, in the advanced options section. From the CLI run:
config firewall policy
edit <policyId>
set fsso enable
end
If this option is set to disabled (the default setting), it will ignore FSSO users and groups. Your guests are not authenticated to your AD. They are simply being allowed on the rule because the groups assigned to the rule are being ignored.
Hope that helps.
d
Thanks for your input. I've double-checked my settings and fsso is ENABLED (check the full config below).
I still don't get why some guests, while browsing, get the block page (as they are not part of any group) and why they are identified on the FG as a specific user (always the same, by the way) that is a member of the "No Access" AD group used in one of the policies...
I used %%USERNAME%% on the block page to check and it always returns the same user. If I remove this user from the AD group linked to the FG profile, the guest then has full access to all websites.
Again, thanks for your help.
- Fabien
Here is the full config of one of the policies:
policyid : 13
uuid : 794ceca8-5d42-51e5-afda-ef6d1c329723
srcintf:
== [ internal1 ]
name: internal1
dstintf:
== [ wan1 ]
name: wan1
srcaddr:
== [ all ]
name: all
dstaddr:
== [ all ]
name: all
rtp-nat : disable
action : accept
status : enable
schedule : always
schedule-timeout : disable
service:
== [ ALL ]
name: ALL
utm-status : enable
logtraffic : utm
logtraffic-start : disable
capture-packet : disable
auto-asic-offload : enable
wanopt : disable
webcache : disable
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable
ntlm : disable
ntlm-guest : disable
ntlm-enabled-browsers:
fsso : enable
rsso : disable
fsso-agent-for-ntlm :
groups:
== [ BASIC_FILTERING ]
name: BASIC_FILTERING
users:
devices:
auth-path : disable
disclaimer : disable
natip : 0.0.0.0 0.0.0.0
match-vip : disable
diffserv-forward : disable
diffserv-reverse : disable
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments :
auth-cert :
auth-redirect-addr :
identity-based-route:
block-notification : disable
custom-log-fields:
tags:
replacemsg-override-group:
srcaddr-negate : disable
dstaddr-negate : disable
service-negate : disable
timeout-send-rst : disable
delay-tcp-npu-session: disable
profile-type : single
av-profile :
webfilter-profile : Basic_Filtering
spamfilter-profile :
dlp-sensor :
ips-sensor :
application-list :
voip-profile :
icap-profile :
profile-protocol-options: default
ssl-ssh-profile : certificate-inspection
traffic-shaper :
traffic-shaper-reverse:
per-ip-shaper :
nat : enable
permit-any-host : disable
permit-stun-host : disable
fixedport : disable
ippool : disable
central-nat : disable
redirect-url :
Can you check the logs and see what rule is blocking the user? What are you using to get the AD information? Do you have a FortiAuthenticator or just using the software installed on the Domain Controllers? Either way, the list of users identified should show up in the Monitor - Firewall Users. Have a guest connect and search for the IP address to see if they are in this list.
Regards
D
We did the following:
AD:
4 groups populated by user accounts (Full, Basic, Strict and No Access)
Fortigate:
4 User Groups (Fortinet Single Sign-On), each one having an AD group as a member
4 policies (using the 4 groups) + one without webfilter
Order of policies (LAN - WAN):
No Access
Strict
Basic
Full
All (no webfilter)
Detail of BASIC Webfilter policy:
The guest user gets the block page as if he were connected as one domain user (user account "VideoCad").
This is a generic user logged on to several computers in the company.
If I want to test this account, I open Chrome as this user (the account has a password) and I can check that the webfilter is working as intended. I tested by connecting to CNN.com:
date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" profile="NO ACCESS" action=blocked reqtype=direct url="/favicon.ico" sentbyte=366 rcvdbyte=0 direction=N/A msg="URL belongs to a denied category in policy" method=domain cat=36 catdesc="News and Media" crscore=30 crlevel=high
Thanks again for your help :)
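As an added example (not from the thread, and not Fortinet code), here is a small Python parser for the key=value FortiGate webfilter log format posted above, used to answer D's two questions from the logs instead of the GUI: which user the firewall tied to a given source IP, and which users are attributed to several IPs at once, the footprint of a shared account such as VideoCad. The first record is the one from the thread; the other records and the guest IP 192.168.120.203 are constructed.

```python
import re
from collections import defaultdict

# FortiGate logs are space-separated key=value pairs; values containing
# spaces are double-quoted, e.g. msg="URL belongs to a denied category in policy".
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field -> value."""
    return {k: (bare if bare else quoted) for k, quoted, bare in FIELD_RE.findall(line)}

def user_to_source_ips(lines):
    """Map each user named in webfilter UTM logs to the source IPs it was seen from."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "webfilter" and rec.get("user"):
            seen[rec["user"]].add(rec["srcip"])
    return seen

def users_on_many_hosts(lines, threshold=2):
    """Users attributed to `threshold` or more IPs: the footprint of a shared account
    whose FSSO identity a non-domain host can end up inheriting."""
    return {u: sorted(ips) for u, ips in user_to_source_ips(lines).items() if len(ips) >= threshold}

def users_for_ip(lines, ip):
    """Which user(s) the firewall tied to a source IP (the Monitor > Firewall Users check, from logs)."""
    return sorted(u for u, ips in user_to_source_ips(lines).items() if ip in ips)

# First record is the one posted in the thread, joined onto one line; the others
# are constructed to show the shared account appearing from additional hosts.
SAMPLE_LOGS = [
    'date=2018-01-16 time=09:32:06 logid=0316013056 type=utm subtype=webfilter '
    'eventtype=ftgd_blk level=warning vd="root" policyid=12 sessionid=61269217 '
    'user="VIDEOCAD" srcip=192.168.120.119 srcport=61020 srcintf="internal1" '
    'dstip=151.101.1.67 dstport=80 proto=6 service=HTTP hostname="www.cnn.com" '
    'profile="NO ACCESS" action=blocked reqtype=direct url="/favicon.ico" '
    'sentbyte=366 rcvdbyte=0 direction=N/A msg="URL belongs to a denied category '
    'in policy" method=domain cat=36 catdesc="News and Media" crscore=30 crlevel=high',
    # constructed: the same generic account on a second company PC
    'date=2018-01-16 time=09:40:11 type=utm subtype=webfilter eventtype=ftgd_blk '
    'user="VIDEOCAD" srcip=192.168.120.131 srcintf="internal1" policyid=12 action=blocked',
    # constructed: a guest's IP (not a domain host) attributed to VIDEOCAD
    'date=2018-01-16 time=09:41:02 type=utm subtype=webfilter eventtype=ftgd_blk '
    'user="VIDEOCAD" srcip=192.168.120.203 srcintf="internal1" policyid=12 action=blocked',
    # constructed: an ordinary single-host user, allowed traffic
    'date=2018-01-16 time=09:41:30 type=utm subtype=webfilter eventtype=ftgd_allow '
    'user="ABC" srcip=192.168.120.77 srcintf="internal1" policyid=13 action=passthrough',
]
```

Run `users_on_many_hosts` over a day of webfilter logs to list shared accounts, then `users_for_ip` with a guest's address to see which identity the policy matched on.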