Hello,
I have one problem, and I do not understand how to solve it:
I have to create one policy (IPv4) with application control. This policy must be triggered by single application.
For example: By this policy I would like to control YouTube traffic. allow some AD group to visit youtube pages.
Another rule would be do same for Facebook, for twitter, etc.
how I can implement granular application control?
I can allow, block, or monitor applications. but I would like to use one application - (for example YouTube family).
Any ideas? May be I have to use completely different way?
PS: FGT100D, with active contract. No explicit proxy.
Update: forgot to mention: latest firmware for today, v5.2.2,build642 (GA)
Just example, what I speaking about - application control. I do not like to check or monitor categories. I would like to allow youtube only, nothing more.
[broken image deleted]
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, but unfortunately it doesn't work like this.
For users in multiple groups, it will apply the first relevant rule. The best thing to do where multiple groups for a user exist, is to put the preferred rule w/ application control above the others (normally this is a more permissive profile, as it's often the IT department that are in multiple groups).
Hope this helps.
......
-Jake
The way to do this is to have an individual profile for each AD usergroup, which would contain all the applications you want to control for that usergroup.
You can't create a profile for each individual app and apply multiple profiles to one rule.
......
-Jake
iJake wrote:Hi, thanks,The way to do this is to have an individual profile for each AD usergroup, which would contain all the applications you want to control for that usergroup.
You can't create a profile for each individual app and apply multiple profiles to one rule.
I understand AD groups and we are using this (FSSO Agents on AD servers).
but my question was, how to create policy rule that would match next criteria:
1. User in group "allowed_youtube" or "social_media"
2. Application "youtube"
3. Action "allowed"
if #1 nor #2 not matched - go next rule and check.
for example next rule would be:
1. User in group "allowed_twitter" or "social_media"
2. Application "twitter"
3. Action "allowed"
etc.
easy, from 1st point of view.
But "how" - not clear for me.
You can't have 10 profiles and apply them to one usergroup within 1 rule, because the traffic matches a rule and the action is applied, it won't go any further down.
But to create a single profile with multiple signatures in it, you go to:
Security Profile > Application Control > Select/Create Profile > Application Overrides > Add Signatures
From there you can select individual signatures for the applications you want to control, though I suspect you already know how to do this.
You would have to select all signatures under this one profile and apply this one profile to the relevant usergroup.
......
-Jake
None of our Fortigates are on 5.2, but reviewing the patch notes for 5.2.0 (page 13 to 16), it outlines the changes to the identity-based firewall policies from 5.0 to 5.2 (indicated below) and then goes on to provide examples on how to use this new "Implicit fall-through" features for user authentication polices.
Haven't checked, but I am going to assume the 5.2 FortiGate Cookbook website (or 5.2 cookbook pdf) will have examples on how to use this "Implicit fall-through" user authentication polices.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
That's useful information, but I'm not sure that's what the OP wants.
From what I read, it sounds like he wants a specific application profile for youtube, and another for facebook, then he just wants to add those profiles to the rule relating to the usergroup.
......
-Jake
vladimir's follow-up post seems to imply the testing of users (in a group) for different categories, in which case the "Implicit fall-through" authentication policies may be what he's after.
That said, I am also more use to grouping various app access/blocks in a single application senor and assigning that to a group in a firewall policy. (I do not know if vladimir is aware that app sensors are executed from top/down, so he could easily craft sensors in a particular order.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Yeah, that's top down and it will apply the relevant action to the matched traffic within the application profile.
My understanding of it is he is referring to the IPv4 policy within 5.2 - and he wants multiple rules for one usergroup, with one rule for each application. Something that would complicate management and I don't believe is possible in any case.
But yeah, the screenshot you attached compliments the instructions I wrote about (too lazy to make a screenshot :p) and is the way to implement control for multiple applications for 1 usergroup.
......
-Jake
iJake wrote:Yeah, that is exactly what I mean - I would like in rule (if possible) - match all parameters - interfaces, from/to/user/device/group, service, time window and exact application. if all criterias matched - apply defined action.If no matched - go to next rule.
My understanding of it is he is referring to the IPv4 policy within 5.2 - and he wants multiple rules for one usergroup, with one rule for each application.
Easy and granular, isn't?
user can be member of more than one group. as I wrote before. for example: allow_facebook_read and allow_facebook_post
vladimir.
Yes, but unfortunately it doesn't work like this.
For users in multiple groups, it will apply the first relevant rule. The best thing to do where multiple groups for a user exist, is to put the preferred rule w/ application control above the others (normally this is a more permissive profile, as it's often the IT department that are in multiple groups).
Hope this helps.
......
-Jake
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.