Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
julianhaines
New Contributor

Created on ‎02-12-2024 12:40 AM

How to trace why a user is not hitting a web filter

I have two FGT200G devices setup in a Cluster and a local Active Directory domain, I use local LDAP to authenticate users and all computers are domain joined and Windows 10/11. I also have a FortiAnalyzer setup for reporting, and web filter policies blocking certain sites.

 

The issue I am facing is that sometimes users do not hit the relevant Web Filter policy and end up in the Catch All Web Filter, I have been trying to figure out why this is but have no luck.

 

Is there a way of seeing why the user did not hit the web filter policy? Could it be that the FortiGate did not know the user?

Labels:
460
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎02-12-2024 01:21 AM

Are you using FSSO or active portal?

If FSSO, which type?

AEK
AEK
447
0 Kudos
julianhaines
New Contributor
In response to AEK

Created on ‎02-12-2024 01:26 AM

Hi,

 

I am using FSSO, I have added 10 user groups below which are assigned to users and used to determine which web filter to hit.

FSSO.png

442
0 Kudos
AEK
SuperUser
SuperUser
In response to julianhaines

Created on ‎02-12-2024 05:54 AM Edited on ‎02-12-2024 05:55 AM

Hi Julian

  • Which FortiOS version?
  • Which FSSO agent version?
  • Windows domain controller version
  • Did it work fine before? If so, what was the last changes you did before it started to fail (firmware upgrade? any config change?...)
  • Do you see the affected users in FortiGate's user monitor (FortiView) at the moment when the issue occurs
  • Do you see the affected users in FSSO agent (user view) at the moment when the issue occurs
AEK
AEK
409
0 Kudos
julianhaines
New Contributor
In response to AEK

Created on ‎02-14-2024 02:14 AM Edited on ‎02-14-2024 02:20 AM

I am having issues with getting outgoing SSL VPN setup

  • FortiGate FGT200F-HA1 cluster running v7.2.4 firmware.
  • DUO Authentication Proxy 6.3.0
  • Windows Server 2016
  • FSSO Agent v5.0.0309

The VPN is setup as

  • Users connect to the VPN remotely via FortiClient VPN.
  • All traffic goes though the SSL VPN.
  • User are authenticated via Active Directory username, password, DUO 2-Factor

and must be a member of two groups, one to allow VPN, and the other to determine their web access

  • The DUO Radius server is local.
  • All users are Domain joined and Windows OS based.

my current configuration remote users can connect successfully and 2-factors works, and all users outgoing web access to sites is the same.

 

InandOut.png

 

What I am trying to do and it not working is to filter the Outgoing traffic based on the users Active Directory group.

I have created more Firewall Policies like the one below but when activated VPN users always hit the first Firewall policy even if they are not in the active directory group.

 

Example.png

 

I have checked the FortiGate Source rules, and it says if the Source types are different then it’s “AND” and if they are the same its “OR”.

So the example should only be met if all sources are met.

 

Here is my Firewall Policies in sequence, VPN - Elevated is always hit

Firewall Policy Sequence.png

 

351
0 Kudos
julianhaines
New Contributor
In response to julianhaines

Created on ‎02-14-2024 03:07 AM

Could this be the issue as the first two sources in the Firewall Policy as Groups so doing an "OR" and not "AND"

 

Between identical elements, it's a logical OR (e.g. this address or this address).

Between different elements, it's a logical AND (this address AND this group-member AND this MAC-address).

 

SSL.ROOT - VIRTUAL-WAN-LINK

Firewall Policy SOURCE

Source.png

338
0 Kudos
hbac
Staff
Staff
In response to julianhaines

Created on ‎02-12-2024 07:35 AM

Hi @julianhaines,

 

You need to check and make sure the user appears as logged in on the collector agent and FortiGate. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-General-troubleshooting-for-FSSO/ta-...

 

Regards, 

399
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.