I have two FGT200G devices set up in a cluster and a local Active Directory domain. I use local LDAP to authenticate users, and all computers are domain joined and running Windows 10/11. I also have a FortiAnalyzer set up for reporting, and web filter policies blocking certain sites.
The issue I am facing is that sometimes users do not hit the relevant Web Filter policy and end up in the Catch All Web Filter. I have been trying to figure out why this is, but have had no luck.
Is there a way of seeing why the user did not hit the web filter policy? Could it be that the FortiGate did not know the user?
Are you using FSSO or active portal?
If FSSO, which type?
Hi,
I am using FSSO, I have added 10 user groups below which are assigned to users and used to determine which web filter to hit.
Created on 02-12-2024 05:54 AM Edited on 02-12-2024 05:55 AM
Hi Julian
Created on 02-14-2024 02:14 AM Edited on 02-14-2024 02:20 AM
I am having issues with getting outgoing SSL VPN set up.
The VPN is set up as
and must be a member of two groups, one to allow VPN, and the other to determine their web access.
With my current configuration, remote users can connect successfully and 2-factor works, and all users' outgoing web access to sites is the same.
What I am trying to do, and it is not working, is to filter the outgoing traffic based on the user's Active Directory group.
I have created more firewall policies like the one below, but when activated, VPN users always hit the first firewall policy even if they are not in the Active Directory group.
I have checked the FortiGate Source rules, and it says if the Source types are different then it's "AND" and if they are the same it's "OR".
So the example should only be met if all sources are met.
Here are my firewall policies in sequence; VPN - Elevated is always hit.
Could this be the issue, as the first two sources in the firewall policy are groups, so it is doing an "OR" and not an "AND"?
Between identical elements, it's a logical OR (e.g. this address or this address).
Between different elements, it's a logical AND (this address AND this group-member AND this MAC-address).
[Screenshot: Firewall Policy SOURCE, SSL.ROOT to VIRTUAL-WAN-LINK]
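The following is an added illustration, not code from the thread or from Fortinet: a small Python model of the Source-matching rule quoted above (identical element types are OR'ed, different element types are AND'ed) combined with top-to-bottom first-match policy evaluation. The policy names, group names and the SSL VPN tunnel address range are constructed for the example. It shows two things the thread asks about: a policy whose Source lists two user groups is hit by a member of either group, and a session whose user the FortiGate never learned via FSSO carries no groups and falls through to the catch-all policy.

```python
# Added example (not from the forum thread or Fortinet): model of FortiGate
# firewall-policy Source evaluation as described in the thread.
#   - entries of the same element type (address, user group) are OR'ed
#   - different element types are AND'ed
#   - policies are evaluated in order; the first match wins
# All names, groups and addresses below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    src_ip: str
    # Groups the FortiGate learned for this IP through FSSO.
    # An empty set models a user the FortiGate does not know.
    groups: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    src_addrs: list = field(default_factory=list)   # address objects, CIDR strings
    src_groups: list = field(default_factory=list)  # user group names


def source_matches(policy: Policy, s: Session) -> bool:
    """Within one element type: OR. Across element types: AND.
    An element type with no entries imposes no constraint."""
    checks = []
    if policy.src_addrs:
        checks.append(any(ip_address(s.src_ip) in ip_network(a) for a in policy.src_addrs))
    if policy.src_groups:
        checks.append(any(g in s.groups for g in policy.src_groups))
    return all(checks)


def first_matching_policy(policies, s: Session):
    """Top-to-bottom evaluation; returns the name of the first policy hit."""
    for p in policies:
        if source_matches(p, s):
            return p.name
    return None


SSL_VPN_RANGE = "10.212.134.0/24"   # constructed tunnel address range

# Policies as the thread describes them: both the VPN group and the
# web-access group listed in one Source field (so they are OR'ed).
AS_CONFIGURED = [
    Policy("VPN - Elevated", [SSL_VPN_RANGE], ["VPN-Users", "Web-Elevated"]),
    Policy("VPN - Standard", [SSL_VPN_RANGE], ["VPN-Users", "Web-Standard"]),
    Policy("Catch All Web Filter", ["0.0.0.0/0"]),
]

# Same policies with only the web-access group in each Source field.
# VPN membership is already enforced when the SSL VPN tunnel is established,
# so it does not need to be repeated here.
ONE_GROUP_PER_POLICY = [
    Policy("VPN - Elevated", [SSL_VPN_RANGE], ["Web-Elevated"]),
    Policy("VPN - Standard", [SSL_VPN_RANGE], ["Web-Standard"]),
    Policy("Catch All Web Filter", ["0.0.0.0/0"]),
]

ELEVATED_USER = Session("10.212.134.10", frozenset({"VPN-Users", "Web-Elevated"}))
STANDARD_USER = Session("10.212.134.11", frozenset({"VPN-Users", "Web-Standard"}))
UNKNOWN_USER = Session("10.212.134.12")   # no FSSO logon learned for this IP


if __name__ == "__main__":
    for label, policies in (("as configured", AS_CONFIGURED),
                            ("one group per policy", ONE_GROUP_PER_POLICY)):
        print(label)
        for who, sess in (("elevated", ELEVATED_USER), ("standard", STANDARD_USER),
                          ("unknown", UNKNOWN_USER)):
            print(f"  {who:8s} -> {first_matching_policy(policies, sess)}")
```

With the policies as configured, the standard user lands in "VPN - Elevated" because membership in VPN-Users alone satisfies the OR'ed group list; with one group per policy the same user hits "VPN - Standard". In both layouts the session with no FSSO groups matches only the catch-all, which is the symptom in the original question when the FortiGate has not learned the user's logon.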
Hi @julianhaines,
You need to check and make sure the user appears as logged in on the collector agent and FortiGate. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-General-troubleshooting-for-FSSO/ta-...
Regards,