Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gilfalko
New Contributor III

Identity Policy fall-through

Hey,

I've been playing around with the new User-Source based policies but unable to make them work.

I have the following policy which is placed at the very top of the list but it just doesnt work (see attached image).

Instead, it falls through to another policy I have that allows internet for the entire office.

What am I missing?

Thanks

Gil

 

1 Solution
gilfalko
New Contributor III

I just wanted to update that after speaking to a Fortigate representative I finally managed to solve this issue.

This has nothing to do with Captive Portal just for the record.

 

The reason that my non-auth NAT policy was always getting hit is because all non-auth policies take precedence over User Source based policies. Yes even if the non-auth policy is at the bottom of your policy list.

Once I made sure that SW_INTERCONNECT (gil's PC, gilfalko user) was the ONLY policy using gil's PC as the source of the communication, the forti portal popped out immediately. Well, I also had to erase all sessions from my station first.

 

I hope that helps someone out there.

Peace

View solution in original post

19 REPLIES 19
emnoc
Esteemed Contributor III

The diag debug flow would be your best friend,  but I would 1st check the firewall address src for that gil laptop source.

 

2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gilfalko
New Contributor III

emnoc wrote:

The diag debug flow would be your best friend,  but I would 1st check the firewall address src for that gil laptop source.

 

2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.

 

Thanks for the reply.

I actually did run a "diag debug flow" and all it showed me is that the policy being "hit" is the one I have that enables Internet outbound traffic for the entire office. SW_Interconnect (ALL) --> WAN1 (ALL) + NAT to be exact.

The source for gil's laptop (my laptop) is 100% correct as I use it for all sorts of other things.

 

Substitute what with what? I can do whatever I want right now as no one's in the office :D

 

emnoc
Esteemed Contributor III

So is the fw-policy order correct?

 

If  the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gilfalko
New Contributor III

emnoc wrote:

So is the fw-policy order correct?

 

If  the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.

 

This policy is the **first** in the top-down line. gil's laptop is indeed correct.

Yet I'm still getting no auth portal when attempting to surf the web.

 

emnoc
Esteemed Contributor III

I believe  your fw-policy ids  ordering is not correct, or some thing else is not in wack with the src and/or user group defined. When you execute a show firewall policy ?  from cli, what policy-id is listed 1st  ? If you change this to a deny, does it block your host ( that would validate if  this is being match by order  & for that source )

 

Here's a posting for authentication, but this is proabably not going to help but I still would run diag debug app authd -1

http://socpuppet.blogspot...-policies-trouble.html

 

edit to add ; a show firewall policy xxx  might shed some light also, where xxx is our fwpolicy-id that you think should be matched with identity enabled.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gilfalko
New Contributor III

I uploaded the result of "show firewall policy" and the matching first policy I see in the GUI.

Also here's the rule itself taken from the CLI:

 

config firewall policy edit 58 set uuid 7dae3ef6-48d8-51e5-86b8-592fb2c673e7 set srcintf "SW_Interconnect" set dstintf "wan1" set srcaddr "Gils Laptop" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set fsso enable set users "artur" set nat enable next end

 

Oh and I know for a fact that that policy is not being matched or else i'd be getting that portal :\

emnoc
Esteemed Contributor III

I don't see set identity in your firewall policy. Take a look at that eg blog.

 

set identity-based enable

 

what version fortiOS version.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gilfalko
New Contributor III

emnoc wrote:

I don't see set identity in your firewall policy. Take a look at that eg blog.

 

set identity-based enable

 

what version fortiOS version.

Your link was broken but I found it eventually.

The option does not exist in 5.2.3.

It was the first thing I tried when I read it.

I only have "set identity-based-route"

 

xsilver_FTNT

gilfalko wrote:

emnoc wrote:

I don't see set identity in your firewall policy. Take a look at that eg blog.

 

set identity-based enable

 

what version fortiOS version.

Your link was broken but I found it eventually.

The option does not exist in 5.2.3.

It was the first thing I tried when I read it.

I only have "set identity-based-route"

 

Because in 5.2 when you add user group (set groups ..) you'll make it identity-based.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors