- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Identity Policy fall-through
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Identity Policy fall-through
Hey,
I've been playing around with the new User-Source based policies but unable to make them work.
I have the following policy which is placed at the very top of the list but it just doesnt work (see attached image).
Instead, it falls through to another policy I have that allows internet for the entire office.
What am I missing?
Thanks
Gil
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just wanted to update that after speaking to a Fortigate representative I finally managed to solve this issue.
This has nothing to do with Captive Portal just for the record.
The reason that my non-auth NAT policy was always getting hit is because all non-auth policies take precedence over User Source based policies. Yes even if the non-auth policy is at the bottom of your policy list.
Once I made sure that SW_INTERCONNECT (gil's PC, gilfalko user) was the ONLY policy using gil's PC as the source of the communication, the forti portal popped out immediately. Well, I also had to erase all sessions from my station first.
I hope that helps someone out there.
Peace
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The diag debug flow would be your best friend, but I would 1st check the firewall address src for that gil laptop source.
2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:The diag debug flow would be your best friend, but I would 1st check the firewall address src for that gil laptop source.
2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.
Thanks for the reply.
I actually did run a "diag debug flow" and all it showed me is that the policy being "hit" is the one I have that enables Internet outbound traffic for the entire office. SW_Interconnect (ALL) --> WAN1 (ALL) + NAT to be exact.
The source for gil's laptop (my laptop) is 100% correct as I use it for all sorts of other things.
Substitute what with what? I can do whatever I want right now as no one's in the office :D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is the fw-policy order correct?
If the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:So is the fw-policy order correct?
If the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.
This policy is the **first** in the top-down line. gil's laptop is indeed correct.
Yet I'm still getting no auth portal when attempting to surf the web.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe your fw-policy ids ordering is not correct, or some thing else is not in wack with the src and/or user group defined. When you execute a show firewall policy ? from cli, what policy-id is listed 1st ? If you change this to a deny, does it block your host ( that would validate if this is being match by order & for that source )
Here's a posting for authentication, but this is proabably not going to help but I still would run diag debug app authd -1
http://socpuppet.blogspot...-policies-trouble.html
edit to add ; a show firewall policy xxx might shed some light also, where xxx is our fwpolicy-id that you think should be matched with identity enabled.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I uploaded the result of "show firewall policy" and the matching first policy I see in the GUI.
Also here's the rule itself taken from the CLI:
config firewall policy edit 58 set uuid 7dae3ef6-48d8-51e5-86b8-592fb2c673e7 set srcintf "SW_Interconnect" set dstintf "wan1" set srcaddr "Gils Laptop" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set fsso enable set users "artur" set nat enable next end
Oh and I know for a fact that that policy is not being matched or else i'd be getting that portal :\
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
Your link was broken but I found it eventually.
The option does not exist in 5.2.3.
It was the first thing I tried when I read it.
I only have "set identity-based-route"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gilfalko wrote:emnoc wrote:I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
Your link was broken but I found it eventually.
The option does not exist in 5.2.3.
It was the first thing I tried when I read it.
I only have "set identity-based-route"
Because in 5.2 when you add user group (set groups ..) you'll make it identity-based.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Related Posts
- Fortigate with Mikrotik Site to site... 457 Views
- API v2 Adding user to a... 316 Views
- How to correctly understand and use... 749 Views
- IPSec Between Fortigate and Mikrotik 5268 Views
- Problem config vpn ipsec site to... 2360 Views
Labels
-
FortiGate
6,569 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
337 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Email filter profile
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.