Hey,
I've been playing around with the new User-Source based policies but unable to make them work.
I have the following policy which is placed at the very top of the list but it just doesnt work (see attached image).
Instead, it falls through to another policy I have that allows internet for the entire office.
What am I missing?
Thanks
Gil
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I just wanted to update that after speaking to a Fortigate representative I finally managed to solve this issue.
This has nothing to do with Captive Portal just for the record.
The reason that my non-auth NAT policy was always getting hit is because all non-auth policies take precedence over User Source based policies. Yes even if the non-auth policy is at the bottom of your policy list.
Once I made sure that SW_INTERCONNECT (gil's PC, gilfalko user) was the ONLY policy using gil's PC as the source of the communication, the forti portal popped out immediately. Well, I also had to erase all sessions from my station first.
I hope that helps someone out there.
Peace
The diag debug flow would be your best friend, but I would 1st check the firewall address src for that gil laptop source.
2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.
PCNSE
NSE
StrongSwan
emnoc wrote:The diag debug flow would be your best friend, but I would 1st check the firewall address src for that gil laptop source.
2nd, i would substitute a new policy ( & re-ordering ) using something under your control for testing.
Thanks for the reply.
I actually did run a "diag debug flow" and all it showed me is that the policy being "hit" is the one I have that enables Internet outbound traffic for the entire office. SW_Interconnect (ALL) --> WAN1 (ALL) + NAT to be exact.
The source for gil's laptop (my laptop) is 100% correct as I use it for all sorts of other things.
Substitute what with what? I can do whatever I want right now as no one's in the office :D
So is the fw-policy order correct?
If the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.
PCNSE
NSE
StrongSwan
emnoc wrote:So is the fw-policy order correct?
If the SRC is in that policy-id " gils laptop " is correct , than it should have been matched.
This policy is the **first** in the top-down line. gil's laptop is indeed correct.
Yet I'm still getting no auth portal when attempting to surf the web.
I believe your fw-policy ids ordering is not correct, or some thing else is not in wack with the src and/or user group defined. When you execute a show firewall policy ? from cli, what policy-id is listed 1st ? If you change this to a deny, does it block your host ( that would validate if this is being match by order & for that source )
Here's a posting for authentication, but this is proabably not going to help but I still would run diag debug app authd -1
http://socpuppet.blogspot...-policies-trouble.html
edit to add ; a show firewall policy xxx might shed some light also, where xxx is our fwpolicy-id that you think should be matched with identity enabled.
PCNSE
NSE
StrongSwan
I uploaded the result of "show firewall policy" and the matching first policy I see in the GUI.
Also here's the rule itself taken from the CLI:
config firewall policy edit 58 set uuid 7dae3ef6-48d8-51e5-86b8-592fb2c673e7 set srcintf "SW_Interconnect" set dstintf "wan1" set srcaddr "Gils Laptop" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set fsso enable set users "artur" set nat enable next end
Oh and I know for a fact that that policy is not being matched or else i'd be getting that portal :\
I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
PCNSE
NSE
StrongSwan
emnoc wrote:I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
Your link was broken but I found it eventually.
The option does not exist in 5.2.3.
It was the first thing I tried when I read it.
I only have "set identity-based-route"
gilfalko wrote:emnoc wrote:I don't see set identity in your firewall policy. Take a look at that eg blog.
set identity-based enable
what version fortiOS version.
Your link was broken but I found it eventually.
The option does not exist in 5.2.3.
It was the first thing I tried when I read it.
I only have "set identity-based-route"
Because in 5.2 when you add user group (set groups ..) you'll make it identity-based.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.