Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infrarium
New Contributor II

Managing users internet access problem (PROFILE BASED)

Hello everyone,

 

Where i work we have a Fortigate 400E unit and I have some doubts on how to manage internet access for some of the users, we are using the profile based mode:

 

Heres the scenario:

Sales department have a firewall rule "Sales department internet access"

Marketing department have a firewall rule "Marketing department internet access"

General managers have another firewall rule for them aswell.

 

Those internet access rules have different levels of access. For instance, general managers can access more websites than sales or marketing departments. 

 

So far this is working, not issues at all. But sometimes a user from marketing or sales department gets assigned a task that in order to get it done he/she must have access to certain websites that are not allowed in the original policy.

 

So, i need to give that user (and only that user) the permission to access the new websites he needs to access, but i dont want to give that access to the whole sales or marketing department (this is required by the Cybersecurity analyst aswell).

 

Do i need to create a new policy that adds the original department permissions plus the new permissions? This seems very inefficient because if thats the case i should create tons of rules of internet access because this happens more often than not.

 

Additional information: Apart from profile based mode on the firewall, we are using windows active directory sso, so all of the rules are using windows security group membership as one of the requirements.

 

Thanks in advance!

1 Solution
seshuganesh

Hi Team,

 

You can set web profile override for 360 days.

You cannot define more than that. I will keep you posted if there is any other way.

View solution in original post

5 REPLIES 5
seshuganesh
Staff
Staff

Hi Team,

 

As per your requirement you can configure web profile override and add grant permission to specific user or user group or IP.

You can use this article for the same:

https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/408599/web-profile-override

Please check and keep us posted

Infrarium

Thanks for the fast reply.

 

I was not aware of this feature. Im checking it now, but the only drawback that see is that it requires to set a expire date. In my case, some of the new permissions i need to grant should be granted indefinitely. Maybe theres another way of setting up rules to achieve what i want.

Debbie_FTNT

Hey infrafium,

Do users have different requirements to access specific websites?

If your users in question all just need to visit the same websites, you could perhaps add another FSSO group and make the users member of a specific override group in AD as necessary, and just have a policy with that group that only those specific users would match.

The users can be members of multiple FSSO groups, and the regular policies would still apply for any traffic but those specific websites.

However, if you have wildly different requirements for different users, this would not scale well.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Infrarium

Hi,

 

The method you describe is similar to the method i've been using to solve this kind of situations. For your first question: Yes, in order to access certain websites (like social media, online shopping, etc) you have to be given the permission by the manager. Then, we (System Administrators) create a AD group that is called, lets say, Sales department internet access plus social media, and we take the original sales department internet access policy and we clone it, and we add in the new created policy the permission to access social media websites (and we change the source AD group to match the new group). 

 

This seems to work, but also seems inefficient, because if someone from sales department is given the permission to access another blocked websites, for instance, online shopping websites, i need to repeat the entire process again.

 

The most important point here is to give one or some users the permission to access new websites, but also to keep the old privileges. seshuganesh idea was great, but the "time limit" mandatory field is a huge drawback.

seshuganesh

Hi Team,

 

You can set web profile override for 360 days.

You cannot define more than that. I will keep you posted if there is any other way.

Labels
Top Kudoed Authors