Hi
I have been trying to find the method of dealing with the NGFW Policy-Based 'Unintended consequences' as described in the Cookbook but have been unsuccessful. Can someone point me in the right direction of the workaround?
So far, on a base install, we have set up authentication rules for SSO and FW passing all traffic authenticating on different AD Groups (Staff, Students), and a Guest rule authenticating against FG Guest groups. This all works fine in Policy-Based mode.
As soon as we create a Policy to block 'Facebook', as an Application or URL, other web traffic is blocked.
The Cookbook (PDF Page 201 for 6.2.0) describes a known issue but I have been unable to find anything discussing how to allow for it:
"NGFW policy-based firewall policies might have unintended consequences to the passing or blocking of traffic. For example, if you add new firewall policies that are designed to DENY social media traffic based on applications or URLs, having a traditional “catch all” firewall policy to DENY all other traffic at the bottom of the firewall policy list may have the unintended consequence of blocking legitimate traffic."
Another issue: in Profile-Based mode, firewall user auth against LDAP fails. An FG local user in the same FG Group succeeds. SSO works. LDAP tests are OK and resolve fine. :-/
Is the Quotas system available in Policy-Based mode?
Thanks for any advice.
Fortigate Newbie.
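An added example, not from the original post and not Fortinet's own code or documentation: a small Python model of why the cookbook's warning bites. It assumes the behaviour that an application- or URL-based policy cannot match a session until the engine has seen a few packets (an assumed three here), so until then the session is judged by the first policy whose Layer 3/4 criteria match. With a catch-all DENY sitting below the Facebook policy, that first match is the DENY and every new session is dropped before it can be identified; with a general ACCEPT in that slot instead, the session proceeds and the Facebook DENY applies once the application is recognised. The policy names, the three-packet threshold and the two policy layouts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed number of packets the application engine must see before it can
# name the application. The real figure varies per protocol; this is a
# placeholder for illustration only.
PACKETS_TO_IDENTIFY = 3


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "accept" or "deny"
    application: Optional[str] = None  # None: matches on L3/L4 criteria only


def first_match(policies: List[Policy], app: Optional[str]) -> Optional[Policy]:
    """Top-down lookup. A policy with an application criterion can only
    match once the application is known; a plain L3/L4 policy matches any
    session. None means nothing matched (implicit deny)."""
    for p in policies:
        if p.application is None:
            return p
        if app is not None and p.application == app:
            return p
    return None


def evaluate(policies: List[Policy], true_app: str,
             packets: int = 6) -> Tuple[str, List[str]]:
    """Walk a new session packet by packet. Until PACKETS_TO_IDENTIFY packets
    have passed, the application is unknown and the session is judged by the
    first policy that matches on L3/L4 alone. Returns (verdict, trace)."""
    trace = []
    for n in range(1, packets + 1):
        known = true_app if n > PACKETS_TO_IDENTIFY else None
        match = first_match(policies, known)
        action = match.action if match else "deny"
        label = match.name if match else "implicit-deny"
        trace.append(f"pkt {n}: app={known or '?'} -> {label} ({action})")
        if action == "deny":
            return "deny", trace      # session dropped at this packet
    return "accept", trace


# Constructed policy sets mirroring the post: an application-based DENY for
# Facebook followed either by a catch-all DENY or by a general ACCEPT.
BLOCK_FACEBOOK = Policy("Block-Facebook", "deny", application="facebook")
CATCH_ALL_DENY = Policy("Deny-All", "deny")
ALLOW_REST = Policy("Allow-Web", "accept")

BROKEN_LAYOUT = [BLOCK_FACEBOOK, CATCH_ALL_DENY]   # what the cookbook warns about
FIXED_LAYOUT = [BLOCK_FACEBOOK, ALLOW_REST]        # general ACCEPT below the app DENY


def verdict(policies: List[Policy], true_app: str) -> str:
    """Final decision for a session of the given application under a layout."""
    return evaluate(policies, true_app)[0]


if __name__ == "__main__":
    layouts = (("catch-all DENY", BROKEN_LAYOUT), ("general ACCEPT", FIXED_LAYOUT))
    for title, layout in layouts:
        for app in ("facebook", "other-web"):
            result, trace = evaluate(layout, app)
            print(f"[{title}] {app}: {result}")
            for line in trace:
                print("   ", line)
```

Running it shows the legitimate `other-web` session dying on packet 1 under the catch-all layout and surviving under the general ACCEPT layout, while the `facebook` session is still denied in the fixed layout, just on the first packet after identification rather than the first packet of the session. The model treats "no policy matched" as an implicit deny, so a layout with no general ACCEPT at all behaves like the catch-all case here.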