Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dhnish
New Contributor

New to FG-90D; Assigning specific IP/IP Group to access certain sites

Hai

 

Dear support,

Using FG-90D, how do i assign either specific IP or Group-of IPs  having access to facebook?

Please help.

Thank you.

.d

5 REPLIES 5
ede_pfau
Esteemed Contributor III

hi,

 

and welcome to the forums.

 

The forums are a self-help platform from users and partners, run in their spare time, for exchange of experience and practices. If you expect the Fortinet support to help you, this is not the right place. With a valid support contract FTNT is obliged to assist you. Open a ticket at support.fortinet.com .

 

Anyhow, we would like to give you hints but I would ask you to supply more information. What are you planning to achieve? Are you talking about source addresses, destination addresses, NAT, ...? How is the application FB related to the problem?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
dhnish

Hai

Dear Ede,

a) Overall security policy blocks all social-sites.

b) for specific business need, i need certain user/users to have access to FB site.

Ques: How do i do that in FG-90D as i wish to have a Group setting and no need to add policy an IP at a time.

     if there is a better way, hope you can advice.

Thank you.

ede_pfau
Esteemed Contributor III

Let's assume your FGT is running FOS v5.2 or v5.4 - please specify.

 

Use a policy with authentication! If you create a regular security policy, with source and destination addresses, service etc. from 'internal' to 'wan' then just add a (already configured) user group to 'source address'. Now, users have to first authenticate against the FGT and are then allowed to send traffic across that policy.

If the number of users is small, say up to 20 users, you can create local user accounts on the FGT. Or create remote authentication via MSAD/LDAP.

If you don't like that idea you could authenticate via the device ID. For that, device detection has to be enabled on the 'internal' interface. The disadvantage of this is that permission is tied to hardware, not knowledge.

 

You find all of this, concepts and examples, in the 'FortiOS Handbook' for your version, from docs.fortinet.com. Read into it to get inspired how these scenarios are handled with a FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Toshi_Esumi
Esteemed Contributor III

I'm not a sales person from FTNT but to identify all social-sites, which might keep changing, you need to have Fortiguard Web filtering service as mentioned in the cookbook.

http://cookbook.fortinet.com/blocking-social-media-using-fortiguard-categories-54/

 

dmcquade
New Contributor III

You could also do a combination of a web filtering profile + Application Sensor (and CASI depending on which FortiOS version you are running) to allow access to Social Networking as a category and restrict access to specific social network sites via the Application sensor and CASI profile. I've even used these to restrict access to specific features within the social networking to make them read only (i.e. block posting, chat, and file upload).

 

Hope that helps

Top Kudoed Authors