Support Forum
adsl_jalawiah
New Contributor

Newbie looking for help

Hello Experts,

I am very new to Fortinet. We recently purchased a FortiGate-100D UTM Device. I need support from my fellow members in this forum to configure the device. Please can you help me?

Our Scenario

We are having a Windows network and do have a
i) Domain Controller - 192.168.10.1
ii) Additional Domain Controller - 192.168.10.2

I installed FSSO Collector Agent in a Win 7 PC - IP: 192.168.10.9
And then from the Win 7 PC pushed the DC Agent to the ADC.

What I want to achieve

I have certain groups in AD as below
InternetAccess_Full - will have access to most of the sites
InternetAccess_Restricted - will have access to few sites
InternetAccess_Insurance - will have access only to 2 or 3 sites
InternetAccess_IT - will have unlimited access

Now how can I achieve this from the firewall? I assume I need to create a web filter profile and then associate it with a Policy. But how can I mention which group has what level of access? Please, as I am new, I need detailed help. Hoping to get it from here.

Thanks & Regards
AJ
Thanks & Regards ------------------------------ AJ Save Tree! Save Earth
billp
Contributor

AJ, Welcome to the forums. I am not an AD shop, but it sounds like you're on the right path. Have you seen the Fortigate Cookbook? http://docs.fortinet.com/cookbook.html

In general, you create a Fortigate User Group and then associate it with a Directory Service User Group. In FortiOS 4.2.13, you do this under the User tab. You can then create UTM policies based on the Fortigate User Group under the UTM tab. Then ultimately, you create an access policy under the Firewall tab that uses the UTM policies. I believe AD has a guest user that gets a default policy if it doesn't match any of your existing user group policies. Typically, most shops have this default to a series of security updates.

Before anyone could give you more detailed instructions, you'd need to tell them what version of FortiOS you are running. There are basically 3 branches of FortiOS now: 4.2.x, 4.3.x, and 5.0. Based on other forum posts, here's the consensus that I found: 4.2.13 is considered solid and very reliable. 4.3.9 is considered stable now for those that need the features included. 5.0 was just released broadly. I haven't heard of anyone running this on production boxes yet, but it's supposed to be pretty good for a FortiOS dot zero release.

Fortigate has done a decent job with their documentation. You'll want the PDFs on your desktop for fast reference as you get familiar with things.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

adsl_jalawiah
New Contributor

Hi Bill, Thanks a lot for the reply. Oops, I forgot to mention the OS version of FortiGate. The box is running 5.0. I shall have a look at the cookbook link you mentioned above. Thank you once again for throwing some light on it. Thanks, Riaz
Thanks & Regards ------------------------------ AJ Save Tree! Save Earth
rwpatterson
Valued Contributor III

Welcome to the forums. Personally, I installed the collector agent on the domain controller. But aside from that, all else looks similar to what I have. I will note here that I have 4.2.12, so things may have changed in version 5. I have not yet peeked under the hood on that release. What I'm writing, the theory should work for all versions, but the code may be different.
  • Check the FSSO software to see if it is collecting data from the domain controller(s).
  • Check the Fortigates to see if they are reading the FSSO software.
  • Configure the user groups to include the AD groups.
  • Configure the policies to allow the user groups (AD and FGT) Internet access.

Second bullet: In V4.2, click 'User > Directory Service > Create New', fill in the blanks. The name should be the name of the AD domain, not a single controller. Trust me. Makes life easier if you are adding AD domains down the line. Refresh the page and see if your AD groups populate. Additionally, if correct, the FSSO software will indicate that it's talking with the FGTs.

Third bullet: In v4.2, click 'User > User Group > Create New', add a name, select a type of "Directory Service", then select which AD groups this user group will contain.

Fourth bullet: Create a policy. To get the AD authentication to work, click on 'Enable Identity Based Policy'. This will open up a new area. It's here that you select which user groups have what access. Make sure that you include ALL access in the From-To relationship here. Any policy below that goes from this same From-To pair will not be read. The 'FSSO_Guest_Users' account is the catch-all for any unauthenticated user. Make a policy for these users as well, or they will hit the implicit deny and get nowhere.

That's the nuts and bolts of it. Good luck.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
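The four bullets above, laid out as a FortiOS 5.0 CLI configuration. This is an added example and not code from the thread, from Bob, or from Fortinet's documentation. The AD group names and the collector-agent IP (192.168.10.9) are the ones AJ gave; the interface names "internal" and "wan1", the domain name corp.local, the OU in the group DNs, the web filter profile names and the collector password are assumptions and must be adjusted. The `identity-based-policy` sub-table is the 4.x/5.0 CLI form of what Bob calls "Enable Identity Based Policy"; later releases put `set groups` directly on the policy instead.

```fortios
# Added example (not from the thread). Assumed: interfaces internal/wan1,
# domain corp.local, OU=Groups, profile names wf_full/wf_restricted.

# Bullet 2: tell the FortiGate where the collector agent lives. Name the
# entry after the AD domain, as Bob advises, not after one DC.
config user fsso
    edit "corp.local"
        set server "192.168.10.9"
        set password "<collector-agent-password>"   # assumed placeholder
    next
end

# Bullet 3: one FortiGate group per AD group. The member is the DN the
# collector agent reports; the OU below is assumed.
config user group
    edit "FG_InternetAccess_IT"
        set group-type fsso-service
        set member "CN=InternetAccess_IT,OU=Groups,DC=corp,DC=local"
    next
    edit "FG_InternetAccess_Full"
        set group-type fsso-service
        set member "CN=InternetAccess_Full,OU=Groups,DC=corp,DC=local"
    next
    edit "FG_InternetAccess_Restricted"
        set group-type fsso-service
        set member "CN=InternetAccess_Restricted,OU=Groups,DC=corp,DC=local"
    next
end

# Bullet 4: a single internal -> wan1 policy with identity sub-policies.
# Sub-policies match top to bottom. The built-in guest group (named
# "FSSO_Guest_Users" in Bob's 4.2; check "config user group" on 5.0 for
# the exact name) goes last so unauthenticated hosts get an explicit
# rule instead of the implicit deny. Profiles wf_full and wf_restricted
# are assumed to exist already (Security Profiles > Web Filter).
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set groups "FG_InternetAccess_IT"
                set schedule "always"
                set service "ALL"
            next
            edit 2
                set groups "FG_InternetAccess_Full"
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set webfilter-profile "wf_full"
                set profile-protocol-options "default"
            next
            edit 3
                set groups "FG_InternetAccess_Restricted"
                set schedule "always"
                set service "HTTP" "HTTPS" "DNS"
                set utm-status enable
                set webfilter-profile "wf_restricted"
                set profile-protocol-options "default"
            next
            edit 4
                set groups "FSSO_Guest_Users"
                set schedule "always"
                set service "HTTP" "HTTPS" "DNS"
                set utm-status enable
                set webfilter-profile "wf_restricted"
                set profile-protocol-options "default"
            next
        end
    next
end

# Bullets 1 and 2, checked from the FortiGate side:
#   diagnose debug authd fsso server-status   # is the collector agent connected?
#   diagnose debug authd fsso list            # which logon events has it sent?
```

The InternetAccess_Insurance group from AJ's post follows the same pattern as the Restricted group with its own profile; it is omitted only to keep the block short. Sub-policy order matters: a user who is in both IT and Full hits sub-policy 1 and never reaches 2, which is the behaviour Bob describes for the From-To pair as a whole.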
ede_pfau
Esteemed Contributor III

Actually, in 5.0 the FGT might poll the DC regularly so that you don't have to deploy the FSSO software client. If that is a good idea depends on the number of accounts and local bandwidth.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
billp
Contributor

Ede, Not trying to hijack the thread, but do you think 5.0 is stable enough to recommend in a new installation like Riaz is doing?

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

ede_pfau
Esteemed Contributor III

Well, that's a hairy question to answer... There are 2 aspects:

- Setting up FSSO on DCs and getting it to work might demand substantial technical knowledge. And the success of installing the client depends on many circumstances on the server, whereas the polling scenario shines with simplicity. The drawback is that this feature has just been introduced in 5.0, and an old saying goes "never go with the first release".

- From what I've heard in Partner meetings, FOS 5.0 does make a mature impression, despite the featuritis. I would like to see it as the FOS 4.3 was intended to be, like Windows 7 vs. Vista.

My intention was to mention the alternative. The OP must decide this on his own. A test bed setup in the lab might bring some insight quickly.

And, chipping in your experience and thoughts in the discussion is no hijacking at all. I do appreciate it, and I'm sure the other fellow members do as well.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

I would have even (gulp) attempted to try 5.0 at my core to answer that question, but alas, the 1000As I have in the core aren't supported on 5.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
