- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Newbie looking for help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Newbie looking for help
Hello Experts
I am very new to Fortinet. We recently purchased a FortiGate-100D UTM Device. I need support from my fellow members in this forum to configure the device. Please can you help me?
Our Scenario
We are having a windows network and do have a
i) Domain Controller - 192.168.10.1
ii) Additional Domain Controller - 192.168.10.2
I installed FSSO Collector Agent in a Win 7 PC - IP: 192.168.10.9
And then from the Win 7 PC pushed the DC Agent to the ADC.
What I want to acheive
I have certian groups in AD as below
InternetAccess_Full - will have access to most of site
InternetAccess_Restricted - will have access to few sites
InternetAccess_Insurance - will have access only to 2 or 3 sites
InternetAccess_IT - will have unlimited access
Now how can i acheive this from the firewall.
I assume I need to create web filter profile and then associate with Policy.
But how can i mention which group has what level of access.
Please as I am new, I need a detailed help. Hoping to get it from here.
Thanks & Regards
AJ[size=3][/size][size=4][/size]
Thanks & Regards
------------------------------
AJ
Save Tree! Save Earth
Thanks & Regards ------------------------------ AJ Save Tree! Save Earth
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AJ,
Welcome to the forums.
I am not an AD shop, but it sounds like you' re on the right path.
Have you seen the seen the Fortigate Cookbook?
http://docs.fortinet.com/cookbook.html?
In general, you create a Fortigate User Group and then associate it with a Directory Service User Group. In FortiOS 4.2.13, you do this under the User tab. You can then create UTM policies based on the Fortigate User Group under the UTM tab. Then ultimately, you create an access policy under the Firewall tab that uses the UTM policies.
I believe AD has a guest user that gets a default policy if it doesn' t match any of your existing user group policies. Typically, most shops have this default to a series of security updates.
Before anyone could give you more detailed instructions, you' d need to tell them what version of FortiOS you are running. There are basically 3 branches of FortiOS now: 4.2.x, 4.3.x, and 5.0.
Based on other forum posts, here' s the consensus that I found:
4.2.13 is considered solid and very reliable.
4.3.9 is considered stable now for those that need the features included.
5.0 was just released broadly. I haven' t heard of anyone running this on production boxes yet, but it' s supposed to be pretty good for a FortiOS dot zero release.
Fortigate has done a decent job with their documentation. You' ll want the PDFs on your desktop for fast reference as you get familiar with things.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bill,
Thanks a lot for the reply. Oops I forgot to mention the OS version of FortiGate. The box is running 5.0
I shall have a look at the cookbook link you mentioned above. Thank you once again for throwing some light on it.
Thanks
Riaz
Thanks & Regards
------------------------------
AJ
Save Tree! Save Earth
Thanks & Regards ------------------------------ AJ Save Tree! Save Earth
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
Personally, I installed the collector agent on the domain controller. But aside from that, all else looks similar to what I have. I will note here that I have 4.2.12, so things may have changed in version 5. I have not yet peeked under the hood on that release. What I' m writing, the theory should work for all versions, but the code may be different.
Check the FSSO software to see if it collecting data from the domain controller(s).
Check the Fortigates to see if they are reading the FSSO software.
Configure the user groups to include the AD groups.
Configure the policies to allow the user groups (AD and FGT) Internet access.
Second bullet: In V4.2, Click ' User > Directory Service > Create New' , fill in the blanks. The name should be the name of the AD domain, not a single controller. Trust me. Makes life easier if you are adding AD domains down the line. Refresh the page and see if your AD groups populate. Additionally if correct, the FSSO software will indicate that it' s talking with the FGTs.
Third bullet: In v4.2, click ' User > User Group > Create New' , add a name, select a type of " Directory Service" , then select which AD groups this user group will contain.
Fourth bullet: Create a policy. To get the AD authentication to work, click on ' Enable Identity Based Policy' . This will open up a new area. It' s here that you select which user groups have what access. Make sure that you include ALL access in the From-To relationship here. Any policy below that goes from this same From-To pair will not be read. The ' FSSO_Guest_Users" account is the catch all for any unauthenticated user. Make a policy for these users as well, or they will hit the implicit deny and get nowhere.
That' s the nuts and bolts of it.
Good luck.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, in 5.0 the FGT might poll the DC regularily so that you don' t have to deploy the FSSO software client. If that is a good idea depends on the number of accounts and local bandwidth.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ede,
Not trying to hijack the thread, but do you think 5.0 is stable enough to recommend in a new installation like Riaz is doing?
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, that' s a hairy question to answer...
There' s 2 aspects:
- setting up FSSO on DCs and getting it to work might demand substantial technical knowledge. And the success of installing the client depends on many circumstances on the server
- whereas the polling scenario shines with simplicity. The drawback is that this feature has just been introduced in 5.0, and an old saying goes " never go with the first release" .
- from what I' ve heard in Partner meetings, FOS 5.0 does make a mature impression, despite the featuritis. I would like to see it as the FOS 4.3 was intended to be, like Windows 7 vs. Vista.
My intention was to mention the alternative. The OP must decide this on his own. A test bed setup in the lab might bring some insight quickly.
And, chipping in your experience and thoughts in the discussion is no hijacking at all. I do appreciate it, and I' m sure the other fellow members do as well.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would have even (gulp) attempted to try 5.0 at my core to answer that question, but alas, the 1000As I have in the core aren' t supported on 5.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- Newbie : Make a firewall policy... 413 Views
- SSL for HTTPS 464 Views
- IPv6, Central NAT, and SD-WAN and... 143 Views
- Websites behind Cloudflare not working 439 Views
- Is it possiable to block file... 365 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.