Good day,
I am setting up Outbound firewall authentication with Microsoft Entra ID as a SAML IdP and have a question about the required Firewall Policies that I can't find the answer to anywhere. I am following this guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/33053
In the Firewall policy it says to use "All", "Azure-FW-Auth" for the source, which means it will apply to all users. Is there a way of targeting only certain devices or IPs?
I have tried replacing the "All" with Address Lists with a device's IP and/or MAC, but when I do this the Firewall Policy stops working, and I am not sure why, as it should.
How would I set it up to target only certain devices so I can roll out in stages rather than all in one go?
Thanks
Source IPs and source user/groups are separate configuration fields. A packet must match both criteria to match the firewall policy.
If your firewall policy is set for sources "all" (IPs) + "Azure-FW-Auth" (group), this functionally means "any IP with an authenticated member of this group", without any further IP restriction.
You can certainly narrow this down, e.g. to something like "LAN-subnet" (e.g. defined as a relevant /24) + "Azure-FW-Auth", but you need to make sure that this combination makes sense (don't set the source-address to a subnet where these users won't be located).
Hi, thanks for the information. I have tried with an Address IP range of 10.0.6.159-10.0.6.159, but this does not work; I have confirmed this is the device's IP.
Time to run debug flow to check what happens!
Identify some easy test target that nobody else will be trying to communicate with (to reduce noise in debugs, e.g. http://www.example.com), then set up debug flow for it:
diag debug flow filter port 80
diag debug flow filter addr 93.184.215.14 # www.example.com
diag debug enable
diag debug flow trace start 10
=> try accessing it from the test client device; do this for both test cases (src-addr "all", and when set to something specific)
Then see what's matched.
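The "source IP AND user group" matching described above, written out as a staged-rollout policy, as an added example that is not from this thread or from Fortinet's guide. The interface names, policy ID, object names and the 10.0.6.0/24 subnet are assumptions; 10.0.6.159 and the "Azure-FW-Auth" group come from the thread, and the `#` lines are annotations.

```fortios
# Added example, not from the thread. Interface names, policy ID, object
# names and the /24 are assumptions; 10.0.6.159 and "Azure-FW-Auth" are from the thread.
# Stage 1: one pilot host, as a single-address range object.
config firewall address
    edit "Pilot-Host"
        set type iprange
        set start-ip 10.0.6.159
        set end-ip 10.0.6.159
    next
    edit "LAN-subnet"
        set type ipmask
        set subnet 10.0.6.0 255.255.255.0
    next
end
# Outbound policy: a session must match srcaddr AND groups.
#   srcaddr "all"        + groups "Azure-FW-Auth" = any authenticated member, from any IP
#   srcaddr "Pilot-Host" + groups "Azure-FW-Auth" = only from 10.0.6.159, and only
#                                                    after that user authenticated via SAML
config firewall policy
    edit 10
        set name "Outbound-SAML-Auth-Pilot"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set srcaddr "Pilot-Host"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "Azure-FW-Auth"
        set nat enable
        set logtraffic all
    next
end
# Stage 2: widen the pilot by swapping only the source object; the group stays as is.
#   config firewall policy
#       edit 10
#           set srcaddr "LAN-subnet"
#       next
#   end
# Checks while testing, alongside the debug flow above:
#   diagnose firewall auth list                 # which user is authenticated at which IP
#   diagnose debug flow filter saddr 10.0.6.159 # trace only the pilot host's sessions
```

If `diagnose firewall auth list` shows no entry for 10.0.6.159, the policy cannot match on the group yet and the flow trace will show the session falling through to a later policy or the implicit deny.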