Fortigate 80_F 6.4.10
I'm trying to set up a Firewall Policy that will apply only to certain users in order to ALLOW certain URLs listed in a WEB profile with a Static URL Filter.
So, in the particular Web Profile I've put usernames as Source entries.
I'm getting:
"One address, address group, external resource or internet service is required"
Yet, the interface seems to allow putting the names in there.
???
Could you please post a printscreen of the error message?
Thanks.
Sounds like you are missing a destination address and destination service. If you are using a URL filter you can just use "All" as your destination address and tcp 80/443 for service. The URL filter will restrict what web sites can be visited.
I had meant to include these. The first one shows the message that comes up in red.
Hello
Add the Source Subnet Object to the Source Attribute as well. Or use the "all"-Object for testing.
You need an address, FQDN Object always, the user object is on top.
I hope you are able to solve your issue with this hint.
"The URL filter will restrict what web sites can be visited."
I thought the idea was to add ALLOW and not BLOCK - which is the default overall. So, expand, not restrict.
"Add the Source Subnet Object to the Source Attribute as well"
That seems to do the trick (I used *all*). I could be more specific and add the subnet ranges but that should amount to the same thing. Then how do usernames not just get overridden??
For this you can use FQDN address objects or ISDB entries.
Is there a reason why domain usernames don't work by themselves? They should be connected OK.
Or, should I be concerned that the link between the Fortigate and AD is broken to cause that?
Hi @fred339,
The basic thing is, the FSSO connection must be working so the FGT can have visibility of the user logons on the AD server.
FSSO basically reads the logged-on users. Once the FGT grabs this information from the AD server, you can manage the user on the Policy IPv4.
Thank you all.
@gfleming: Thank you! I appear to have it working. So that's good. I wouldn't have thought about the address entry.
I still have questions related to the responses I've received here. Still learning.
@haiqal:
What does IPv4DoS Policy have to do with anything in this question? Or were you referring to something else?
@scan888:
"You need an address, FQDN Object always, the user object is on top."
When I enter Sources and add an FQDN address group, it always shows up *below* the FQDN usernames group. Is this in conflict?