Setting up firewall policy with Source: [Users]
FortiGate 80F 6.4.10
I'm trying to set up a Firewall Policy that will apply only to certain users in order to ALLOW certain URLs listed in a Web profile with a Static URL Filter.
So, in the particular Web Profile I've put usernames as Source entries.
I'm getting:
"One address, address group, external resource or internet service is required"
Yet, the interface seems to allow putting the names in there.
???
Could you please post a screenshot of the error message?
Thanks.
Sounds like you are missing a destination address and destination service. If you are using a URL filter you can just use "All" as your destination address and tcp 80/443 for service. The URL filter will restrict what web sites can be visited.
Graham
I had meant to include these. The first one shows the message that comes up in red.
Hello
Add the Source Subnet Object to the Source attribute as well, or use the "all" object for testing.
You always need an address or FQDN object; the user object goes on top of that.
I hope you are able to solve your issue with this hint.
"The URL filter will restrict what web sites can be visited."
I thought the idea was to add ALLOW and not BLOCK - which is the default overall. So, expand, not restrict.
"Add the Source Subnet Object to the Source Attribute as well"
That seems to do the trick (I used *all*). I could be more specific and add the subnet ranges but that should amount to the same thing. Then how do usernames not just get overridden??
For this you can use FQDN address objects or ISDB entries.
Graham
Is there a reason why domain usernames don't work by themselves? They should be connected OK.
Or, should I be concerned that the link between the Fortigate and AD is broken to cause that?
Hi @fred339,
The basic thing is that the FSSO connection must be working so the FGT has visibility of user logons on the AD server.
FSSO basically reads the logon user. Once the FGT grabs this information from the AD server, you can manage the user in the IPv4 policy.
Thank you all.
@gfleming: Thank you! I appear to have it working. So that's good. I wouldn't have thought about the address entry.
I still have questions related to the responses I've received here. Still learning.
@haiqal:
What does IPv4DoS Policy have to do with anything in this question? Or were you referring to something else?
@scan888:
"You need an address, FQDN Object always, the user object is on top."
When I enter Sources and add an FQDN address group, it always shows up *below* the FQDN usernames group. Is this in conflict?