Use local users for fewer restrictions
Hello team!!!
I have a local group "UsersLevel1" in the FGT with many members
I have 2 different web filter and application control profiles, for level 1 (fewer restrictions) and level 2 (more restrictions)
What I am trying to accomplish is the following:
- When a user tries to access the Internet, the FGT asks them for a username and password
- If the user enters valid credentials for the "UsersLevel1" group, they can browse with the level 1 security profiles
- If the user does not enter any credentials, they can browse with the level 2 security profiles
If this is not possible, we would like to do the following:
- When a user tries to access the Internet, the FGT asks them for a username and password
- If the user enters credentials for the "UsersLevel1" group, they can browse with the level 1 security profiles
- If the user enters credentials for the "UsersLevel2" group, they can browse with the level 2 security profiles
Is this possible?
When I enable "Security mode: Captive Portal" on the LAN interface and create a rule with local users in it, it seems that you can't just skip entering credentials; the FGT stops looking for matching rules after this rule with local users.
Later I will configure the FGT to synchronize with AD, but we wanted to do this for devices which cannot join AD.
Thanks in advance.
Regards,
Damián
Put your level 1 policies at the top of your policy table. These rules will take precedence. Then put the level 2 policies below them, with the user group UsersLevel2 attached. Now, if anyone tries to access anything that requires level 2, they will be authenticated with their UsersLevel2 credentials.
Graham
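The policy layout Graham describes, written out as a FortiOS CLI fragment. This is an added example, not configuration posted in the thread or shipped by Fortinet: it uses policy-based authentication (groups set on the firewall policy rather than the interface captive portal the original poster mentioned), and the interface names (port2 = LAN, port1 = WAN), the local user names and passwords, and the profile names Level1-WebFilter, Level1-AppControl, Level2-WebFilter and Level2-AppControl are placeholders to replace with your own.

```text
# Added example, not from the thread. Interface, user, password and profile
# names are placeholders. Only the two groups come from the original post.
config user local
    edit "alice"
        set type password
        set passwd "ChangeMe-Level1"
    next
    edit "bob"
        set type password
        set passwd "ChangeMe-Level2"
    next
end

config user group
    edit "UsersLevel1"
        set member "alice"
    next
    edit "UsersLevel2"
        set member "bob"
    next
end

config firewall policy
    # Evaluated first: prompts for credentials and passes only members of
    # UsersLevel1, with the less restrictive (level 1) profiles.
    edit 1
        set name "Internet-Level1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "UsersLevel1"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Level1-WebFilter"
        set application-list "Level1-AppControl"
        set logtraffic all
        set nat enable
    next
    # Sits below policy 1: a user whose credentials belong to UsersLevel2
    # does not match policy 1 and lands here with the stricter profiles.
    edit 2
        set name "Internet-Level2"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "UsersLevel2"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Level2-WebFilter"
        set application-list "Level2-AppControl"
        set logtraffic all
        set nat enable
    next
    # Policy order, not policy ID, decides which rule matches first.
    move 1 before 2
end
```

Two things worth checking after applying this: the policy list in the GUI (or `show firewall policy`) should list Internet-Level1 above Internet-Level2, and both policies need an SSL/SSH inspection profile attached, because web filtering and application control cannot see inside HTTPS without one. Neither policy is reached by a client that never enters credentials, which is exactly the behaviour the original poster observed and why the first option in the post does not work with this layout.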
Ok, thanks.
Just tested and it worked.
So the first option I wrote is not possible, but the second one is possible and worked for me.
Regards,
Damián
Just thinking now, Option 1 could be possible using the Explicit Proxy. You could configure two different proxy policies, one for LEVEL1 and one for LEVEL2. When using the proxy, if both proxy policies have a user group defined in the source, then authentication can occur for the respective access.
Unauthenticated users can access the internet using the non-proxy config.
https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/300428/explicit-web-proxy
Graham
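The explicit-proxy variant Graham suggests, as a FortiOS CLI fragment. This is an added example, not configuration from the thread or from the linked Fortinet guide: it assumes port2 is the LAN and port1 the WAN, that the proxy listens on 8080, that the two groups UsersLevel1 and UsersLevel2 already exist as in the original post, and that profiles named Level1-WebFilter, Level2-WebFilter and Level2-AppControl exist; all of these names are placeholders. Clients that are configured to use the proxy are prompted to authenticate; clients that are not pointed at the proxy never see a prompt and take the ordinary firewall policy, which carries the stricter level 2 profiles.

```text
# Added example, not from the thread. Interface, port and profile names
# are placeholders; the groups are the ones from the original post.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

# The LAN interface must accept explicit proxy connections.
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end

config firewall proxy-policy
    # Proxied traffic from a UsersLevel1 member: proxy authentication, level 1 profiles.
    edit 1
        set name "Proxy-Level1"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "UsersLevel1"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Level1-WebFilter"
        set logtraffic all
    next
    # Proxied traffic from a UsersLevel2 member: same prompt, level 2 profiles.
    edit 2
        set name "Proxy-Level2"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "UsersLevel2"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Level2-WebFilter"
        set logtraffic all
    next
end

# Non-proxy path for clients that never authenticate: no groups, so no
# prompt, and the more restrictive level 2 profiles apply.
config firewall policy
    edit 3
        set name "Internet-NoAuth-Level2"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Level2-WebFilter"
        set application-list "Level2-AppControl"
        set logtraffic all
        set nat enable
    next
end
```

The separation works because proxied requests terminate on the FortiGate's LAN address and port 8080, so they are matched against the proxy policies, while direct traffic from port2 to port1 is matched against the firewall policy. A practitioner should keep in mind that this is a split by client configuration, not by identity: a user who simply removes the proxy setting from their browser drops to the unauthenticated level 2 path, which is the intended fallback here but means level 1 access is only as strong as the credential prompt in front of it.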
