Hello,
my FGT 100D has 5.2.4 firmware version.
I tried several times to configure a User Identity Policy to prevent access from one interface to another based on a user/group rule, but I didn't receive any user and password request in my browser.
In older firmware it worked fine.
How can I solve it?
Thanks
Hello,
I'd suggest using the debug flow tool or the session list to check which firewall policy was used/applied on the traffic, as it might turn out that your traffic is matching a different policy.
Also note that the policy design has changed between 5.0 and 5.2, see "What's new" on Docs.fortinet.com. Basically, 5.2 has an automatic fall-through to an unauthenticated built-in policy check, which means all IP-based policies are checked first; then, should the traffic hit the implicit deny, a second policy check round is started, now taking user/device identity into account.
Here is the KB article for the FortiOS built-in tools; extremely handy for troubleshooting traffic-flow related issues:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30038
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
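To illustrate the two-round lookup Tomas describes (IP-based policies first, identity-based policies only on implicit deny), here is an added toy model; it is not Fortinet code or anything from this thread. The policy fields, the interface name "dmz" and the "allow-all" policy are assumptions constructed for the example.

```python
# Added example (not from the forum post or Fortinet): a toy model of the
# FortiOS 5.2 two-round policy lookup, showing how an IP-based policy placed
# above an identity-based one can match first, so no login prompt appears.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str            # CIDR; "0.0.0.0/0" stands for "all"
    dstaddr: str
    groups: tuple = ()      # empty tuple = plain IP-based policy


def _addr_match(policy, src, dst):
    return (ip_address(src) in ip_network(policy.srcaddr)
            and ip_address(dst) in ip_network(policy.dstaddr))


def lookup(policies, srcintf, dstintf, src, dst):
    """Return (policy name, needs_auth).  Round 1 walks IP-based policies
    top down; round 2 (only reached on implicit deny) walks identity ones."""
    cand = [p for p in policies
            if p.srcintf == srcintf and p.dstintf == dstintf
            and _addr_match(p, src, dst)]
    for p in cand:                       # round 1: IP-based policies only
        if not p.groups:
            return p.name, False
    for p in cand:                       # round 2: identity-based policies
        if p.groups:
            return p.name, True          # this is where the auth prompt comes
    return "implicit-deny", False


# Constructed sample: the poster's identity policy MARCO (wan -> assumed "dmz",
# any source, server 40.40.40.40) plus a hypothetical IP-based policy above it.
MARCO = Policy("MARCO", "wan", "dmz", "0.0.0.0/0", "40.40.40.40/32", ("marco-USER",))
IP_ALL = Policy("allow-all", "wan", "dmz", "0.0.0.0/0", "0.0.0.0/0")


def shadowed():
    # IP-based policy wins in round 1; the identity policy is never consulted.
    return lookup([IP_ALL, MARCO], "wan", "dmz", "30.40.0.10", "40.40.40.40")


def alone():
    # Round 1 finds nothing, round 2 hits MARCO and authentication is required.
    return lookup([MARCO], "wan", "dmz", "30.40.0.10", "40.40.40.40")
```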
Thanks xsilver for your reply.
I try to write more details:
I configured a single policy (MARCO), in a VDOM, that permits traffic from interface WAN (subinterface IP 30.40.0.2) with source any-IP and marco-USER to an interface with destination my server 40.40.40.40.
If I try to reach my server, the policy is matched (I see it in the log), but the browser link is modified to the IP 30.40.0.2 and then a null page appears, without asking me for any authentication popup. No other policy is matched.
If I only remove the user marco, I can access my server.
My FGT has firmware v5.4.0,build1011.
sorry