Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shocko
Contributor

User Centric Policies on Fortigate

I'm using Forticlient EMS 7.2.4 and Fortigate 42000F 7.0.12 (on-prem). Currently all our policy rules are the traditional system to system or area to area type i.e.

 

  • IP/CIDR/HOSTNAME to IP/CIDR/HOSTNAME

I'm looking for a modern approach where I can govern network level access from system to system based on the user initiating the traffic. For example, if I have a support person working on shared laptop I would like to them to be able to get to back-end SystemA but not neccessarily another user that might user the same laptop from time to time.

I assume this is a ZTNA type solution but wondering if my existing stack/kit would already have this capabilty?

 

3 REPLIES 3
johnathan
Staff
Staff

FSSO is probably the easiest way to do this. You can allow access transparently, based on the AD user or group.  See this document for a bit more details: https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/450337/fsso

"Never trust a computer you can't throw out a window."
sjoshi
Staff
Staff

Hi,

 

To implement user-centric policies on FortiGate using FortiClient EMS and FortiGate 4200F, you can leverage Zero Trust Network Access (ZTNA) features. Here's how you can achieve this:

1. **Zero Trust Network Access (ZTNA)**: ZTNA allows you to control network access based on user identity and device posture, rather than just IP addresses. This aligns with your requirement for user-specific access control.

2. **FortiClient EMS Integration**: Ensure that your FortiClient EMS is properly integrated with your FortiGate 4200F to manage user identities and access policies centrally.

3. **User Tagging**: Utilize user tagging in FortiClient EMS to assign specific security posture tags to users based on their roles or permissions. For example, you can tag support personnel differently from other users.

4. **Policy Configuration**: Configure firewall policies on your FortiGate 4200F that consider the security posture tags assigned to users. This way, you can control access based on user identity and device classification.

5. **Testing and Monitoring**: Test the user-centric policies to ensure they function as intended. Monitor traffic and access logs to verify that only authorized users can reach specific backend systems.

By implementing ZTNA and user-centric policies, you can enhance security and control access based on user identity, providing a more modern and granular approach to network access control.

Refer:-
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/477578/ztna-ip-mac-based-acc...

Let us know if this helps.
Salon Raj Joshi
shocko

Thanks @sjoshi and @johnathan 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors