Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ch

WAN selection by Active Directory Group

Hi All, Please forgive me if this is in the wrong section - I wasn't sure which section to pick as my query covers a few of them. Just a query - can anyone point me in the right direction to correctly config a FortiGate firewall? I've used it for 3 years now and it runs beautifully. However, we've had a new ADSL line installed and want to route traffic per Active Directory group (e.g. one group of users runs on one line (WAN1), the other on the next line (WAN2)).

We've had authentication on the firewall since implementation; however, I've tried (and failed) to get the two lines to run at the same time without hassles (I can route all traffic on one line, or the other, but not split concurrently). We make use of the DMZ for our servers and it is running without any issues after I reconfig'd the firewall. Basically, our servers on static IPs are set to route on the DMZ & all other authenticated users run to either WAN1 or WAN2, based upon their AD Organisational Group.

I've got the servers running nicely (in the screenshot below, I've only added a static route for our Mail server to test the environment), and can choose ALL traffic to go to either WAN1 or WAN2 (depending on the order of the policy rule...). If I remove the Policy Rule for WAN1 & 2, then traffic will only go to WAN1 (irrespective of whether the firewall policy is active on WAN2).

P.S. - We currently make use of the FSSO to apply our Firewall policies for filtering, etc.
Warren_Olson_FTNT

I don't believe you could distribute traffic based on authentication, at least I haven't seen any potential way of doing so. As far as taking advantage of your 2 ISP links, start with the following: http://kb.fortinet.com/kb/viewContent.do?externalId=100137 http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/routing_ecmp_basic.html
Benoit_Rech_FTNT

Hello, YES, it is possible to distribute traffic based on authentication. There is a KB article describing how to configure this feature: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33588 Of course, you can adapt the identification part and rely on different mechanisms (LDAP, RADIUS, TACACS, RSSO, ...) instead of local users. Benoit
Nihas

You can achieve this through FSSO. You need to create multiple (or as per your requirement) "Security Groups", e.g. Management_Users / Internet_users etc., under the Active Directory. Then you can create the policies separately for each user group with each WAN link. But remember - you cannot ensure the failover if you are splitting the WAN link connections for different groups.
Nihas
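For readers who want to see what the approach described in Benoit's and Nihas's replies looks like on the CLI, here is an added configuration example. It is not from the thread or from the linked KB article, and it assumes FortiOS 5.4 or later flat policy syntax (where `set groups` sits directly on the policy), an FSSO collector agent already registered under `config user fsso` as the original poster says theirs is, and the behaviour the replies rely on: both default routes kept at equal cost so both links stay in the routing table, with the per-group policy's `dstintf` deciding which link a user's sessions leave on. The gateway addresses, interface names and AD group DNs are constructed placeholders.

```fortios
# Added example (not the thread's own config). FortiOS CLI, constructed values.

# 1. Two default routes with identical distance and priority (ECMP).
#    If one route is preferred over the other, only that link is ever
#    installed and the policy for the second WAN never sees traffic,
#    which is the symptom described in the original post.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 198.51.100.1    # constructed: WAN1 ISP gateway
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 203.0.113.1     # constructed: WAN2 ISP gateway
        set device "wan2"
        set distance 10
        set priority 0
    next
end

# 2. FSSO user groups mapped to the AD security groups (DNs constructed;
#    use the exact names the collector agent reports).
config user group
    edit "WAN1_Users"
        set group-type fsso-service
        set member "CN=WAN1_Users,OU=Groups,DC=example,DC=local"
    next
    edit "WAN2_Users"
        set group-type fsso-service
        set member "CN=WAN2_Users,OU=Groups,DC=example,DC=local"
    next
end

# 3. One identity-based policy per group, each pinned to its own WAN
#    interface. Logging is enabled so the FortiView/log data shows which
#    group left on which link when verifying the split.
config firewall policy
    edit 10
        set name "AD-WAN1_Users-via-wan1"
        set srcintf "internal"      # constructed: LAN interface name
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "WAN1_Users"
        set nat enable
        set logtraffic all
    next
    edit 11
        set name "AD-WAN2_Users-via-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "WAN2_Users"
        set nat enable
        set logtraffic all
    next
end

# 4. Checks to run after applying:
#    both defaults present, and the users appear in the FSSO logon list
#    with the expected group before any policy can match them.
# get router info routing-table all
# diagnose debug authd fsso list
```

Two points to keep in mind with this layout. First, because the split is done by the policy's `dstintf`, a user whose group has no policy on the surviving link will lose connectivity when their pinned link fails; that is the failover limitation Nihas raises, and covering it needs additional policies on the other interface plus a link monitor to withdraw the dead route, which this example does not include. Second, a user who is not in either FSSO group matches neither policy and is dropped by the implicit deny, so a catch-all policy (or a third group) is needed for unauthenticated hosts such as the DMZ servers the poster routes by static IP.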
Warren_Olson_FTNT

Thanks for the article Ben10!