Hi All,
I hava a FGT 100D with the last version 5.2.2, and trying to implement Web filter profiles using Proxy Mode.
Could you tell me if i can apply two or more Web filter profiles to a given Group (FSSO groups on my case).
My issue is that when i use Policies to do this, only the rule on the top will be applied and the seconde one will be ignored (example in attachment) - this is just an example to illustrate the issue.
The ideal would be to combine FSSO groups with Web Filtring Profiles without passing by Firewall rules/policies, is this possible?
Many Thanks for your help.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can't us multiple profiles for the same group. Your best bet would be to apply a policy to the more specific groups and put them above the more general group policies. So if you have a user in two groups, use the second group to make a policy and put it above the primary groups policy.
Alternatively, you can use LDAP w/ FSSO and populate your FSSO groups with specific users, and apply policy to them that way.
But to clarify, you can't have group A filtered by 1 policy, then filter it again with another policy.
......
-Jake
The first rule to match the traffic will be enforced on that traffic. It will not continue down the list. So you can't apply a policy to traffic if a policy has already been applied. If you want to change the users that are hit by that rule, you will need to break down the FSSO groups or if certain users are on certain subnets, you can use both IP Address objects and FSSO groups to match your traffic.
If you implement LDAP with FSSO and set your collector agent to advance mode, you can put specific users in an FSSO group, which might also solve your problem.
That being said, if you want all users within a group to have the same policy, then there's no need to have two web filtering policies for that one group.
......
-Jake
Hi,
Thanks for your reply,
To answer to your last remark, i will (in my case) have some users member of multiple groups, so i should affect this kind of "mutualised" user to multiple web filter profiles. So like you said, if a user will be matched by a firewall rule, only the Webfiltrig profil associated to the rule will be applied. And this is the issue.
That's why i asked if we can associate multiple web filter profliles to a FSSO group, or otherwise, When we implement a web filter profile, the action will just authorize what we introduce as URL without a block all at end (because actually, without it, all the web traffic will pass)
You can't us multiple profiles for the same group. Your best bet would be to apply a policy to the more specific groups and put them above the more general group policies. So if you have a user in two groups, use the second group to make a policy and put it above the primary groups policy.
Alternatively, you can use LDAP w/ FSSO and populate your FSSO groups with specific users, and apply policy to them that way.
But to clarify, you can't have group A filtered by 1 policy, then filter it again with another policy.
......
-Jake
Hi Rzahraoui,
Did you follow ijakes lead. Where you able to get it working? He is right that is the only way to get what you want done working.
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.