marko7781
New Contributor II

What are the options for user or group based firewall policies?

Hi,

In our previous NG-Firewall solution we had an option to create firewall rules filtering based on a user or a group from Active Directory. We simply had an agent that transmitted the user and group membership data to the firewall, so the firewall could decide based on the logged-in user from the workstation, its group membership and the application process trying to access the destination.

FortiGate has this functionality, but we are considering potential licensing issues. I know that FortiAuthenticator provides this functionality as well as a lot more, but it is licensed per user or device on top of FortiGuard and FortiCare.

Can we use the mentioned functionality as-is without FortiAuthenticator and avoid additional cost, or is it required to buy FortiAuthenticator to be able to place an AD user or group as the source or destination of a firewall rule?

Also, will those AD and app-based rules work with the free FortiClient when a user is authenticated to the VPN?


8 Replies
Sheikh
Staff

Hello @marko7781 ,

Actually, it all depends on your needs. FortiAuthenticator is capable of much more than just giving FortiGate access to LDAP users and groups. It is an identity and access management solution. See the datasheet below.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAuthenticator.pdf

There is some other information that might help you understand FSSO agents and their mode of operation. Moreover, these LDAP groups provided by the FSSO agent or collector agent can be used for SSLVPN or any other policies in FortiGate.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Agent-in-polling-mode/ta-p/228136http...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-polling-connector-agent-configuration...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-choose-between-DC-Agent-mode-or-Polli...

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
marko7781
New Contributor II

Hello @Sheikh ,

Actually what we need is:

- To be able to filter access to network resources by using AD user and group attributes rather than IP addresses.

- To be able to retrieve information in the firewall logs about the users that were allowed or denied by a firewall policy, along with the network information and application used (example: user dsmith, application chrome.exe, source IP, destination IP...).

- Using the free FortiClient for VPN access, we should be able to accomplish the same effect as when the workstation is in the local network.

If we have FortiGuard and FortiCare already in place, do we need additional licenses for this requirement?

marko7781
New Contributor II

Hello, have you got any updates on whether we need a license for the functionalities mentioned in the above answer?

hbac

Hi @marko7781,

I don't think you need an additional license.

Regards,

marko7781
New Contributor II

Thank you @hbac

@Sheikh can you also confirm if I need any additional licenses?

Sheikh

Hello @marko7781 ,

There are no additional licenses for FSSO, but it will only work within Fortinet products.

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
marko7781
New Contributor II

Thank you for the reply.

dbu

Hi @thiago34 ,

I believe now you need to specify the address or address group configured for this user group. 
(Which IPs are expected from these users)

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
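As an added example (not posted by anyone in this thread, and not taken from Fortinet documentation), here is the minimal FortiOS CLI that ties the pieces discussed above together: an FSSO collector agent registered on the FortiGate, an AD group mapped to a user group of type fsso-service, and an identity-based policy that matches on that group and logs the user. Every name, IP address and the group DN below is an assumed placeholder (collector at 10.0.0.10, AD group "Finance" in example.com, subnet object "LAN-10.1.0.0", server object "ERP-server").

```fortios
# Added example, not from this thread. All names, IPs and the DN are placeholders.

# 1. Register the FSSO collector agent. No extra licence is involved; the
#    agent runs on a Windows host and sends user-to-IP logon events to the FortiGate.
config user fsso
    edit "FSSO-Collector"
        set server "10.0.0.10"
        set password "<collector-password>"
    next
end

# 2. Address objects used by the policy.
config firewall address
    edit "LAN-10.1.0.0"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "ERP-server"
        set subnet 10.0.5.20 255.255.255.255
    next
end

# 3. Map the AD group to a FortiGate user group of type fsso-service.
#    The member is the group's distinguished name as learned from AD via the collector.
config user group
    edit "AD-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# 4. Identity-based policy. 'groups' is the user match; 'srcaddr' is still
#    mandatory and should cover the subnets those users' logons come from,
#    which is the point made in the reply above. 'logtraffic all' puts the
#    matched user name into the traffic log for both allowed and denied sessions.
config firewall policy
    edit 10
        set name "Finance-to-ERP"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-10.1.0.0"
        set dstaddr "ERP-server"
        set groups "AD-Finance"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Once the collector has connected, `diagnose debug authd fsso server-status` shows the collector's state and `diagnose debug authd fsso list` shows the user-to-IP logons the FortiGate currently holds; a user who does not appear in that list will not match the policy, regardless of their AD membership. Note that FSSO supplies the user name and group for the log entry; the application column comes from FortiGate application control signatures applied to the traffic, not from the process name on the workstation.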