- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- What' s the best way to restrict Internet access ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What' s the best way to restrict Internet access by user groups?
Greetings Experts:
--Help. I' m a consultant who recently inherited an Internet lock down project for an important client from two colleagues who left our firm before finishing said project. It' s quite a mess; the client is peeved; I' m confused (and irked at my former co-workers).
--The goal is to have three levels of Internet access based on user groups. What is the best way to do this? It looks like most of the configuration is done (see Notes below) except for the actual policies.
-- Do I need the FortiClient? I didn' t see a way to accomplish my goals with firewall policies or UTM, etc., after reading through the 4.0 admin guide as well as the FSAE guide and the knowledge base.
--I' m relatively new to advanced Fortigate configurations. However, I have setup other Fortigates to restrict Internet access globally with firewall policies and FortiGuard services.
--Please let me know if you need more info. I' m grateful for any and all advice.
Patrick
NOTES
--Goal:
Group 1 = Allow all
Group 2 = Allow all, blacklist a few sites
Group 3 = Deny all, but white list a few sites
--Device Info:
Fortigate 100A (OS 4.0 MR1 Patch 4)
--Config Info:
AD Security Groups created.
FSAE installed (LDAP mode) on Win 2K3 DC.
Local, Directory Service and User Groups created on the 100A.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums. If the user groups are already created, and the policies are set up, just create custom protection profiles, and drop them into the policies. The PPs do the actual filtering. Within them you set the levels of Internet access, logging, etc. for the policies they are in.
Hope that helps.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bob:
--Thanks for the assist. Your quick response means I have to address this Monday and can' t stall the client. Seriously, I' ll play with the protection profiles and post back the results. I don' t think all of the policies are setup but it shouldn' t be too hard to sort that out.
All the best,
Patrick
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bob:
--No joy. I' m still unclear how to deny Internet access for some users except for a few select sites. Is there a walk through etc. for setting up policies, protection profiles, white/black lists for use with FSAE? Also, Does FSAE require authentication for accounts that are allowed to use the Internet or accounts to block from Internet?
--I suspect I' m doing something wrong but I' m not sure where (policies?). Here' s what I attempted:
-Added URL filter with specific websites, set to allow.
-Enabled Web filtering in a new protection profile; set to use newly-created URL filter.
-Added FSAE authentication policy as per admin guide; added HTTP and HTTPS services; applied newly-created protection profile; applied policy to LAN>WAN.
--Logged into test PC with account not part of directory service group; successfully accessed Internet.
--Logged into test PC with account that belonged to directory service group; successfully accessed Internet.
--If I understood the admin guide correctly, I shouldn' t have been able to access the Internet (save for the white list) when logged in with an account not subject to FSAE authentication.
--Please let me know if you need more info. Thanks in advance for the help.
Patrick
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you log onto a denied PC, check under " user > Monitor" and find the policy that' s allowing Internet access. Make sure it' s the one you designated for that purpose. Policies are enacted from the top down, so the first good one gets the traffic. Make your scopes as granular as possible so that someone cannot inadvertently surf via another wide scoped policy.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bob:
--I' ve opened a ticket with support and will work with them to resolve the issue. Thanks again for the advice.
All the best,
P.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using Identity base policies?
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
--Yes. We' re pulling the info from Windows AD.
Related Posts
- Fortigate SSLVPN with DUO MFA -... 285 Views
- SAML IdP - Sending specific asertion... 553 Views
- Can FortiGate+FortiAuthenticator VPN restrict client IP... 670 Views
- Policy-in-policy question 963 Views
- FortiGate SSL-VPN configuration and troubleshooting 634 Views
Labels
-
FortiGate
6,868 -
FortiClient
1,363 -
5.2
801 -
5.4
639 -
FortiManager
589 -
FortiAnalyzer
433 -
6.0
416 -
5.6
362 -
FortiAP
358 -
FortiSwitch
353 -
FortiClient EMS
277 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
117 -
FortiGuard
109 -
IPsec
94 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
79 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
FortiAuthenticator
26 -
VLAN
26 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
SAML
17 -
FortiGate v5.2
17 -
DNS
17 -
FortiSwitch v6.2
16 -
LDAP
16 -
Certificate
16 -
BGP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.