Not applicable
Created on 06-14-2010 03:15 PM
blocking internet for a user or group
I have a user here who I'd like to block their internet access completely. I see where I can block and filter specific sites, but I don't see how I can block access to one specific user.
I have a Fortigate 60B and my current Firewall Policy is set to allow "all" on the inside to access "all" on the outside using the web filter policy I've setup. The web filter I setup uses mostly the default Fortinet blocks as well as the facebook, myspace, and web based email blocks I've setup.
In a perfect world I'd really like to allow this user only access to certain sites and block all else, but I think that may be outside the capabilities of the 60B that I have.
Thanks for all input!
Hello and welcome,
> I have a user here who I'd like to block their internet access completely. I see where I can block and filter specific sites, but I don't see how I can block access to one specific user.
Ok, how do you identify that user unequivocally in your network?
> In a perfect world I'd really like to allow this user only access to certain sites and block all else,
ok, your perfect world is a few commands ahead.
> but I think that may be outside the capabilities of the 60B that I have.
not at all; you need a way to identify users with no ambiguity and apply appropriate policies. Did you implement one in your network?
regards
/ Abel
abelio,
Thanks for the reply. Our network is using Active Directory, so all users are identified by a unique username.
I'm not that good with firewall setups, but I'll add that our VPN users are enabled/disabled through their AD account and the Fortigate is using what I think is a RADIUS service to authenticate the VPN users.
> Thanks for the reply. Our network is using Active Directory, so all users are identified by a unique username.
you're welcome; ok, then FSAE is the easier way to go; check the following links to get a picture:
http://docs.fortinet.com/fgt/archives/3.0/techdocs/FSAE_Administration_Guide_01-30007-0373-20080718.pdf
http://docs.fortinet.com/ifos.html
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30081
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31819
> I'm not that good with firewall setups, but I'll add that our VPN users are enabled/disabled through their AD account and the Fortigate is using what I think is a RADIUS service to authenticate the VPN users.
Maybe you've a back integration between your radius and your AD to do that; if that's working properly you could also use it to authenticate firewall policies. But if you choose FSAE usage, you could also use it for VPNs. check http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31873
regards
/ Abel
Well said Abel -
There are a few methods which can be used to identify users when working with a FortiGate (to create an Identity Based Policy):
- FSAE = the most loved and hated method; will send the FortiGate user info as they are logging into the WIN AD or Novell Directory
- Authentication Web Interface = simplest to implement; asks a user for a username and password before they are allowed to send data through a policy. This can then be linked into accounts (groups) on a radius server, firewall, etc.
- NTLM = haven't spent much time using this, but it allows for NTLM packets to be used as part of authentication.
So the first question is how are you identifying users?
~Matt
logMojo (http://logMojo.com) by Security Confidence
Cloud Based - Logging • Alerting • Reporting • Monitoring • Management
Signup today!
Not applicable
Created on 06-21-2010 10:55 AM
I want to also block internet to a group of PCs by subnet. I still want them to be able to access only certain sites. I've placed certain PCs into a specific VLAN/subnet to have a quick way of seeing if a PC is in this "no internet" VLAN. Is there a policy I can setup for this way of internet blocking/allowing certain sites? TIA.
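As an added example (not from this thread or from Fortinet's documentation), this is the usual shape of the VLAN allowlist asked about above in the FortiOS CLI: an address group holding the permitted sites, an accept policy from the VLAN to that group, and an explicit deny policy under it so the VLAN never falls through to the general all-to-all rule. The interface name, subnet, site names, policy IDs and service names are assumptions for a 4.x-era CLI; check the option names against the 60B's own CLI reference before use.

```text
# Constructed example: VLAN interface "vlan10_noinet" (192.168.10.0/24) may reach
# only two placeholder sites; all other outbound traffic from it is denied and logged.

config firewall address
    edit "NoInternet_VLAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "site_payroll"
        set type fqdn
        set fqdn "payroll.example.com"       # placeholder site name
    next
    edit "site_bank"
        set type fqdn
        set fqdn "online.example-bank.com"   # placeholder site name
    next
end

config firewall addrgrp
    edit "Allowed_Sites"
        set member "site_payroll" "site_bank"
    next
end

config firewall policy
    # 20: the only outbound traffic the VLAN may send (attach the same
    #     protection/web filter profile used on the existing allow-all policy)
    edit 20
        set srcintf "vlan10_noinet"
        set dstintf "wan1"
        set srcaddr "NoInternet_VLAN"
        set dstaddr "Allowed_Sites"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
    # 21: explicit deny, logged, so blocked attempts from this VLAN are visible
    edit 21
        set srcintf "vlan10_noinet"
        set dstintf "wan1"
        set srcaddr "NoInternet_VLAN"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

Policies are matched top-down, so both must sit above the existing all-to-all rule (move them in the policy list, e.g. `move 20 before 1` in the CLI). FQDN address objects only match IPs the FortiGate itself has resolved, so a host using a different resolver or a raw IP may not match the allow rule and will hit the deny instead, which the logs will show.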