I have a system for which I want to set an IP-based internet policy that will be time-based. Apart from that time limit, any user who is in the domain can log in to the system but should not be able to access the internet. Is there any way that I can do this from the AD FSSO client or from the FortiGate? (Note: this is already there, but I want to know how they did that.) No IP is blocked on the FortiGate; also, changing the IP address was of no use. Thanks in advance, Vishal
FGT100E, FGT100D, FGT300C, FGT300E; FortiOS 5.2, 5.4, 5.6, 6.0, 6.0.2 and 6.2
Hi Vishal,
Not sure I understand your needs.
FSSO IS IP-based, it is not session-based, unless you use the Collector for NTLM.
Keep in mind that pure IP-based policies (no user groups, in short) have priority over identity-based policies.
Time schedules should work for both types.
Unless your DCs are behind the firewall from a network/policy perspective (that is, unless a traffic/forward policy governs access from PC to DC), logon to the domain should always work.
FortiGate is an implicit deny-any type of firewall. So policies are exemptions allowing access under specific conditions, like time, source/destination address/port, services and user/device identity.
So, to achieve identity-driven access, avoid any pure IP-based policies without a user group bound to them.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff 
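The following FortiOS CLI configuration is an added example illustrating the approach described in the reply above; it is not configuration from either poster. It assumes hypothetical interface names (internal, dmz, wan1), subnets (192.168.10.0/24 for clients, 10.0.0.0/24 for domain controllers), a collector agent at 10.0.0.5 and an AD group named Internet-Users. Domain logon traffic to the DCs is allowed by a plain address-based policy with the schedule "always", while internet access is granted only by a policy that is bound to an FSSO user group and to a recurring schedule. Because no pure IP-based internet policy exists, anything outside the group or the schedule falls through to the implicit deny.

```fortios
# Added example (not from the original thread). Object names, addresses and
# the AD group DN are assumptions; adjust them to the real environment.

# Recurring schedule limiting internet access to working hours.
config firewall schedule recurring
    edit "office-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# Address objects for the client LAN and the domain controllers.
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "DC-servers"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# FSSO collector agent (hypothetical address) and the FSSO user group that
# mirrors the AD group whose members are allowed on the internet.
config user fsso
    edit "dc-collector"
        set server 10.0.0.5
        set password ENC-or-plain-password-here
    next
end
config user group
    edit "FSSO-Internet-Users"
        set group-type fsso-service
        set member "CN=Internet-Users,OU=Groups,DC=example,DC=com"
    next
end

config firewall policy
    # 1. Domain logon must always work, so PC-to-DC traffic is allowed by a
    #    pure address-based policy with no user group and the "always" schedule.
    edit 1
        set name "LAN-to-DC"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN-subnet"
        set dstaddr "DC-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
    next
    # 2. Internet access is identity-driven: the policy matches only when the
    #    source IP has an FSSO logon in the group AND the schedule is active.
    #    There is deliberately no second, address-only internet policy, since
    #    such a policy would be matched regardless of user identity.
    edit 2
        set name "Internet-office-hours"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "office-hours"
        set service "HTTP" "HTTPS" "DNS"
        set groups "FSSO-Internet-Users"
        set nat enable
        set logtraffic all
    next
end
```

To verify the behaviour, check which user the FortiGate has mapped to a client IP with `diagnose debug authd fsso list` and then confirm that a client whose IP has no FSSO logon, or one tested outside 08:00-18:00, is denied by the implicit policy (visible in the forward traffic log as policy ID 0). If a pure IP-based policy to wan1 is later added above policy 2, identity and schedule are bypassed for every host in LAN-subnet, which is the situation the reply warns against.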
Copyright 2025 Fortinet, Inc. All Rights Reserved.