Sometimes a routing decision has to depend on who the user is rather than only on source and destination address: for example, the company president's traffic should leave through a particular ISP, or a specific group should be confined to a lower-capacity link when reaching the Internet.
This scenario applies equally to local users, remote users and FSSO users.
This article gives a basic configuration for an identity-based route.
The configuration below was taken on FortiOS 5.2 firmware.
Configuring user groups or FSSO itself is out of scope for this article.
First, create the user groups that the identity-based route policy will reference.
Then create an identity-based route that ties those groups to a specific gateway and outgoing interface:
config firewall identity-based-route
    edit "Prueba"
        set comments "KBNOW"
        config rule
            edit 1
                set gateway 192.168.157.1      <-- next-hop gateway to use
                set device "wan2"              <-- outgoing interface to use
                set groups "Identidad"         <-- user groups that will use this route
            next
        end
    next
end
Next, reference this identity-based route from the user-identity firewall policy. Two policies are used here: one for the group that gets the special route, and one for all other users:
config firewall policy
    edit 1                                      <-- policy ID; yours will almost certainly differ
        set name "Authentication Based Routing"
        set uuid ed855e70-0c7e-51e6-906b-7c1f188040e5
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "PruebaCaso"               <-- any schedule works: "always" or a custom one for these users
        set service "ALL"
        set logtraffic all
        set groups "Identidad"                  <-- user groups that will use this policy
        set identity-based-route "Prueba"       <-- the identity-based route created above
        set nat enable
    next
    edit 5                                      <-- policy ID; yours will almost certainly differ
        set name "Salida NORMAL"
        set uuid 7c3f9384-5d8c-51e6-0457-548cc55dc461
        set srcintf "internal4"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SinID"                      <-- all other users
    next
end
If you are using FSSO, also enable it in each of these policies with set fsso enable.
Firewall policies are matched top down, so the policy carrying the identity-based route (ID 1 above) must sit above the general policy (ID 5); otherwise members of "Identidad" would match the general policy first and never receive the special route. After this, traffic from the authenticated group is forwarded to the gateway and interface chosen by the identity-based route instead of the one chosen by the routing table.
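A complete walk-through, added here as an example and not part of the original article. It assumes a local user "jdoe" who is a member of "Identidad", a client at 192.168.1.50 behind internal4 and 8.8.8.8 as a test destination; all of these are constructed for the example. Lines starting with # are annotations, not CLI input. Beyond the article's own configuration it shows the policy-ordering step and the CLI checks used to confirm that the identity-based route is actually applied.

```fortios
# Added example (not from the original article). Assumed names: local user
# "jdoe", client 192.168.1.50 on internal4, test destination 8.8.8.8.

# 1. A local user and the group referenced by the identity-based route.
config user local
    edit "jdoe"
        set type password
        set passwd "ReplaceWithStrongPassword"
    next
end
config user group
    edit "Identidad"
        set member "jdoe"
    next
end

# 2. The identity-based route: members of Identidad leave via wan2 / 192.168.157.1.
config firewall identity-based-route
    edit "Prueba"
        config rule
            edit 1
                set gateway 192.168.157.1
                set device "wan2"
                set groups "Identidad"
            next
        end
    next
end

# 3. Make sure the identity policy (ID 1) is evaluated before the general
#    policy (ID 5); policies are matched top down.
config firewall policy
    move 1 before 5
end
show firewall policy                  # listed in evaluation order; 1 must appear before 5

# 4. Confirm the user is authenticated and placed in the expected group.
diagnose firewall auth list           # shows user, source IP and group (Identidad)

# 5. Trace a flow from the client and check which gateway/interface it takes.
diagnose debug flow filter addr 192.168.1.50
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
#   ... generate traffic from 192.168.1.50 to 8.8.8.8, then look for the
#   route lookup and policy lines: they should name gateway 192.168.157.1
#   on wan2 and policy id 1.
diagnose debug disable
diagnose debug reset

# 6. Independently confirm the packets leave on wan2 (verbosity 4 prints interface names).
diagnose sniffer packet wan2 'host 8.8.8.8' 4

# 7. For FSSO users, enable FSSO on each policy and check the learned logons.
config firewall policy
    edit 1
        set fsso enable
    next
end
diagnose debug authd fsso list
```

If the flow trace shows the general policy instead of policy 1, the user is either not authenticated (check step 4) or the identity policy sits below the general one (check step 3). If the trace shows policy 1 but the sniffer on wan2 sees nothing, verify that 192.168.157.1 is actually reachable on wan2.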
Copyright 2023 Fortinet, Inc. All Rights Reserved.