Firewall User Identity Policy
There is a server on the internal LAN that is used as a resource by sales people who are out on the road and at home. The sales people and their administrator are the only ones allowed access to the server “SalesServer”. Because of the importance of the data on the server, it needs to be backed up on a regular basis, and to make sure that all of the files are available for backup, no one is allowed access during the scheduled backup time.
• Firewall User Group has been created: “sales”. This is a group defined for more than one purpose.
• Firewall User has been created: “jsmith”, who is the administrator. “jsmith” is not a member of the sales group and can’t be placed in it because of other resources that the group has access to.
• A Virtual IP has been defined for the server “SalesServer” mapped from an external address to an internal address on port9. Port forwarding is enabled on TCP port 443 for the application that the sales people use.
• The schedule “Non-Maintenance_Window” has been created so that it excludes the backup window (between 2 a.m. and 3 a.m.) by starting the window at 3:00 and stopping at 2:00 (if the stop time is set earlier than the start time, the stop time falls on the next day).
• Because there is access from the Internet to the internal network, the company’s HTTPS Server IPS profile, called “Protect_HTTPS_Server”, will be enabled.
Go to Policy > Policy > Policy.
Create a new policy.
Fill out the fields with the following information:
| Field | Value |
|---|---|
| Policy Type | Firewall |
| Policy Subtype | User Identity |
| Incoming Interface | wan1 |
| Source Address | all |
| Outgoing Interface | port9 |
| Enable NAT | not enabled |
| Enable Web cache | not enabled |
| Enable WAN Optimization | not enabled |
| Certificate | No Certificate |
| Firewall | enabled |
| Fortinet Single Sign-On | not enabled |
| WiFi Single Sign-On | not enabled |
| NTLM Authentication | not enabled |
| Customize Authentication Messages | (optional) |
| Add tag | (optional) |
| Comments | (optional) |
In the Configure Authentication Rules section, create a new Authentication rule by filling out the fields with the following information.
| Field | Value |
|---|---|
| Destination Address | SalesServer (virtual IP address) |
| Group(s) | sales |
| User(s) | jsmith |
| Schedule | Non-Maintenance_Window |
| Service | HTTPS |
| Action | (automatically assigned value of “ACCEPT”) |
| Log Allowed Traffic | (optional) |
| Traffic Shaping | (optional) |
In the Security Profiles section, enable and select the security profiles as follows:
| Security Profiles | Status | Profile Name |
|---|---|---|
| AntiVirus | OFF | (option should be greyed out) |
| Web Filter | OFF | (option should be greyed out) |
| Application Control | OFF | (option should be greyed out) |
| IPS | ON | Protect_HTTPS_Server |
| Email Filter | OFF | (option should be greyed out) |
| DLP Sensor | OFF | (option should be greyed out) |
| VoIP | OFF | (option should be greyed out) |
| ICAP | OFF | (option should be greyed out) |
Select OK.
Alternatively, enter the following CLI commands (the closing next and end for the outer firewall policy table are required, otherwise the policy is not committed):
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port9"
        set srcaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "Non-Maintenance_Window"
                set utm-status enable
                set profile-type single
                set groups "sales"
                set users "jsmith"
                set dstaddr "SalesServer"
                set service "HTTPS"
                set ips-sensor "Protect_HTTPS_Server"
            next
        end
    next
end
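To check that the policy above really does what the scenario requires (only the sales group and jsmith, only HTTPS to SalesServer, and nothing at all between 2 a.m. and 3 a.m.), the following added Python example models it offline. It is not FortiGate code and not part of the original page: the CLI parser is a simplification of the config/edit/set/next/end syntax, the schedule table is an assumption that mirrors the bullet above (start 03:00, stop 02:00, so the active period wraps past midnight), and the matching logic covers only the fields this page configures, with the firewall's implicit deny as the fallback.

```python
"""Offline model of the user-identity policy from the page (added example,
not FortiOS code). Parses a constructed copy of the CLI block, applies the
recurring-schedule wrap-around rule and answers whether a request is accepted."""

from datetime import time
import shlex

# Constructed copy of the page's CLI configuration (closing next/end included).
CLI_CONFIG = """
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port9"
        set srcaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "Non-Maintenance_Window"
                set utm-status enable
                set profile-type single
                set groups "sales"
                set users "jsmith"
                set dstaddr "SalesServer"
                set service "HTTPS"
                set ips-sensor "Protect_HTTPS_Server"
            next
        end
    next
end
"""

# Assumed schedule definition: start 03:00, stop 02:00 (wraps to the next day).
SCHEDULES = {"Non-Maintenance_Window": (time(3, 0), time(2, 0))}


def parse_cli(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    'config X' and 'edit N' open a nested table keyed by X or N;
    'set K V...' stores K -> [V...]; 'next' and 'end' close the table.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def schedule_active(name, at):
    """Recurring schedule with the wrap-around rule from the page:
    if stop is earlier than start, the window runs until stop on the next day."""
    start, stop = SCHEDULES[name]
    if start < stop:
        return start <= at < stop
    return at >= start or at < stop


def evaluate(config, user, groups, dst, service, at):
    """Return 'accept' if an identity sub-policy matches, else 'deny'."""
    policy = config["firewall policy"]["0"]
    if policy.get("identity-based") != ["enable"]:
        return "deny"
    for rule in policy["identity-based-policy"].values():
        identity_ok = user in rule.get("users", []) or any(
            g in rule.get("groups", []) for g in groups)
        if (identity_ok
                and dst in rule["dstaddr"]
                and service in rule["service"]
                and schedule_active(rule["schedule"][0], at)):
            return rule.get("action", policy["action"])[0]
    return "deny"                          # implicit deny


CONFIG = parse_cli(CLI_CONFIG)

if __name__ == "__main__":
    # Sales user during the day, same user during the backup window, and the admin.
    for who, grp, when in [("asmith", ["sales"], time(10, 0)),
                           ("asmith", ["sales"], time(2, 30)),
                           ("jsmith", [], time(23, 0))]:
        print(who, when, evaluate(CONFIG, who, grp, "SalesServer", "HTTPS", when))
```

The interesting case is the wrap-around: with start 03:00 and stop 02:00, 01:59 is still inside the window and 02:00 to 02:59 is outside, so a sales user who connects at 02:30 gets the implicit deny even though every other field of the rule matches.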