Chapter 7 Firewall for FortiOS 5.0 : Building firewall objects and policies : Firewall Device Identity Policy
  
Firewall Device Identity Policy
The company is instituting a BYOD pilot project. It is going to let employees’ personal devices connect through a wireless network. Most will be allowed access only to the Internet, but some will have access to the internal LAN.
The wireless interface the users will be connecting on is “wifi”.
The source address has been defined as the DHCP scope assigned to the wireless network, “Internal_wireless”. Using this address object rather than “all” keeps the policy from matching traffic that arrives on the interface from outside the wireless scope.
The internal network is on the interface designated as “LAN”.
There is no need to NAT the traffic.
The AntiVirus Profile to be used is “Internal-AV”, already defined.
The Application Profile to be used is “Internal-AC”, already defined.
The IPS Profile to be used is “Internal-IPS”, already defined.
The Device group for this policy is “IT_Personnel_phones”.
The IT team is a trusted group that will be accessing practically everything, so the schedule will be the predefined “always” and the service will be the predefined “ALL”.
While the IT team is trusted, the company would like to verify that their devices are compliant with the Endpoint profile, so the check for this must be enabled on the policy.
Go to Policy > Policy > Policy.
Select Create New.
Fill out the fields with the following information:
 
Field                                Value
Policy Type                          Firewall
Policy Subtype                       Device Identity
Incoming Interface                   wifi
Source Address                       Internal_wireless
Outgoing Interface                   LAN
Enable NAT                           not enabled
Customize Authentication Messages    (optional)
Add tag                              (optional)
Comments                             (optional)
In the Configure Authentication Rules section, create a new Authentication rule by filling out the fields with the following information.
Field                                Value
Destination Address                  Internal_Network
Device                               IT_Personnel_phones
Compliant with Endpoint Profile      enable
Schedule                             always
Service                              ALL
Action                               (automatically assigned the value “ACCEPT”)
Log Allowed Traffic                  (optional)
Traffic Shaping                      (optional)
In the Security Profiles section, enable and select the security profiles as follows. Only AntiVirus, Application Control and IPS can be applied to a Device Identity policy; the remaining options are greyed out.
Security Profile       Status   Profile Name
AntiVirus              ON       Internal-AV
Web Filter             OFF      (option is greyed out)
Application Control    ON       Internal-AC
IPS                    ON       Internal-IPS
Email Filter           OFF      (option is greyed out)
DLP Sensor             OFF      (option is greyed out)
VoIP                   OFF      (option is greyed out)
ICAP                   OFF      (option is greyed out)
Select OK.
To configure the same policy from the CLI, enter the following commands. Note that utm-status must be enabled before any profile is assigned, and that the inner identity-based-policy table and the outer policy entry each need their own next and end:
config firewall policy
    edit 0
        set srcintf "wifi"
        set dstintf "LAN"
        set srcaddr "Internal_wireless"
        set action accept
        set identity-based enable
        set identity-from device
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "Internal_Network"
                set service "ALL"
                set devices "IT_Personnel_phones"
                set endpoint-compliance enable
                set utm-status enable
                set av-profile "Internal-AV"
                set ips-sensor "Internal-IPS"
                set application-list "Internal-AC"
            next
        end
    next
end
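As an added example (not from the FortiOS handbook or Fortinet), the following Python renders the policy above from a small data model and lints it for the points a reviewer would raise before pushing it: a source address of “all” instead of the wireless DHCP scope, NAT turned on, the endpoint compliance check left off, an identity rule with no security profile, and unbalanced edit/next and config/end nesting. The interface, address, device and profile names are the scenario’s; the explicit set nat disable line and the check that utm-status enable precedes any profile line are assumptions of this example about how the CLI should be ordered. It runs offline and touches no device.

```python
"""Render and lint a FortiOS 5.0 device-identity firewall policy.

Added example, not Fortinet's code. Object names below are taken from
the scenario; the explicit 'set nat disable' and the utm-status-first
ordering are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class IdentityRule:
    """One entry under 'config identity-based-policy'."""
    dstaddr: str
    devices: str
    schedule: str = "always"
    service: str = "ALL"
    endpoint_compliance: bool = True
    av_profile: str = ""
    ips_sensor: str = ""
    application_list: str = ""


@dataclass
class DevicePolicy:
    """A firewall policy with 'identity-from device'."""
    srcintf: str
    dstintf: str
    srcaddr: str
    rules: List[IdentityRule] = field(default_factory=list)
    nat: bool = False


def render(policy: DevicePolicy) -> str:
    """Emit the FortiOS 5.0 CLI for the policy with balanced nesting."""
    out = ["config firewall policy", "    edit 0",
           f'        set srcintf "{policy.srcintf}"',
           f'        set dstintf "{policy.dstintf}"',
           f'        set srcaddr "{policy.srcaddr}"',
           "        set action accept",
           f"        set nat {'enable' if policy.nat else 'disable'}",
           "        set identity-based enable",
           "        set identity-from device",
           "        config identity-based-policy"]
    for n, r in enumerate(policy.rules, 1):
        profiles = [("av-profile", r.av_profile), ("ips-sensor", r.ips_sensor),
                    ("application-list", r.application_list)]
        out.append(f"            edit {n}")
        out.append(f'                set schedule "{r.schedule}"')
        out.append(f'                set dstaddr "{r.dstaddr}"')
        out.append(f'                set service "{r.service}"')
        out.append(f'                set devices "{r.devices}"')
        if r.endpoint_compliance:
            out.append("                set endpoint-compliance enable")
        if any(v for _, v in profiles):
            # utm-status has to be on before a profile can be assigned
            out.append("                set utm-status enable")
            for key, value in profiles:
                if value:
                    out.append(f'                set {key} "{value}"')
        out.append("            next")
    out += ["        end", "    next", "end"]
    return "\n".join(out)


def lint(policy: DevicePolicy) -> List[str]:
    """Return the review findings a security engineer would raise."""
    findings = []
    if policy.srcaddr.lower() == "all":
        findings.append("srcaddr is 'all': scope it to the wireless DHCP range")
    if policy.nat:
        findings.append("NAT is enabled but the scenario says no NAT is needed")
    if not policy.rules:
        findings.append("no identity rule: device matching never happens")
    for n, r in enumerate(policy.rules, 1):
        if not r.endpoint_compliance:
            findings.append(f"rule {n}: endpoint compliance check is off")
        if not (r.av_profile or r.ips_sensor or r.application_list):
            findings.append(f"rule {n}: no security profile applied")
    return findings


def balanced(cli: str) -> bool:
    """True if every 'config'/'edit' is closed by a matching 'end'/'next'."""
    depth = 0
    for line in cli.splitlines():
        word = line.strip().split(" ")[0]
        if word in ("config", "edit"):
            depth += 1
        elif word in ("end", "next"):
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed from the scenario on this page.
IT_RULE = IdentityRule(dstaddr="Internal_Network", devices="IT_Personnel_phones",
                       av_profile="Internal-AV", ips_sensor="Internal-IPS",
                       application_list="Internal-AC")
SCENARIO = DevicePolicy(srcintf="wifi", dstintf="LAN",
                        srcaddr="Internal_wireless", rules=[IT_RULE])
# The broader variant with srcaddr 'all', which lint() flags.
WIDE_OPEN = DevicePolicy(srcintf="wifi", dstintf="LAN", srcaddr="all", rules=[IT_RULE])

if __name__ == "__main__":
    print(render(SCENARIO))
    print(lint(WIDE_OPEN))
```

Running the module prints the rendered CLI for the scenario and the single finding for the wide-open variant; balanced() is the quick check to run over any pasted CLI block before applying it, since a missing outer next/end leaves the policy entry unsaved.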