Creating security policies for different users


In this recipe, you will create multiple security policies, which will apply security inspection to different users based on which user group they belong to.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

This example contains three IPv4 policies:

  • Internet: The policy that the Employee user group uses to access the Internet. You use the FortiGate to apply some security inspection to traffic.
  • Accounting: The policy that the Accounting user group uses to access the Internet. You use the FortiGate to apply increased security inspection to protect sensitive information.
  • Admin: The policy that the Admin user group uses, connecting from a specific computer, to access the Internet. You use the FortiGate to apply limited security inspection.


1. Creating an Employee user, user group, and Internet policy

To create a new user, go to User & Device > User Definition (in the example, this account is called jpearson).

In the User Type section, select Local User.

 
In the Login Credentials section, set Username and set a Password.

In the Contact Info section, set the user's Email Address.

In the Extra Info section, verify that User Account Status is Enabled.

Your FortiGate now lists the new user.

To create a new user group, go to User & Device > User Groups (in the example, this group is called Employees). Add user jpearson to the Members list.

The FortiGate now lists the new user group.

To edit the Internet policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all and User to the Employees group.

Under Security Profiles, enable AntiVirus and Web Filter. Set both to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

 

2. Creating an Accounting user, user group, and Internet policy

To create another user, go to User & Device > User Definition (in the example, akeating).

To create another user group, go to User & Device > User Groups (in the example, Accounting). Add user akeating to the Members list.

To create a new Accounting policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all and User to the Accounting group.

Under Security Profiles, enable AntiVirus, Web Filter, Application Control, and IPS. Set all of these to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

 

3. Creating an Admin user, user group, device, and Internet policy

To create another user, go to User & Device > User Definition (in the example, tal-jamil).

To create another user group, go to User & Device > User Groups (in the example, Admin). Add user tal-jamil to the Members list.

 

To add a new device, go to User & Device > Custom Devices & Groups.

Set Alias to AdminPC and enter the MAC Address of the PC. Select the appropriate Device Type.

The PC is now listed under Custom Devices.

To create a new Admin policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all, User to the Admin group, and Device to the AdminPC.

Under Security Profiles, enable AntiVirus and set it to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

4. Ordering the policy table

To view the policy table, go to Policy & Objects > IPv4 Policy. Select the By Sequence view, which shows the policies in the order that they are used by your FortiGate.

Currently, the policies are arranged in the order you created them, with the oldest policy at the top of the list.

Because the FortiGate uses the first policy that matches a session, you must arrange the policies so that the more specific ones (such as the Admin policy, which also requires a particular device) are located at the top; otherwise the correct traffic will not flow through each policy.

To rearrange the policies, select the column on the far left (in the example, ID) and drag the policy to the required position, as shown on the right.

 

5. Results

From any PC in the internal network, attempt to browse the Internet.

A login screen will appear. Use the jpearson account to log in. After authentication, you can connect to the Internet.

 

Go to Monitor > Firewall User Monitor. The list shows jpearson is online.

Right-click the account and select Deauthenticate.

On the same PC, attempt to browse the Internet again. This time, log in using the akeating account.

The Firewall User Monitor now shows akeating is online and you can access the Internet.

 

From the AdminPC, attempt to browse the Internet. Log in using the tal-jamil account.

The Firewall User Monitor now shows tal-jamil is online and you can access the Internet.

If you attempt to log in from any other device using the tal-jamil account, the account will authenticate; however, you will not have Internet access.

Go to FortiView. Under All Segments, select Policies and select the 5 minutes view.

You can see traffic hitting all three policies and that each user’s traffic is flowing through the correct policy.

 

For further reading, check out Firewall policies in the FortiOS 6.0 Online Help.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
  • This policy was previously created in the Installing a FortiGate in NAT/route mode recipe.
  • Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
  • If a certificate error occurs during the authentication process, browse to a different site and re-attempt user authentication. For more information, see Certificate errors with authentication.