Excluding users from security scanning

In this example, two company executives are excluded from the security scanning that a FortiGate applies to all other staff Internet traffic.

The executives in this example connect to the Internet using PCs with static IP addresses, so these addresses can be used to identify their traffic. If identifying users with a static IP address will not work for your network you can set up authentication or device identification (BYOD).

1. Applying security profiles to the staff policy

Go to Policy & Objects > Policy > IPv4 and edit the general policy that allows staff to access the Internet.

Under Security Profiles, enable Web Filter and Application Control. Set them to use the default profiles. Also set SSL/SSH Insection to the deep-inspection profile.

To be able to see results enable logging all sessions.


2. Creating firewall addresses for the executives

Go to Policy & Objects > Objects > Addresses. Create an address for each executive. Use /32 as the  Netmask to ensure that the firewall address applies only to the specified IP.


Select Create New > Address Group and create an address group for the executive addresses.  

3. Creating a security policy for the executives

Go to Policy & Objects > Policy > IPv4 and create a policy allowing the executives to access the Internet. Set Source Address to Executives. Enable logging and select Log all Sessions to be able to view results.

Leave all Security Profiles disabled.


In the policy list, the policy for executives (in this example ID=3) must be above the policy for staff (in this example ID=2).

You can re-order policies by hovering your mouse cursor over the borders of the left-most cell of a policy until the cursor changes into crossed arrows and then clicking and dragging that policy up or down into the required order.

Note that in this screen shot the policy ID (ID) is shown for each policy and the sequence number (Seq.#) is hidden.


4. Results  

Connect to the Internet from two computers on the internal network: one from an executive address and one from a staff address.

Go to Log & Report > Traffic Log > Forward Traffic. Right-click the column headings and make sure that the Policy ID column is visible.

In this example output, connections from (an executive address) use policy ID 3 and connections from (a staff address) use policy ID 2.


For further reading, check out Security Profiles in the FortiOS 5.2 Handbook.

Bill Dickie

Technical Writer at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.