It is common to use the FortiGate as a web proxy in enterprise environments. The default behavior of the web filter is to match traffic on layer 4 information in the firewall policy and then apply a web-filter profile that enforces web-filtering policy according to its configuration. Matching of FortiGuard categories happens within the web-filter profile, not in the firewall policy.

Default Firewall Matching

By default, the FortiGate firewall policy performs matching based on the following criteria, as shown in this screenshot from the IPv4 Policy page of the web GUI:

[screenshot: IPv4 Policy page]

This behavior best serves an environment that can assign a single web-filter profile to each matching user group, where that group is defined by an address, an Active Directory group or a device type. As the screenshot of the policy shows, each matching rule assigns one web-filter profile to the user group it matches. Below is an illustrative example from the firewall policy:

[screenshot: firewall policy example]

In the example above, users who are members of the "fsso_admins" security group are assigned the "wf-admin-profile" web-filter profile, and users who are members of the "fsso_domain_users" group are assigned the "wf-domain-users" web-filter profile. Firewall policies are evaluated top-down and the first match wins, so a user who is a member of both "fsso_admins" and "fsso_domain_users" receives the profile of the "fsso_admins" policy because it is the first policy rule that matches. To use this approach effectively, the Active Directory administrator must plan group membership so that each Active Directory group carries a defined level of permissions; a user placed in a higher-privilege group inherits that group's web-filter profile regardless of any other memberships. This is a suitable solution when there are not a large number of exceptions in the web-filtering policy.

Challenges with Default Matching Behavior

There are a certain set of obstacles that the FortiGate administrator can encounter using the default matching behavior.
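The two-policy layout described under Default Firewall Matching, written out in FortiOS CLI form as an added example (this is not configuration from the original post). The interface names "internal" and "wan1", the policy IDs, the policy names and the Active Directory distinguished names are assumptions; the group and profile names are the ones the text uses. Lines beginning with # are annotations, not CLI input.

```text
# Added example, not from the original post. Interface names, policy IDs
# and the Active Directory DNs below are assumptions.

# FSSO user groups: each one maps to an Active Directory security group
# learned from the FSSO collector agent (assumed DNs).
config user group
    edit "fsso_admins"
        set group-type fsso-service
        set member "CN=fsso_admins,OU=Groups,DC=example,DC=local"
    next
    edit "fsso_domain_users"
        set group-type fsso-service
        set member "CN=fsso_domain_users,OU=Groups,DC=example,DC=local"
    next
end

# Firewall policies are evaluated top-down; the first match wins.
# Policy 1 sits above policy 2, so a user who is a member of BOTH groups
# is matched by policy 1 and gets "wf-admin-profile", never
# "wf-domain-users". Swapping the order would invert that outcome.
config firewall policy
    edit 1
        set name "web-fsso-admins"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "fsso_admins"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-admin-profile"
        set logtraffic all
    next
    edit 2
        set name "web-fsso-domain-users"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "fsso_domain_users"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-domain-users"
        set logtraffic all
    next
end
```

Two checks are worth running after applying this. The policy order, not the policy ID, decides the match: inside config firewall policy the move command (for example move 2 before 1) changes the evaluation order without changing IDs, so confirm the admin policy really is listed first. And because the FSSO group a user is resolved to determines which policy fires, diagnose debug authd fsso list shows the logged-on users the FortiGate currently knows and the groups it has attached to each, which is the quickest way to verify that a user in both groups is in fact being matched by the admin policy.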