Web Filtering Multiple Groups

Author
EshChad
2017/12/19 07:14:23 (permalink)

Hi All
 
I am trying to get a web filter set up on a FortiGate 200E running on 5.4.

I have managed to link my AD to my FortiGate. What I wanted to do was create a base level group which has most groups restricted, e.g. social networking, internet radio and TV, etc.

What I then wanted to do was be able to create additional groups where they get access to different things, e.g. Marketing get social networking, internet radio and TV, and HR get social networking and job search. The groups in this case could be called:
Marketing
HR
That seems fairly straightforward. What I have trouble with is how do I have cumulative groups where, as I add multiple groups to a user, that builds their access, e.g. if I had the following groups:
Social Networking
Internet Radio and TV
Marketing (has above)
HR (has social networking and job search)
Management (All categories except security)
 
If a user is part of multiple groups above, how would it work? Would the overall access be cumulative across all the groups? I am moving from a Websense product which allows you to set a category to undefined for certain groups so that it isn't blocked at the default level but looks to other groups to see if it's allowed or not. Hope that makes sense.
#1


    RobertReynolds
    Re: Web Filtering Multiple Groups 2017/12/19 08:57:54 (permalink)
    Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of.
    For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4.
    This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The new command for this feature is auth-multi-group found in config user settings and checks all groups a user belongs to for authentication.
     
    http://help.fortinet.com/...tion-54/UserGroups.htm
    #2
    EshChad
    Re: Web Filtering Multiple Groups 2017/12/19 09:43:18 (permalink)
    Would this work for a web filter? E.g. the user would have access to all the permissions from all the groups they are in? If so, what do I set the categories to, and if there is a clash, does the allow override?
    #3
    Sidewaysguy
    Re: Web Filtering Multiple Groups 2017/12/29 14:45:14 (permalink)
    The key thing here is the order in which the policies are ordered as to how they are applied. That is where you could potentially get some issues. Remember, for things like social media, you will need to have a corresponding Application Control profile as well as the Webfilter for it to work.
     
     
    #4
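
A simplified model of the policy-order point raised in this thread, as an added example that is not part of the original posts and is not FortiOS code. It assumes top-down, first-match policy evaluation with one web filter profile per policy; the policy names, the "Domain Users" base group and the category labels are constructed for illustration.

```python
# Simplified model (assumption): policies are checked top-down and the first
# one whose group list intersects the user's groups decides the web filter
# profile. Profiles are not merged across policies.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset    # AD groups this policy applies to
    allowed: frozenset   # categories the attached profile allows

# Constructed sample rule base, listed in evaluation order.
POLICIES = [
    Policy("hr", frozenset({"HR"}),
           frozenset({"social-networking", "job-search"})),
    Policy("marketing", frozenset({"Marketing"}),
           frozenset({"social-networking", "internet-radio-tv"})),
    Policy("base", frozenset({"Domain Users"}), frozenset()),
]

def first_match(user_groups, policies):
    """Return the first policy that applies to any of the user's groups."""
    groups = set(user_groups)
    for p in policies:
        if p.groups & groups:
            return p
    return None  # nothing matched: treated as deny in this model

def effective_allowed(user_groups, policies):
    """Categories allowed under first-match evaluation."""
    p = first_match(user_groups, policies)
    return set(p.allowed) if p else set()

def cumulative_allowed(user_groups, policies):
    """The cumulative result asked about: union over every matching policy."""
    groups = set(user_groups)
    out = set()
    for p in policies:
        if p.groups & groups:
            out |= p.allowed
    return out

def shadowed_categories(user_groups, policies):
    """Categories a multi-group user expects but the first match withholds."""
    return cumulative_allowed(user_groups, policies) - effective_allowed(user_groups, policies)

if __name__ == "__main__":
    user = {"Domain Users", "HR", "Marketing"}
    print(first_match(user, POLICIES).name, sorted(shadowed_categories(user, POLICIES)))
```

Under this model, reordering the HR and Marketing policies changes which category a user in both groups loses, which makes an ordering problem easy to spot before rollout.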