EshChad
New Contributor

Web Filtering Multiple Groups

Hi All

 

I am trying to get a web filter set up on a FortiGate 200E running on 5.4.

 

I have managed to link my AD to my FortiGate. What I wanted to do was create a base level group which has most groups restricted, e.g. social networking, internet radio and TV, etc.

 

What I then wanted to do was be able to create additional groups where they get access to different things, e.g. marketing get social networking, internet radio and TV, and HR get social networking and job search. The groups in this case could be called:

Marketing

HR

That seems fairly straightforward. What I have trouble with is how do I have cumulative groups where, as I add multiple groups to a user, that builds their access, e.g. if I had the following groups:

Social Networking

Internet Radio and TV

Marketing (has above)

HR (has social networking and job search)

Management (All categories except security)

 

If a user is part of multiple above groups, how would it work? Would the overall access be a cumulative of all the groups? I am moving from a Websense product which allows you to set a category to undefined for certain groups so that it isn't blocked at the default level but looks to other groups to see if it's allowed or not. Hope that makes sense.

3 REPLIES
RobertReynolds
Contributor

Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of.

For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4.

This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The new command for this feature is auth-multi-group found in config user settings and checks all groups a user belongs to for authentication.

 

http://help.fortinet.com/...tion-54/UserGroups.htm

EshChad

Would this work for a web filter? E.g. a user would have access to all the permissions from all the groups they are in? If so, what do I set the categories to, and if there is a clash does the allow override?

Sidewaysguy
New Contributor III

The key thing here is the order in which the policies are ordered as to how they are applied. That is where you could potentially get some issues. Remember, for things like social media, you will need to have a corresponding Application Control profile as well as the Webfilter for it to work.
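
The policy-ordering point from the reply above, as an added FortiOS CLI sketch that is not part of any poster's message or of Fortinet's documentation. It assumes top-down, first-match policy evaluation and that the web filter and Application Control profiles already exist; the interface names, policy IDs, profile names and the Base-Users group are hypothetical, while Marketing and HR are the groups from the question.

```fortios
# Added illustration; not from the thread. Hypothetical: interface names,
# policy IDs, wf-*/app-* profile names, and the Base-Users group.
# Assumption: policies are evaluated top-down and the first match wins, so
# a user in both Marketing and HR gets policy 20's profiles only.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Marketing"
        set utm-status enable
        set webfilter-profile "wf-marketing"
        set application-list "app-marketing"
    next
    edit 30
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "HR"
        set utm-status enable
        set webfilter-profile "wf-hr"
        set application-list "app-hr"
    next
    # Catch-all for everyone else: the most restrictive profile goes last.
    edit 90
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Base-Users"
        set utm-status enable
        set webfilter-profile "wf-base"
        set application-list "app-base"
    next
end
```

Under that assumption the profiles are not merged across policies, so the position of each group's policy in the list decides which web filter and Application Control pair a multi-group user receives.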

 

 
