User explicit rule not working | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!User explicit rule not working

Author Post Essentials Only Full Version
southside New Member Total Posts : 8 Scores: 0 Reward points: 0 Joined: 2019/06/19 07:46:04 Status: offline 2019/07/09 04:23:50 (permalink) 0 User explicit rule not working Hi All, Testing a new rule restricted to a single user to test LDAP connectivity and future lockdown. Currently using a Fortigate 200E on software version 6.0.3. I have configured LDAP connectivity and created a user group containing the single user through FSSO. Rather than using a specific group I have selected the user in the all staff list for the user group. I have created a standard rule with a source of the user and all IPs, destination of Yahoo Web for testing, PAT to internet with AV, Web and SSL inspections. This rule is placed at the top of the rule stack to be first hit. When testing, I can access the Yahoo site but see no hit on this specific rule so the master rule below is being hit. Have I missed anything here? Regards Adrian #1 4 Replies Related Threads
hubertzw Gold Member Total Posts : 193 Scores: 5 Reward points: 0 Joined: 2018/04/16 13:29:04 Status: offline Re: User explicit rule not working 2019/07/09 05:08:56 (permalink) 0 Hi - do you see your username on the FSSO list? - how did you specify destination (Yahoo), IP, ISDB? Enable logging all sessions and compare the log with the policy (authentication, destination, etc.) #2
southside New Member Total Posts : 8 Scores: 0 Reward points: 0 Joined: 2019/06/19 07:46:04 Status: offline Re: User explicit rule not working 2019/07/09 05:47:45 (permalink) 0 When running the command in CLI I do not see my entry. Only one user in another FSSO group we have for All Users. Specified Yahoo through use of Internet Service Yahoo Web. #3
southside New Member Total Posts : 8 Scores: 0 Reward points: 0 Joined: 2019/06/19 07:46:04 Status: offline Re: User explicit rule not working 2019/07/09 07:21:06 (permalink) 0 Think I found the problem. When running debug for server-status I get a local fsso error connection refused. Since we have an agent on the DC I understand this isn't needed so I need to remove it from 'config user fsso-polling' ensure my fsso 'config user adgrp' records are paired to right Collector. Question is, will this impact any of the policy when I apply - understand that it's not working now? Strange thing is we have a FSSO group for all users and whilst I am awaiting the person who manages the LDAP server to tell me who is a member of that group, I only see one person listed when over 200 would be expected but that is another issue. Thanks in advance for help. Regards Adrian #4
hubertzw Gold Member Total Posts : 193 Scores: 5 Reward points: 0 Joined: 2018/04/16 13:29:04 Status: offline Re: User explicit rule not working 2019/07/09 09:19:13 (permalink) 0 Yes, when you have agent on DC you don't need fsso-polling configuration. It shouldn't impact policy configuration but every time when you change config do backup, it's a good pratice #5

Jump to:

© 2019 APG vNext Commercial Version 5.5