User explicit rule not working

Author: southside (New Member), 2019/07/09 04:23:50

Hi All,

Testing a new rule restricted to a single user to test LDAP connectivity and future lockdown. Currently using a FortiGate 200E on software version 6.0.3.

I have configured LDAP connectivity and created a user group containing the single user through FSSO. Rather than using a specific group I have selected the user in the all staff list for the user group.

I have created a standard rule with a source of the user and all IPs, destination of Yahoo Web for testing, PAT to internet with AV, Web and SSL inspections.

This rule is placed at the top of the rule stack to be first hit. When testing, I can access the Yahoo site but see no hit on this specific rule, so the master rule below is being hit.

Have I missed anything here?

Regards

Adrian


Reply from hubertzw (Gold Member), 2019/07/09 05:08:56
Hi
- do you see your username on the FSSO list?
- how did you specify destination (Yahoo), IP, ISDB?

Enable logging all sessions and compare the log with the policy (authentication, destination, etc.)
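hubertzw's suggestion to log all sessions and then compare the log against the policy can be done by hand in the GUI, but it is quicker to script when there are many sessions. The following is an added example, not code from this thread or from Fortinet: a small Python script that parses FortiGate-style key=value traffic log lines and sorts each session to the test destination into "ok" (the explicit user rule matched), "no-identity" (no user was attached to the source IP, so an identity-based policy could never match), or "wrong-policy" (the user was known but another policy matched, which points at the destination object or policy order instead). The log lines, addresses, policy IDs and names, host list and the user name are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate traffic-log (key=value) style. Hosts,
# addresses, policy names and the user name are made up for this example
# (RFC 5737 documentation ranges for the public side); none come from the
# poster's firewall.
SAMPLE_LOG = """\
date=2019-07-09 time=04:10:01 type="traffic" subtype="forward" srcip=10.10.20.15 dstip=203.0.113.10 srcintf="port1" dstintf="wan1" service="HTTPS" action="accept" policyid=2 policyname="All-Staff-Out" user="" group=""
date=2019-07-09 time=04:10:07 type="traffic" subtype="forward" srcip=10.10.20.15 dstip=203.0.113.10 srcintf="port1" dstintf="wan1" service="HTTPS" action="accept" policyid=2 policyname="All-Staff-Out" user="" group=""
date=2019-07-09 time=04:11:40 type="traffic" subtype="forward" srcip=10.10.20.15 dstip=198.51.100.7 srcintf="port1" dstintf="wan1" service="HTTPS" action="accept" policyid=2 policyname="All-Staff-Out" user="" group=""
date=2019-07-09 time=04:20:12 type="traffic" subtype="forward" srcip=10.10.20.15 dstip=203.0.113.10 srcintf="port1" dstintf="wan1" service="HTTPS" action="accept" policyid=2 policyname="All-Staff-Out" user="ADRIAN" group="FSSO-All-Staff"
date=2019-07-09 time=04:25:33 type="traffic" subtype="forward" srcip=10.10.20.15 dstip=203.0.113.10 srcintf="port1" dstintf="wan1" service="HTTPS" action="accept" policyid=1 policyname="Test-Yahoo-Adrian" user="ADRIAN" group="FSSO-Test-Adrian"
"""

# One key=value pair; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(session, expected_policy, user_hosts, test_dests):
    """Decide what one session says about the identity-based test policy."""
    if session.get("srcip") not in user_hosts or session.get("dstip") not in test_dests:
        return "ignored"            # not part of the test traffic
    if int(session.get("policyid", -1)) == expected_policy:
        return "ok"                 # the explicit user rule matched
    if not session.get("user"):
        # No identity attached to the source IP, so a policy whose source is a
        # user or group can never match. The FSSO logon list (whether the user
        # shows up there at all) is the first thing to check in that case.
        return "no-identity"
    # Identity was known but traffic still fell through to another policy:
    # look at the destination/service objects and the policy order instead.
    return "wrong-policy"


def audit_sessions(log_text, expected_policy, user_hosts, test_dests):
    """Classify every session in log_text; return the findings plus a summary count."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = parse_line(line)
        verdict = classify(s, expected_policy, user_hosts, test_dests)
        findings.append({
            "time": s.get("time"), "srcip": s.get("srcip"), "dstip": s.get("dstip"),
            "policyid": s.get("policyid"), "policyname": s.get("policyname"),
            "user": s.get("user") or "<none>", "verdict": verdict,
        })
    summary = Counter(f["verdict"] for f in findings)
    return {"findings": findings, "summary": summary}


if __name__ == "__main__":
    # Hypothetical test setup: the user's workstation, the Yahoo test address
    # and the ID of the explicit rule at the top of the policy list.
    report = audit_sessions(SAMPLE_LOG, expected_policy=1,
                            user_hosts={"10.10.20.15"}, test_dests={"203.0.113.10"})
    for f in report["findings"]:
        print(f"{f['time']} {f['srcip']}->{f['dstip']} policy={f['policyid']} "
              f"({f['policyname']}) user={f['user']} : {f['verdict']}")
    print(dict(report["summary"]))
```

On a real box, paste the exported traffic log in place of SAMPLE_LOG and set `user_hosts`, `test_dests` and `expected_policy` to your own values; the "no-identity" bucket is the one that matches the symptom described in this thread, since the sessions reach Yahoo but carry no user and so fall through to the general policy.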
Reply from southside (New Member), 2019/07/09 05:47:45
When running the command in CLI I do not see my entry. Only one user in another FSSO group we have for All Users.

Specified Yahoo through use of Internet Service Yahoo Web.
Reply from southside (New Member), 2019/07/09 07:21:06
Think I found the problem. When running debug for server-status I get a local FSSO error: connection refused. Since we have an agent on the DC I understand this isn't needed, so I need to remove it from 'config user fsso-polling' and ensure my FSSO 'config user adgrp' records are paired to the right Collector.

Question is, will this impact any of the policy when I apply - understand that it's not working now?

Strange thing is we have an FSSO group for all users and, whilst I am awaiting the person who manages the LDAP server to tell me who is a member of that group, I only see one person listed when over 200 would be expected, but that is another issue.

Thanks in advance for help.

Regards

Adrian
Reply from hubertzw (Gold Member), 2019/07/09 09:19:13
Yes, when you have an agent on the DC you don't need the fsso-polling configuration. It shouldn't impact the policy configuration, but every time you change config, do a backup; it's good practice.