FortiOS 5.2 Authentication: Excluding users from security scanning

The executives in this example connect to the Internet using PCs with static IP addresses, so these addresses can be used to identify their traffic. If identifying users with a static IP address will not work for your network you can set up authentication or device identification (BYOD).

1. Applying security profiles to the staff policy

Go to Policy & Objects > Policy > IPv4 and edit the general policy that allows staff to access the Internet.

Under Security Profiles, enable Web Filter and Application Control. Set them to use the default profiles. Also set SSL/SSH Insection to the deep-inspection profile.

To be able to see results enable logging all sessions.

2. Creating firewall addresses for the executives

Go to Policy & Objects > Objects > Addresses. Create an address for each executive. Use /32 as the  Netmask to ensure that the firewall address applies only to the specified IP.

Select Create New > Address Group and create an address group for the executive addresses.

3. Creating a security policy for the executives

Go to Policy & Objects > Policy > IPv4 and create a policy allowing the executives to access the Internet. Set Source Address to Executives. Enable logging and select Log all Sessions to be able to view results.

Leave all Security Profiles disabled.

In the policy list, the policy for executives (in this example ID=3) must be above the policy for staff (in this example ID=2).

You can re-order policies by hovering your mouse cursor over the borders of the left-most cell of a policy until the cursor changes into crossed arrows and then clicking and dragging that policy up or down into the required order.

Note that in this screen shot the policy ID (ID) is shown for each policy and the sequence number (Seq.#) is hidden.

4. Results

Connect to the Internet from two computers on the internal network: one from an executive address and one from a staff address.

Go to Log & Report > Traffic Log > Forward Traffic. Right-click the column headings and make sure that the Policy ID column is visible.

In this example output, connections from 192.168.13.10 (an executive address) use policy ID 3 and connections from 192.168.13.144 (a staff address) use policy ID 2.