This example contains three IPv4 policies:
- Internet: The policy that the Employee user group uses to access the Internet. You use the FortiGate to apply some security inspection to traffic.
- Accounting: The policy that the Accounting user group uses to access the Internet. You use the FortiGate to apply increased security inspection to protect sensitive information.
- Admin: The policy that the Admin user group uses, connecting from a specific computer, to access the Internet. You use the FortiGate to apply limited security inspection.
1. Creating an Employee user, user group, and Internet policy
To create a new user, go to User & Device > User Definition (in the example, this account is called jpearson).
In the User Type section, select Local User.
In the Login Credentials section, set Username and set a Password.
In the Contact info section, set the user’s Email Address.
In the Extra Info section, verify that User Account Status is Enabled.
Your FortiGate now lists the new user.
To create a new user group, go to User & Device > User Groups (in the example, this group is called Employees). Add user jpearson to the Members list.
The FortiGate now lists the new user group.
To edit the Internet policy, go to Policy & Objects > IPv4 Policy.
For Source, set Address to all and User to the Employees group.
Under Security Profiles, enable AntiVirus and Web Filter. Set both to use the default profile.
SSL Inspection is enabled by default. Set it to the deep-inspection profile.
2. Creating an Accounting user, user group, and Internet policy
To create another user, go to User & Device > User Definition (in the example, akeating).
To create another user group, go to User & Device > User Groups (in the example, Accounting). Add user akeating to the Members list.
To create a new Accounting policy, go to Policy & Objects > IPv4 Policy.
For Source, set Address to all and User to the Accounting group.
Under Security Profiles, enable AntiVirus, Web Filter, Application Control, and IPS. Set all of these to use the default profile.
SSL Inspection is enabled by default. Set it to the deep-inspection profile.
3. Creating an Admin user, user group, device, and Internet policy
To create another user, go to User & Device > User Definition (in the example, tal-jamil).
To create another user group, go to User & Device > User Groups (in the example, Admin). Add user tal-jamil to the Members list.
To add a new device, go to User & Device > Custom Devices & Groups.
Set Alias to AdminPC and enter the MAC Address of the PC. Select the appropriate Device Type.
The PC is now listed under Custom Devices.
To create a new Admin policy, go to Policy & Objects > IPv4 Policy.
For Source, set Address to all, User to the Admin group, and Device to the AdminPC.
Under Security Profiles, enable AntiVirus and set it to use the default profile.
SSL Inspection is enabled by default. Set it to the deep-inspection profile.
4. Ordering the policy table
To view the policy table, go to Policy & Objects > IPv4 Policy. Select the By Sequence view, which shows the policies in the order that they are used by your FortiGate.
Currently, the policies are arranged in the order you created them, with the oldest policy at the top of the list.
Because the FortiGate applies the first policy that matches a session, you must arrange the policies so that the more specific ones (such as the Admin policy, which matches on both user group and device) are located at the top; otherwise a broader policy above them could match the traffic first.
To rearrange the policies, select the column on the far left (in the example, ID) and drag the policy to the required position, as shown on the right.
5. Results
From any PC in the internal network, attempt to browse the Internet.
A login screen will appear. Use the jpearson account to log in. After authentication, you can connect to the Internet.
Go to Monitor > Firewall User Monitor. The list shows jpearson is online.
Right-click the account and select Deauthenticate.
On the same PC, attempt to browse the Internet again. This time, log in using the akeating account.
The Firewall User Monitor now shows akeating is online and you can access the Internet.
From the AdminPC, attempt to browse the Internet. Log in using the tal-jamil account.
The Firewall User Monitor now shows tal-jamil is online and you can access the Internet.
If you attempt to log in from any other device using the tal-jamil account, the account will authenticate; however, you will not have Internet access.
Go to FortiView. Under All Segments, select Policies and select the 5 minutes view.
You can see traffic hitting all three policies and that each user’s traffic is flowing through the correct policy.