Description
This article explains how to identify the username of a user who authenticates through a web filter profile that uses the 'authenticate' action.
Scope
FortiGate.
Solution
Add the Firewall Authentication feature in the policy using web filter.
CLI Configuration - Web filter sample of 'BeerAdvocate':
config firewall policy
edit 3
set uuid 04ddead8-aa2d-51e5-87fc-273aa2d10cf7
set srcintf "port5"
set dstintf "port2"
set srcaddr "10.68.1_lab_subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set av-profile "default"
set webfilter-profile "BeerAdvocate"
set application-list "appcontrol_web_streaming"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
config webfilter profile
edit "BeerAdvocate"
config ftgd-wf
unset options
config filters
edit 1
set category 7
set action authenticate
set auth-usr-grp "testgroup"
next
…truncated…
With this configuration, the GUI does not show the 'user' in the Security Web Filter logs.
Security logs -> Web Filter (these logs are dynamic, so they do not always appear).
No name appears under the name/group columns.
The solution is to add Firewall user or group authentication in the policy using web filter.
Modified policy:
config firewall policy
edit 3
set uuid 04ddead8-aa2d-51e5-87fc-273aa2d10cf7
set srcintf "port5"
set dstintf "port2"
set srcaddr "10.68.1_lab_subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "testgroup"
set av-profile "default"
set webfilter-profile "BeerAdvocate"
set application-list "appcontrol_web_streaming"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
The result is that the user and user group using web filter authentication access are now listed in the report.
Existing web filter authentication entries can be found with the following command:
diagnose webfilter fortiguard override all-warning
The entries contain the authenticated category, the user IP, and the expiry.
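To find other policies with the same logging gap, the check below scans a saved configuration for policies that reference a web filter profile with the 'authenticate' action but have no 'set groups' or 'set users' line. It is an added example, not Fortinet code; the sample configuration is constructed from the one in this article, and policy 4 and the function names are hypothetical.

```python
# Constructed sample: policy 3 is the original policy, policy 4 the modified one.
SAMPLE = """
config firewall policy
edit 3
set webfilter-profile "BeerAdvocate"
next
edit 4
set groups "testgroup"
set webfilter-profile "BeerAdvocate"
next
end
config webfilter profile
edit "BeerAdvocate"
config ftgd-wf
config filters
edit 1
set category 7
set action authenticate
set auth-usr-grp "testgroup"
next
end
end
next
end
"""

def parse_entries(text):
    """Return {(top-level section, entry name): [set lines at any depth]}."""
    entries, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(None, 1)[1].strip('"'))
        elif line in ("next", "end") and stack:
            stack.pop()  # 'next' closes an edit, 'end' closes a config
        elif line.startswith("set ") and len(stack) >= 2:
            entries.setdefault((stack[0], stack[1]), []).append(line)
    return entries

def policies_missing_identity(text):
    """List (policy id, profile) pairs where only the web filter authenticates."""
    entries = parse_entries(text)
    auth_profiles = {name for (sec, name), lines in entries.items()
                     if sec == "webfilter profile" and "set action authenticate" in lines}
    findings = []
    for (sec, pid), lines in entries.items():
        opts = dict(l.split(None, 2)[1:] for l in lines if len(l.split()) >= 3)
        profile = opts.get("webfilter-profile", "").strip('"')
        if (sec == "firewall policy" and profile in auth_profiles
                and not {"groups", "users"} & opts.keys()):
            findings.append((pid, profile))
    return findings
```

Calling policies_missing_identity(SAMPLE) reports policy 3 only, which is the policy whose web filter log entries would lack a user name.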