FortiGate
evejar
Staff
Article Id 190482
Description

Sometimes we need to create routes based on identity: for example, the president of the company must reach the Internet through a particular ISP, or a specific group must use a limited link to go to the Internet.

This scenario can be useful in different situations, with local users, remote users and FSSO users.



Scope

Give a basic configuration to create an identity-based route.

I am running 5.2 firmware.

I am not going to explain how to configure groups or FSSO.


Solution

First, you need to have the user groups that you will reference in the identity-based route.

Then create an identity-based route object that ties those groups to a specific gateway and outgoing interface. To do this, use the following configuration:

config firewall identity-based-route
    edit "Prueba"
        set comments "KBNOW"
        config rule
            edit 1
                set gateway 192.168.157.1    <----- gateway that we want to use
                set device "wan2"            <----- WAN interface that we want to use
                set groups "Identidad"       <----- user groups that will use this rule
            next
        end
    next
end


The next step is to reference this identity-based route in the user identity-based firewall policy. Policies are matched from the top down, so this policy must sit above any more general policy that the same users would otherwise match. Note that in this example the policy's destination interface is the same interface named in the route rule (wan2). We do that as follows:


config firewall policy
    edit 1    <----- policy ID; yours will probably differ
        set name "Authentication Based Routing "
        set uuid ed855e70-0c7e-51e6-906b-7c1f188040e5
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "PruebaCaso"    <----- "always" or a specific schedule for these users
        set service "ALL"
        set logtraffic all
        set groups "Identidad"       <----- user groups that will use this policy
        set identity-based-route "Prueba"    <----- the identity-based route created above
        set nat enable
    next
    edit 5    <----- policy ID; yours will probably differ
        set name "Salida NORMAL"
        set uuid 7c3f9384-5d8c-51e6-0457-548cc55dc461
        set srcintf "internal4"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SinID"           <----- all other users
    next
end

If you are using FSSO, enable it in each of these policies with "set fsso enable".


After this, traffic from authenticated members of the group is sent through the gateway and interface defined in the identity-based route, while users who do not belong to that group match the other policy and are routed normally.
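To confirm that the identity-based route is actually applied, the following checks can be run from the FortiGate CLI. This is an added verification example and is not part of the original article; 10.10.10.50 is an assumed client address behind internal4 and 198.51.100.10 an assumed Internet test host, so substitute your own values.

```fortios
# Added verification example (not from the original article).
# Assumed values: 10.10.10.50 = authenticated client on internal4,
# 198.51.100.10 = Internet host the client is browsing to.

# 1. Confirm the client has an authenticated session and check which
#    group and policy ID it matched (it must be the identity-based policy).
diagnose firewall auth list

# 2. Trace how a new flow from the client is forwarded. The trace should
#    show the route resolved via wan2 with gateway 192.168.157.1 and the
#    flow accepted by policy ID 1.
diagnose debug reset
diagnose debug flow filter saddr 10.10.10.50
diagnose debug flow filter daddr 198.51.100.10
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
#    (generate traffic from the client to 198.51.100.10 now, then stop the trace)
diagnose debug disable
diagnose debug reset

# 3. Confirm the packets really leave on wan2. Because the policy has
#    "set nat enable", filter on the destination host rather than on the
#    client: after source NAT the packets on wan2 carry the wan2 address,
#    not 10.10.10.50, so a 'host 10.10.10.50' filter would show nothing.
diagnose sniffer packet wan2 'host 198.51.100.10' 4
```

If the flow trace shows the route resolved via a different interface, check that the user really is a member of "Identidad", that the policy referencing the identity-based route sits above the general policy, and that the user's session is still authenticated (it will drop to the general policy once the authentication timeout expires).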

