FortiGate
Ivan_Sosa
Staff
Article Id 282238
Description
This article describes how to block internet access for mobile phones (Android and iOS) in a WLAN environment.

Scope
FortiOS version 7.2.6, FortiAP.

Solution
It is possible to deny internet access (or access to specific networks) to mobile phones in particular by combining NAC policies, which place Android and iOS devices on dedicated VLANs under the VAP, with firewall policies that deny traffic from those VLANs.
The steps to configure this are as follows:

  1. Set the NAC policies according to the following procedure: NAC Policies Configuration.

  2. Set firewall policies that DENY general access.
    Keeping the same topology and information as in the document mentioned above, create a new firewall policy for Android devices and another for iOS devices, using the VLAN interfaces that the NAC policies assign them to as the source interface:
For Android devices:
config firewall policy
   edit <policy_id>
      set name "NAC_Android WIFI"
      set srcintf "vap_v400" ---> VLAN interface under the VAP
      set dstintf "virtual-wan-link" ---> Internet-facing interface or SD-WAN zone
      set action deny
      set srcaddr "all"
      set dstaddr "all"
      set schedule "always"
      set service "ALL"
      set logtraffic all
   next
end


(Screenshot: Policy_to_Deny_Android_Traffic.png)


For iOS devices:
config firewall policy
   edit <policy_id>
      set name "NACiOS WIFI"
      set srcintf "vap_v600" ---> VLAN interface under the VAP
      set dstintf "virtual-wan-link" ---> Internet-facing interface or SD-WAN zone
      set action deny
      set srcaddr "all"
      set dstaddr "all"
      set schedule "always"
      set service "ALL"
      set logtraffic all
   next
end


(Screenshot: Policy_to_Deny_iOS_Traffic.png)
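The following is an added, complete CLI example that ties both deny policies together and adds the ordering and verification steps a practitioner would want; it is not taken from the original article or from the NAC Policies Configuration document. The policy IDs 20 and 21, the existing broader allow policy with ID 10 (assumed to use srcintf "any" and therefore to also match traffic from vap_v400 and vap_v600), and the VLAN interface names are assumptions for illustration.

```fortios
# Added example (not from the original article). Assumed policy IDs: 20, 21
# for the two deny policies, 10 for an assumed pre-existing allow policy
# with srcintf "any" that would otherwise let the phones reach the internet.
config firewall policy
    edit 20
        set name "NAC_Android WIFI"
        set srcintf "vap_v400"           # VLAN assigned to Android devices by the NAC policy
        set dstintf "virtual-wan-link"   # internet-facing SD-WAN zone (assumed name)
        set action deny
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all               # deny policies only log when this is set
    next
    edit 21
        set name "NACiOS WIFI"
        set srcintf "vap_v600"           # VLAN assigned to iOS devices by the NAC policy
        set dstintf "virtual-wan-link"
        set action deny
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policies are matched top-down: the deny entries must sit above any
    # broader allow policy (assumed ID 10) that also matches these VLANs.
    move 20 before 10
    move 21 before 10
end

# Verification (run after a phone joins the SSID):
show firewall policy 20                      # confirm the settings and that the policy exists
diagnose user device list                    # confirm the phone was fingerprinted as Android/iOS
diagnose wireless-controller wlac -d sta     # confirm the station landed on vap_v400 / vap_v600
execute log filter category 0                # traffic log
execute log display                          # denied sessions should appear with action deny
```

Two points worth checking. First, if no allow policy exists for the VLAN at all, traffic from it is already dropped by the implicit deny; the explicit deny policy with logtraffic all still earns its place because implicit-deny sessions are not logged unless fwpolicy-implicit-log is enabled under config log setting. Second, if a phone is not listed by diagnose user device list with the expected OS, the NAC policy has not matched it, so it is not on the expected VLAN and the deny policy cannot apply; fix the NAC side before touching the firewall policies.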
Note: This procedure works only on a wireless network served by FortiAP units managed by the FortiGate, because the NAC policy is what places each phone on the VLAN interface that the deny policy matches.