Advice on Fortigate firewall

Depending on your device you might be able to have multiple user identification policies (I think).
In which case this might work.

Create 2 different policies with 2 different NATs.
The first policy has a user group with the guys who want to use the 1st line.
The second policy has a user group with the guys who want to use the 2nd line.

Use PBR to route the traffic down each line based on the 2 different source IPs.

From a doc I just saw, the order of operations seems to indicate SNAT happens before the final routing decision.

Not sure if this will work, but worth a look.

I know on most FortiGates you can't use 2 policies for user ident, but I think you can on certain models.
 
Good news from my FG contact. There is a CLI feature called identity-based-route which should do what you need to do.

# show firewall identity-based-route
config firewall identity-based-route
    edit "Gateways"
        set comments "gateways based on groups"
        config rule
            edit 1
                set gateway 192.168.1.1
                set device "wan2"
                set groups "Staff"
            next
            edit 2
                set gateway 192.168.2.1
                set device "wan1"
                set groups "Managers"
            next
        end
    next
end

And then add it to your policy:

config firewall policy
    edit 130
        set uuid 6e53b28e-fc7f-51e3-8aef-ee923e7a30c9
        set srcintf "port1"
        set dstintf "OUTSIDE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set ntlm enable
        set fsso enable
        set groups "Exco" "LDAPExco" "FortiAuth-Exco"
        set identity-based-route "Gateways"
        set av-profile "HTTP SMTP Scanning"
        set webfilter-profile "Exco"
        set ips-sensor "protect_client"
        set application-list "block-p2p"
        set profile-protocol-options "default"
        set ssl-ssh-profile "no_inspection"
        set traffic-shaper "web-med"
        set traffic-shaper-reverse "web-med"
        set nat enable
    next
end

Edit: This is cut'n'paste from his config. I haven't validated it, but he says it works :)
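Two things are worth checking before pasting a snippet like this into a box: a `config rule` table where two entries carry the same `edit` id (FortiOS treats the second `edit 1` as re-opening the first entry, so the later `set` lines overwrite the earlier rule and only one gateway survives), and whether the groups the route rules match on overlap at all with the groups the policy matches, since the route only takes effect for users who fall in both. The following is an added example, not code from the thread or from Fortinet: a small parser for the `config`/`edit`/`set`/`next`/`end` CLI structure plus a lint that reports both conditions. The sample config inside it is constructed from the pasted snippet (with the unrelated UTM lines dropped), and `sample_config`, `parse_fortios` and `lint_identity_routes` are names chosen here.

```python
"""Parse a FortiOS-style CLI snippet and lint identity-based-route wiring.

Added example for this thread; it is not Fortinet code. The sample config is
constructed from the snippet posted above, with its two defects reproduced by
default: both route rules use id 1, and the policy's groups share no name
with the groups the route rules match on.
"""
from dataclasses import dataclass, field
import shlex


@dataclass
class Node:
    """One config table or table entry; `sets` holds `set <key> <values...>`."""
    name: str
    sets: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)
    dup_ids: list = field(default_factory=list)


def parse_fortios(text):
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and prompt/comment lines such as "# show firewall ..."
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw == "config":
            node = Node("config " + " ".join(tok[1:]))
            stack[-1].children[node.name] = node
            stack.append(node)
        elif kw == "edit":
            parent = stack[-1]
            key = "edit " + tok[1]
            # A repeated id re-opens the existing entry: later `set` lines
            # overwrite earlier ones, so record the collision for the lint.
            if key in parent.children:
                parent.dup_ids.append(tok[1])
            node = parent.children.setdefault(key, Node(key))
            stack.append(node)
        elif kw == "set":
            stack[-1].sets[tok[1]] = tok[2:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def lint_identity_routes(root):
    """Return findings as (check, object, detail) tuples; empty means clean."""
    findings = []
    ibr = root.children.get("config firewall identity-based-route", Node("-"))
    route_groups = {}
    for entry in ibr.children.values():
        route_name = entry.name.split(" ", 1)[1]
        rules = entry.children.get("config rule", Node("-"))
        for dup in rules.dup_ids:
            findings.append(("duplicate-rule-id", route_name, dup))
        groups = set()
        for rule in rules.children.values():
            groups.update(rule.sets.get("groups", []))
        route_groups[route_name] = groups
    policies = root.children.get("config firewall policy", Node("-"))
    for pol in policies.children.values():
        pol_id = pol.name.split(" ", 1)[1]
        ref = pol.sets.get("identity-based-route")
        if not ref:
            continue  # policy does not use identity routing at all
        if ref[0] not in route_groups:
            findings.append(("missing-route", pol_id, ref[0]))
            continue
        if not set(pol.sets.get("groups", [])) & route_groups[ref[0]]:
            findings.append(("no-common-groups", pol_id, ref[0]))
    return findings


def sample_config(second_rule_id="1",
                  policy_groups='"Exco" "LDAPExco" "FortiAuth-Exco"'):
    """Constructed sample based on the thread's snippet (assumed, not live)."""
    return f'''
config firewall identity-based-route
    edit "Gateways"
        set comments "gateways based on groups"
        config rule
            edit 1
                set gateway 192.168.1.1
                set device "wan2"
                set groups "Staff"
            next
            edit {second_rule_id}
                set gateway 192.168.2.1
                set device "wan1"
                set groups "Managers"
            next
        end
    next
end
config firewall policy
    edit 130
        set srcintf "port1"
        set dstintf "OUTSIDE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso enable
        set groups {policy_groups}
        set identity-based-route "Gateways"
        set nat enable
    next
end
'''


if __name__ == "__main__":
    for finding in lint_identity_routes(parse_fortios(sample_config())):
        print(finding)
```

Run as-is it reports `duplicate-rule-id` for "Gateways" and `no-common-groups` for policy 130; calling `sample_config("2", '"Staff" "Managers"')` gives the corrected shape and the lint returns nothing. The parser keeps FortiOS's own merge semantics on purpose, so you can also inspect the parsed tree to see which gateway actually survived a duplicate id.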
 
> Good news from my FG contact. There is a CLI feature called identity-based-route which should do what you need to do.
> And then add it to your policy:
> Edit: This is cut'n'paste from his config. I haven't validated it, but he says it works :)

Awesome, I'll have to upgrade two FortiGates to Ver 5 to use this, it seems, but I was going to upgrade them anyway. I tried it on the one that has Ver 5 on and it seems to work.
 
> Awesome, I'll have to upgrade two FortiGates to Ver 5 to use this, it seems, but I was going to upgrade them anyway. I tried it on the one that has Ver 5 on and it seems to work.

Thanks for the feedback.

I've been happy with v5 since about 5.0.4. I have yet to take the plunge on 5.2.
 
> Good news from my FG contact. There is a CLI feature called identity-based-route which should do what you need to do.
> And then add it to your policy:
> Edit: This is cut'n'paste from his config. I haven't validated it, but he says it works :)

This is a bit out of my league, but I'll give it a shot and let you know how it goes :p
Thanks for finding this one out for me.
 
> I've been happy with v5 since about 5.0.4. I have yet to take the plunge on 5.2.

I've upgraded our firewall from 4.2.8 to 5.0.7 whilst undertaking this exercise, so the whole firewall interface is very 'new' to me at the moment.
 