Allow access to servers based on group
Next, create new rules to allow each user group access to their servers.
To create Allow rules for On-net users from port1 (Clients_LAN) to port2 (DMZ):
- Go to Policy & Objects > Firewall Policy.
- Click Create New. Name the first rule Allow-on-net-Sales.
  - In the Incoming interface, select port1.
  - In the Outgoing interface, select port2.
  - In the Source list:
    - Select the Address all.
    - Add the User Groups LDAP-Sales.
  - In the IP/MAC Based Access Control field, add the FortiAD.info tag.
  - In the Destination list, add the Webserver address object.
  - Set the Service to ALL.
  - Set the Action to ACCEPT.
  - Set Inspection Mode to Proxy-based.
  - Enable NAT where necessary.
  - Enable Security Profiles as needed.
  - Enable Log Allowed Traffic, and choose All Sessions.
  - Click OK to complete.
- Click Create New. Name the 2nd rule Allow-on-net-Finance.
  - In the Incoming interface, select port1.
  - In the Outgoing interface, select port2.
  - In the Source list:
    - Select the Address all.
    - Add the User Groups LDAP-Finance.
  - In the IP/MAC Based Access Control field, add the FortiAD.info tag.
  - In the Destination list, add the Finance and Webserver address objects.
  - Set the Service to ALL.
  - Set the Action to ACCEPT.
  - Set Inspection Mode to Proxy-based.
  - Enable NAT where necessary.
  - Enable Security Profiles as needed.
  - Enable Log Allowed Traffic, and choose All Sessions.
  - Click OK to complete.
- Click Create New. Name the 3rd rule Allow-on-net-Admin.
  - In the Incoming interface, select port1.
  - In the Outgoing interface, select port2.
  - In the Source list:
    - Select the Address all.
    - Add the User Groups LDAP-Administrators.
  - In the IP/MAC Based Access Control field, add the FortiAD.info tag.
  - In the Destination list, add the EMS, FAC, FAZ, Finance and Webserver address objects.
  - Set the Service to ALL.
  - Set the Action to ACCEPT.
  - Set Inspection Mode to Proxy-based.
  - Enable NAT where necessary.
  - Enable Security Profiles as needed.
  - Enable Log Allowed Traffic, and choose All Sessions.
  - Click OK to complete.
- Place the new policies below the Deny-vuln-on-net policy but above the to_DMZ_webservers policy.
- Disable the to_DMZ_webservers policy so that authentication does not fall through to this wide open policy.
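The same three policies, the ordering step and the disable step, expressed in the FortiOS CLI. This is an added example written for this page, not configuration taken from the original document. It assumes the EMS tag chosen under IP/MAC Based Access Control is stored as a dynamic address object in srcaddr (the page does not give that object's name, so `<FortiAD-info-tag-address>` is a placeholder), that the policy IDs 10, 11 and 12 are free, and that the existing Deny-vuln-on-net and to_DMZ_webservers policies have IDs 5 and 6 (also placeholders; read the real IDs from your policy table). `set schedule "always"` is the GUI default that the click-through does not mention; security profiles are left out because the page says to add them as needed.

```fortios
# Added example (not from the original page). Placeholders, marked <...>, and
# the policy IDs 5, 6, 10, 11, 12 are assumptions; replace them with your values.
config firewall policy
    edit 10
        set name "Allow-on-net-Sales"
        set srcintf "port1"
        set dstintf "port2"
        # "all" plus the EMS tag address is what the GUI stores for
        # Address all + IP/MAC Based Access Control (assumption: tag lives in srcaddr)
        set srcaddr "all" "<FortiAD-info-tag-address>"
        set dstaddr "Webserver"
        # LDAP group match: only authenticated members of LDAP-Sales hit this policy
        set groups "LDAP-Sales"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        # Enable NAT only if the page's "where necessary" applies to your DMZ design
        set nat enable
        set logtraffic all
    next
    edit 11
        set name "Allow-on-net-Finance"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all" "<FortiAD-info-tag-address>"
        set dstaddr "Finance" "Webserver"
        set groups "LDAP-Finance"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
        set logtraffic all
    next
    edit 12
        set name "Allow-on-net-Admin"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all" "<FortiAD-info-tag-address>"
        set dstaddr "EMS" "FAC" "FAZ" "Finance" "Webserver"
        set groups "LDAP-Administrators"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
        set logtraffic all
    next
    # Ordering: below Deny-vuln-on-net (placeholder ID 5), above to_DMZ_webservers
    # (placeholder ID 6). Policies are evaluated top-down, first match wins.
    move 10 after 5
    move 11 after 10
    move 12 after 11
    # Disable the wide-open policy so a client that fails the group match
    # cannot fall through to it.
    edit 6
        set status disable
    next
end
```

After committing, `show firewall policy` lists the policies in evaluation order, which is the quickest way to confirm the three group policies sit between Deny-vuln-on-net and the now-disabled to_DMZ_webservers entry; a session from a client outside the LDAP groups should be logged as denied rather than matching the old catch-all.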