Default policy

There are several ways you can apply Isolator profile and Web Filter profile settings to end users. Isolator profiles and Web Filter profiles can be applied to the guest account, individual local user accounts, and/or local user groups.

Applying default policy and profile settings

The FortiIsolator applies the Default Policy to local users and guests that have no user-specific or group policy assigned. Default Policy is the way to apply a given Isolator profile, Web Filter profile, and/or ICAP profile to such local users and guests.

To apply profiles to default policy from GUI:
  1. Go to Policies and Profiles > Default Policy and select the desired Guest Type. This option determines how end users log in.
    guest disable

    A user has to log in with a user account of one of the following types:

    • Local user - The user can log in by entering the designated username and password configured in User definition if Login Option is Local User or SAML User.
    • NTLM user - If an FSSO agent server is configured in LDAP servers, the user can log in with single-sign-on by clicking the NTLM Authentication link and entering the credentials.
    • SAML user - If a SAML server is configured through FortiAuthenticator in SAML servers, the user can log in with single-sign-on by clicking the SAML Single Sign On link and entering the credentials.

    guest enable

    A user can log in with either a user account or as a guest.

    • To log in with a user account, the user enters the credentials of one of the following account types:

      • Local user - The user enters the designated username and password configured in User definition.
      • NTLM user - If an FSSO agent server is configured in LDAP servers, the user can single-sign-on by clicking the NTLM Authentication link and entering the credentials.
      • SAML user - If a SAML server is configured through FortiAuthenticator in SAML servers, the user can single-sign-on by clicking the SAML Single Sign On link and entering the credentials.
    • To log in as a guest, the user leaves the username and password empty and selects Guest.

    guest only

    A user has to log in as a guest.

    Note

    With guest only, the login page is not shown. Users can browse sites without being prompted to log in. Because these users are never authenticated, everything they can reach is governed solely by the profiles selected in the Default Policy, so keep those profiles as restrictive as the deployment allows.

  2. Select the Isolator profile, Web Filter profile, and/or ICAP profile to be used in the policy. Also set Max Session Per User, Max Session Per IP, Auth Cookie Lifetime, and Login Option to be used in the default policy.

    Default Isolator Profile Name

    Select an Isolator profile for Default Policy.

    Default WebFilter Profile Name

    Select a Web Filter profile for Default Policy.

    Default ICAP Profile Name

    Select an ICAP profile for Default Policy.

    Max Session Per User

    Maximum number of sessions (tabs) allowed for requests from the same local user

    Max Session Per IP

    Maximum number of sessions (tabs) allowed for requests from a single IP address

    Auth Cookie Lifetime

    Number of hours after which the authorization cookie expires and the user needs to re-login. Enter an integer within the range of 1-240.

    Note

    This setting does not take effect when the user is in guest mode.

    Login Option

    Select how the user is allowed to log in. This option is available only if Guest Type is guest disable and a SAML server is configured through FortiAuthenticator in SAML servers.

    • Local User or SAML User—Allow the user to log in using a local user account or SAML credentials.

    • SAML User—Allow the user to log in using the SAML credentials only. Local user accounts are not allowed.

  3. Click OK to finish.

To apply profiles to default policy from CLI:

> set guest-type 0|1|2

(disabled = 0, enabled = 1, guest-only = 2)

For example:

> set guest-type 0

> show guest-type

guest type : Disabled

> set guest-type 1

> show guest-type

guest type : Enabled

> set guest-type 2

> show guest-type

guest type : Guest Only

> set default-policy <isolator-profile-name> <webfilter-profile-name> <icap-profile-name> <guest-type> <max-session-per-user> <max-session-per-ip> <auth-cookie-lifetime> <global-policy-login-option>

e.g.

> set default-policy system_default webfilter_profile ICAP_profile 1 50 30 96 1

<isolator-profile-name>

Isolator profile name

<webfilter-profile-name>

Web Filter profile name

<icap-profile-name>

ICAP profile name

<guest-type>

Login mode of the user. The values are the same as for set guest-type:

0

guest disable: A user must log in with one of the following types of credentials:

  • Local user account - Only if Login Option is Local User or SAML User.

  • NTLM single sign-on - Only if an FSSO agent server is configured in LDAP servers.

  • SAML credentials - Only if a SAML server is configured through FortiAuthenticator in SAML servers.

1

guest enable: A user can log in with a local user account, NTLM or SAML single sign-on, or as a guest.

2

guest only: A user has to log in as a guest. No credentials are required and no login page is shown.

<max-session-per-user>

Maximum number of sessions (tabs) allowed for requests from the same local user

<max-session-per-ip>

Maximum number of sessions (tabs) allowed for requests from a single IP address

<auth-cookie-lifetime>

Number of hours after which the authorization cookie expires and the user needs to re-login. This parameter accepts integers within the range of 1-240.

Note

This parameter does not take effect when the user is in guest mode.

<global-policy-login-option>

Login option allowed for the user. This option is available only if Guest Type is guest disable and a SAML server is configured through FortiAuthenticator in SAML servers.

1

Local User or SAML User: A user can log in with a local user account or SAML credentials.

0

SAML User: A user can only log in using SAML credentials. Local user accounts are not allowed.

To display the default policy from CLI:

> show default-policy

Default Policy:

Guest Type : 1

Isolator Profile : system_default

WebFilter Profile : webfilter_profile

ICAP Profile : ICAP_profile

Max Session Per User : 50

Max Session Per IP : 30

Auth Cookie Lifetime : 96

Global Policy Login Option : 1
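
The CLI sequence above, as an added worked example that is not part of the FortiIsolator documentation or product: a POSIX shell helper that validates the eight set default-policy arguments against the ranges and modes described on this page (guest-type 0/1/2, auth-cookie-lifetime 1-240 hours, login option 0/1), warns about settings the page says are ignored in the chosen mode, prints the command line to send to the appliance, and checks a show default-policy dump against the intended values so a change can be verified, or drift detected, afterwards. The sample dump is constructed from the output shown above; the allowed profile-name characters and the transport used to reach the appliance (console or SSH session) are assumptions.

```shell
#!/bin/sh
# Added example, not FortiIsolator's own tooling: build a validated
# "set default-policy" line and verify a "show default-policy" dump
# against the intended values. Argument order, value ranges and the
# dump format come from the CLI reference on this page; delivering the
# line to the appliance (console or ssh) is assumed and out of scope.

is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# build_default_policy ISO WF ICAP GUEST MAXUSER MAXIP COOKIE LOGINOPT
# Prints the CLI line on stdout; returns 1 (prints nothing) on bad input.
build_default_policy() {
    [ $# -eq 8 ] || { echo "need 8 arguments" >&2; return 1; }
    iso=$1 wf=$2 icap=$3 guest=$4 maxuser=$5 maxip=$6 cookie=$7 loginopt=$8
    for n in "$iso" "$wf" "$icap"; do
        case "$n" in   # allowed name characters are an assumption
            '') echo "profile names must not be empty" >&2; return 1 ;;
            *[!A-Za-z0-9_.-]*) echo "bad profile name: $n" >&2; return 1 ;;
        esac
    done
    # guest-type: 0 = guest disable, 1 = guest enable, 2 = guest only
    case "$guest" in 0|1|2) ;; *) echo "guest-type must be 0, 1 or 2" >&2; return 1 ;; esac
    is_int "$maxuser" && is_int "$maxip" \
        || { echo "session limits must be integers" >&2; return 1; }
    # auth-cookie-lifetime is in hours, 1-240
    is_int "$cookie" && [ "$cookie" -ge 1 ] && [ "$cookie" -le 240 ] \
        || { echo "auth-cookie-lifetime must be 1-240" >&2; return 1; }
    # login option: 1 = Local User or SAML User, 0 = SAML User only
    case "$loginopt" in 0|1) ;; *) echo "login-option must be 0 or 1" >&2; return 1 ;; esac
    # Settings the page says have no effect in some modes: warn, do not fail.
    [ "$guest" = 0 ] || [ "$loginopt" = 1 ] \
        || echo "warning: SAML-only login option applies only when guest-type is 0" >&2
    [ "$guest" != 2 ] \
        || echo "warning: guest only: no login page, auth-cookie-lifetime has no effect" >&2
    printf 'set default-policy %s %s %s %s %s %s %s %s\n' \
        "$iso" "$wf" "$icap" "$guest" "$maxuser" "$maxip" "$cookie" "$loginopt"
}

# check_default_policy ISO WF ICAP GUEST MAXUSER MAXIP COOKIE LOGINOPT < dump
# Reads "show default-policy" output on stdin; prints OK when every field
# matches the eight intended values, otherwise lists mismatches, returns 1.
check_default_policy() {
    [ $# -eq 8 ] || { echo "need 8 arguments" >&2; return 1; }
    dump=$(cat)
    rc=0
    for key in "Isolator Profile" "WebFilter Profile" "ICAP Profile" "Guest Type" \
               "Max Session Per User" "Max Session Per IP" \
               "Auth Cookie Lifetime" "Global Policy Login Option"; do
        want=$1; shift
        # dump lines look like "Key : value"; take the value of the first match
        got=$(printf '%s\n' "$dump" \
              | awk -F' : ' -v k="$key" '$1 == k { sub(/[ \t\r]+$/, "", $2); print $2; exit }')
        [ "$got" = "$want" ] || { echo "MISMATCH $key: want '$want' got '$got'"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed sample: the "show default-policy" output this page shows after
# the example set command.
SAMPLE_DUMP='Default Policy:
Guest Type : 1
Isolator Profile : system_default
WebFilter Profile : webfilter_profile
ICAP Profile : ICAP_profile
Max Session Per User : 50
Max Session Per IP : 30
Auth Cookie Lifetime : 96
Global Policy Login Option : 1'

# Demo with the page's example values: print the command, then verify the dump.
build_default_policy system_default webfilter_profile ICAP_profile 1 50 30 96 1
printf '%s\n' "$SAMPLE_DUMP" \
    | check_default_policy system_default webfilter_profile ICAP_profile 1 50 30 96 1
```

Run the check with the real show default-policy output piped in after applying the command; a MISMATCH line means the appliance is not running the policy you intended, which is worth catching before guests start browsing through it.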

Applying profile settings to a local user account

To apply profile settings to a local user account:
  1. From the administration portal, go to Policies and Profiles > Policies and make sure the policy you want to apply exists. If not, create a new policy with the desired profiles.
  2. Go to Users > User Definition. Select the user you wish to apply the profile settings to and click Edit.
  3. From the Policy Name drop-down menu, select the policy you wish to apply to the local user.
  4. Click OK to finish.

Applying profile settings to user groups

To apply profile settings to user groups:
  1. From the administration portal, go to Policies and Profiles > Policies and make sure the policy you want to apply exists. If not, create a new policy with the desired profiles.
  2. Go to Users > User Groups. Select the user group to which you wish to apply the profile settings and click Edit.
  3. From the Policy Name drop-down menu, select the policy you wish to apply to the user group.
  4. Click OK to finish.