Default policy
There are several ways you can apply Isolator profile and Web Filter profile settings to end users. Isolator profiles and Web Filter profiles can be applied to the guest account, individual local user accounts, and/or local user groups.
Applying default policy and profile settings
FortiIsolator applies the Default Policy to guest users and to local users that are not assigned to a group with a selected policy. The Default Policy is a way to apply a particular Isolator profile, Web Filter profile, and/or ICAP profile to individual local users or guests.
To apply profiles to default policy from GUI:
- Go to Policies and Profiles > Default Policy and select the desired Guest Type. This option determines how end users log in:
  guest disable: A user has to log in with a user account of one of the following types:
    - Local user - The user logs in by entering the username and password configured in User Definition, if Login Option is Local User or SAML User.
    - NTLM user - If an FSSO agent server is configured in LDAP servers, the user can log in with single sign-on by clicking the NTLM Authentication link and entering the credentials.
    - SAML user - If a SAML server is configured through FortiAuthenticator in SAML servers, the user can log in with single sign-on by clicking the SAML Single Sign On link and entering the credentials.
  guest enable: A user can log in with either a user account or as a guest.
    To log in with a user account, the user enters the credentials of one of the following account types:
    - Local user - The user enters the username and password configured in User Definition.
    - NTLM user - If an FSSO agent server is configured in LDAP servers, the user can log in with single sign-on by clicking the NTLM Authentication link and entering the credentials.
    - SAML user - If a SAML server is configured through FortiAuthenticator in SAML servers, the user can log in with single sign-on by clicking the SAML Single Sign On link and entering the credentials.
    To log in as a guest, the user leaves the username and password empty and selects Guest.
  guest only: A user has to log in as a guest. With guest only, the login page is not shown; users can browse sites without being prompted to log in.
- Select the Isolator profile, Web Filter profile, and/or ICAP profile to be used in the policy. Also set Max Session Per User, Max Session Per IP, Auth Cookie Lifetime, and Login Option for the default policy.
  Default Isolator Profile Name: Select an Isolator profile for the Default Policy.
  Default WebFilter Profile Name: Select a Web Filter profile for the Default Policy.
  Default ICAP Profile Name: Select an ICAP profile for the Default Policy.
  Max Session Per User: Maximum number of sessions (tabs) allowed for requests from the same local user.
  Max Session Per IP: Maximum number of sessions (tabs) allowed for requests from a single IP address.
  Auth Cookie Lifetime: Number of hours after which the authorization cookie expires and the user must log in again. Enter an integer in the range 1-240. This setting does not take effect when the user is in guest mode.
  Login Option: Select how the user is allowed to log in. This option is available only if Guest Type is guest disable and a SAML server is configured through FortiAuthenticator in SAML servers.
    - Local User or SAML User: Allow the user to log in using a local user account or SAML credentials.
    - SAML User: Allow the user to log in using SAML credentials only. Local user accounts are not allowed.
- Click OK to finish.
To apply profiles to default policy from CLI:
> set guest-type 0|1|2
(disabled = 0, enabled = 1, guest-only = 2)
For example:
> set guest-type 0
> show guest-type
guest type : Disabled
> set guest-type 1
> show guest-type
guest type : Enabled
> set guest-type 2
> show guest-type
guest type : Guest Only
> set default-policy <isolator-profile-name> <webfilter-profile-name> <icap-profile-name> <guest-type> <max-session-per-user> <max-session-per-ip> <auth-cookie-lifetime> <global-policy-login-option>
For example:
> set default-policy system_default webfilter_profile ICAP_profile 1 50 30 96 1
<isolator-profile-name>: Isolator profile name.
<webfilter-profile-name>: Web Filter profile name.
<icap-profile-name>: ICAP profile name.
<guest-type>: Login mode of the user: 0 = disabled, 1 = enabled, 2 = guest only.
<max-session-per-user>: Maximum number of sessions (tabs) allowed for requests from the same local user.
<max-session-per-ip>: Maximum number of sessions (tabs) allowed for requests from a single IP address.
<auth-cookie-lifetime>: Number of hours after which the authorization cookie expires and the user must log in again. This parameter accepts integers in the range 1-240.
<global-policy-login-option>: Login option allowed for the user. This option is available only if Guest Type is guest disable and a SAML server is configured through FortiAuthenticator in SAML servers.
To display the default policy profile from CLI:
> show default-policy
Default Policy:
Guest Type : 1
Isolator Profile : system_default
WebFilter Profile : webfilter_profile
ICAP Profile : ICAP_profile
Max Session Per User : 50
Max Session Per IP : 30
Auth Cookie Lifetime : 96
Global Policy Login Option : 1
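As an added example (not FortiIsolator code), a small Python helper that builds the `set default-policy` line with the ranges documented above, parses the `show default-policy` output, and spells out what the guest-type setting implies. The rule that profile names must be single tokens is an assumption, not something the page states.

```python
import re
# Values the page documents for guest-type; auth-cookie-lifetime accepts 1-240 hours.
GUEST_TYPES = {0: "Disabled", 1: "Enabled", 2: "Guest Only"}
COOKIE_HOURS = range(1, 241)

def build_default_policy(isolator, webfilter, icap, guest_type,
                         max_per_user, max_per_ip, cookie_hours, login_option):
    # Return the `set default-policy` line after checking the documented ranges.
    if guest_type not in GUEST_TYPES:
        raise ValueError(f"guest-type must be 0, 1 or 2, got {guest_type}")
    if cookie_hours not in COOKIE_HOURS:
        raise ValueError(f"auth-cookie-lifetime must be 1-240, got {cookie_hours}")
    # Assumption (not stated on the page): the arguments are positional, so a
    # profile name containing whitespace would shift every argument after it.
    if any(re.search(r"\s", name) for name in (isolator, webfilter, icap)):
        raise ValueError("profile names must be single tokens")
    return (f"set default-policy {isolator} {webfilter} {icap} {guest_type} "
            f"{max_per_user} {max_per_ip} {cookie_hours} {login_option}")

def parse_show_default_policy(text):
    # Turn the 'Key : value' lines printed by `show default-policy` into a dict.
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S.*?)\s*$", line)
        if m:  # the bare 'Default Policy:' header has no value and is skipped
            fields[m.group(1)] = m.group(2)
    return fields

def review_default_policy(fields):
    # Spell out what the parsed settings mean, using the rules stated on this page.
    notes = []
    guest_type = int(fields["Guest Type"])
    if guest_type == 2:
        notes.append("guest only: no login page is shown, every user browses as guest")
    if guest_type != 0:
        notes.append("Auth Cookie Lifetime does not apply to guest sessions")
        notes.append("Login Option is available only when Guest Type is guest disable")
    return notes
# Constructed sample: the `show default-policy` output quoted on this page.
SAMPLE_SHOW = """Default Policy:
Guest Type : 1
Isolator Profile : system_default
WebFilter Profile : webfilter_profile
ICAP Profile : ICAP_profile
Max Session Per User : 50
Max Session Per IP : 30
Auth Cookie Lifetime : 96
Global Policy Login Option : 1
"""
```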
Applying profile settings to a local user account
To apply profile settings to a local user account:
- From the administration portal, go to Policies and Profiles > Policies and make sure the policy you want to apply exists. If not, create a new policy with the desired profiles.
- Go to Users > User Definition. Select the user you wish to apply the profile settings to and click Edit.
- From the Policy Name drop-down menu, select the policy you wish to apply to the local user.
- Click OK to finish.
Applying profile settings to user groups
To apply profile settings to user groups:
- From the administration portal, go to Policies and Profiles > Policies and make sure the policy you want to apply exists. If not, create a new policy with the desired profiles.
- Go to Users > User Groups. Select the user group you wish to apply the profile settings to and click Edit.
- From the Policy Name drop-down menu, select the policy you wish to apply to the user group.
- Click OK to finish.