User and Device Scheduling

Video Activity

Time: 1 hour 35 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Description

In this video, you will learn how to create schedules that restrict internet access based on time and user account info, allowing you more control over what content users can access and how much bandwidth is used. This example involves a full-time employee with unlimited access, a part-time employee with limited access, and a restriction on mobile devices. Visit Fortinet's documentation library at http://docs.fortinet.com

Video Transcription
00:00
>> In this video, you will learn how to create schedules
00:00
that restrict Internet access
00:00
based on time and user account info,
00:00
allowing you more control over what content users
00:00
can access and how much bandwidth is used.
00:00
This example involves
00:00
a full-time employee with unlimited access,
00:00
a part-time employee with limited access,
00:00
and a restriction on smartphones, but not tablets.
00:00
First, go to User and Device,
00:00
User Definitions to create two users,
00:00
each with the username and a password.
00:00
Then go to the User Groups list
00:00
and create a full-time group,
00:00
adding the first user you created,
00:00
and a part-time group
00:00
with the second user that you created.
00:00
Next, go to Policy and Objects,
00:00
Schedules to create a schedule
00:00
to represent part-time users.
00:00
Set the type to recurring and set the days and
00:00
hours you want part-time users
00:00
to be able to access the Internet.
00:00
Now go to User and Device,
00:00
Device Groups and create a new group that will
00:00
include the various types of smartphones as members.
00:00
Go to the policy list to create
00:00
the three policies that will govern full-time,
00:00
part-time, and mobile users.
00:00
For the full-time policy,
00:00
set the incoming interface to the local interface,
00:00
source users to the full-time group,
00:00
outgoing interface to your Internet facing interface,
00:00
and set the schedule to always.
00:00
Configure the rest as normal, and enable NAT.
00:00
Scroll down to the logging options,
00:00
enable log allowed traffic,
00:00
and select all sessions to
00:00
log all full-time user traffic.
00:00
Next, create the part-time policy.
00:00
Set the incoming interface to local,
00:00
the source users to the part-time group,
00:00
outgoing interface to the Internet,
00:00
and set the schedule to part-time.
00:00
Enable NAT and log all sessions. On the policy list,
00:00
right-click the title row and add ID to
00:00
the list of visible columns and select "Apply".
00:00
Note down the ID for
00:00
the part-time policy that you created.
00:00
Go to System,
00:00
Dashboard, Status,
00:00
and open the CLI console
00:00
and enter the following commands to ensure that
00:00
part-time access will be revoked from
00:00
existing sessions on off scheduled times and days.
00:00
Config firewall policy, edit the ID number,
00:00
set schedule-timeout
00:00
enable. And lastly,
00:00
return to the policy list and create
00:00
a policy that denies all mobile traffic.
00:00
Set the incoming interface to the local interface,
00:00
source device to your mobile device group,
00:00
outgoing interface to your Internet facing interface,
00:00
and set the action to deny.
00:00
Make sure log violation traffic is enabled.
00:00
Back on the policy list,
00:00
move this policy to the top
00:00
so it will take effect first.
00:00
>> Browse the Internet using
00:00
a computer on the local network.
00:00
You will be prompted
00:00
to enter authentication credentials.
00:00
>> Log in using the full-time account.
00:00
You will then be able to
00:00
access the Internet at any time.
00:00
>> In the FortiGate interface,
00:00
go to User and Device,
00:00
Monitor, Firewall,
00:00
select the full-time user and de-authenticate them.
00:00
Attempt to browse the Internet again
00:00
and log in using the part-time account.
00:00
If you are outside the part-time schedule,
00:00
you will be unable to access the Internet.
00:00
All attempts to connect to the Internet
00:00
using a mobile phone will be denied.
00:00
Thank you for watching.
00:00
If you need further details,
00:00
you can visit docs.fortinet.com at
00:00
any time to access our complete documentation library.