Managing Guest Access

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a large event such as a conference, you might need to create many such temporary accounts. The FortiOS Guest Management feature is designed for this purpose.

A guest user account User ID can be the user’s email address, a randomly generated string, or an ID that the administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.

You can create many guest accounts at once using randomly-generated User IDs and passwords. This reduces administrator workload for large events.

 

User’s view of guest access

1. The user receives an email, SMS message, or printout from a FortiOS administrator listing a User ID and password.

2. The user logs onto the network with the provided credentials.

3. After the expiry time, the credentials are no longer valid.

 

Administrator’s view of guest access

1. Create one or more guest user groups.

All members of the group have the same characteristics: type of User ID, type of password, information fields used, type and time of expiry.

2. Create guest accounts using Guest Management.

3. Use captive portal authentication and select the appropriate guest group.

 

Configuring guest user access

To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally, you can create a guest management administrator whose only function is the creation of guest accounts in specific guest user groups. Otherwise, any administrator can do guest management.

 

Creating guest management administrators

To create a guest management administrator

1. Go to System > Admin > Administrators and create a regular administrator account.

For detailed information see the System Administration chapter.

2. Select Restrict to Provision Guest Accounts.

3. In Guest Groups, add the guest groups that this administrator manages.

 

Creating guest user groups

The guest group configuration determines the fields that are provided when you create a guest user account.

 

To create a guest user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter the following information:

Name                                           Enter a name for the group.

Type                                            Guest

Viewing, editing and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User > User Groups.

 

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a Radius based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set, and members are added you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

 

To edit a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to edit.

3. Select the Edit button.

4. Modify the user group as needed.

5. Select OK.

 

 

To edit a user group – CLI example:

This example adds user3 to Group1. Note that you must re-specify the full list of users:

config user group edit Group1

set group-type firewall

set member user2 user4 user3 end

 

 

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to, it such as security policies. If there are, you must remove those references before you are able to delete the user group.

 

To remove a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to remove.

3. Select the Delete button.

4. Select OK.

 

 

To remove a user group – CLI example:

config user group delete Group2

end

 

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

 

To create a peer group – CLI example:

config user peergrp edit vpn_peergrp1

set member pki_user1 pki_user2 pki_user3 end

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 589. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 553.

Editing CASI profiles

The CASI profile application list consists of the Application Name, Category, and Action. A default

CASI profile exists, with the option to create custom profiles. For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

lFor business services, such as Salesforce and Zoho:

Option to allow, block, or monitor file download/upload and login.

For collaboration services, such as Google.Docs and Webex:

Option to allow, block, or monitor file access/download/upload and login.

For web email services, such as Gmail and Outlook:

Option to allow, block, or monitor attachment download/upload, chat, read/send message.

For general interst services, such as Amazon, Google, and Bing:

Option to allow, block, or monitor login, search phase, and file download/upload.

For social media services, such as Facebook, Twitter, and Instagram:

Option to allow, block, or monitor chat, file download/upload, post, login.

For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive:

Option to allow, block, or monitor file access/download/upload and login.

For video/audio services, such as YouTube, Netflix, and Hulu:

Option to allow, block, or monitor channel access, video access/play/upload, and login.

 

 

CLI Syntax

 

configure application casi profile edit “profile name”

set comment “comment”

set replacemsg-group “xxxx”

set app-replacemsg [enable|disable]

configure entries edit

set application “app name”

 

 

 

 

 

 

 

 

 

next end

set action [block|pass]

set log [enable|disable]

next edit 2

 

 

configure firewall policy edit “1”

set casi-profile “profile name” next

end

 

config firewall sniffer edit 1

set casi-profile-status [enable|disable]

set casi-profile “sniffer-profile” next

end

 

config firewall interface-policy edit 1

set casi-profile-status [enable|disable]

set casi-profile “2” next

end

Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied on a policy much like any other security profile.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web fil- tering for example.

Make sure to only use Flow-based profiles in combination with CASI on a specific policy.

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable|disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security

Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.

7–day time display

In FortiOS 5.4, the following FortiGate models now support 7-day time display:

• FortiGate 1000D
• FortiGate 1500D
• FortiGate 3700DX
• FortiGate 3700D

The option for 7-day time display, however, can only be configured in the CLI using the following command:

config log setting

set fortiview-weekly-data {enable|disable}

end

FortiGuard Cloud App DB identification

FortiView now recognizes FortiGuard Cloud Application database traffic, which is mainly monitored and validated by FortiFlow, an internal application that identifies cloud applications based on IP, Port, and Protocol. Administrators can potentially use this information for WAN Link Load Balancing, for example.