Hello

You can achieve this in various ways, Navigate to Configure > Authentication > Users, select the user and set Access Time as Denied all the time. You can also create a Firewall rule on the top with Identity set to "Match Known Users" , select the users for which the access has to be denied and set the Web Policy and Application Control as "DENY ALL"

Let me know if that works for you.

Hello

Thank you very much for your answer

I can give access or deny to any Active Directory User, for users there is no problem, for exemple i can give internet access to "ahmed" but not to "khaled" , my real problem when i connect to the network  a local machine wich it's not joined to the Domain controller, this machine can connect to the internet even if i checked the "Match Known Users"

Hello

Thank you very much for your answer

I can give access or deny to any Active Directory User, for users there is no problem, for exemple i can give internet access to "ahmed" but not to "khaled" , my real problem when i connect to the network  a local machine wich it's not joined to the Domain controller, this machine can connect to the internet even if i checked the "Match Known Users"

Firewall Rules with "Match Known Users" will only allow the traffic for authenticated user. You will have to authenticate the user using Captive Portal or other method.

i add a firwall rule at the "top" like this picture:

Now only AD-User can get access to the internet, and others like local user they can't access to the internet.

But when i login with a local user, the browser doesn't ask me to enter login/pass even if i checked for "Captive Portal"

Zidane,

Check the "show the captive portal to unknown users on the firewall rule where you would like to force the authentication.

This thread should be closed because the title is so general.

I will pm you in order to edit this thread.

Thanks