Firewall Policy Configuring firewall policies
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 397
http://docs.fortinet.com/ • Feedback
For example, if you want to require HTTPS certificate-based authentication before
allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy)
that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the
network user would send traffic using the HTTPS service, which the FortiGate unit would
use to verify the network user’s certificate; upon successful certificate-based
authentication, the network user would then be able to access his or her email.
In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit’s
authentication challenge.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see “User Group” on page 666. For
information on configuring authentication settings, see “Identity-based firewall policy
options (non-SSL-VPN)” on page 397 and “Configuring SSL VPN identity-based firewall
policies” on page 400.
Identity-based firewall policy options (non-SSL-VPN)
For network users to use non-SSL-VPN identity-based policies, you need to add user
groups to the policy. For information about configuring user groups, see “User Group” on
page 666.
To configure identity-based policies, go to Firewall > Policy, select Create New to add a
firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make
sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Figure 210: Selecting user groups for authentication
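As an added example that is not part of the guide, the CLI equivalent of the steps above: an unauthenticated DNS policy placed first, then an identity-based policy whose service set includes HTTPS, SMTP and POP3 so that certificate-based authentication over HTTPS can precede email traffic. The interface names (internal, wan1), the user group (mail_users) and the policy IDs are assumptions, and the command keywords follow the FortiOS 4.0 CLI as recalled, so verify them against the CLI Reference for your build.

```fortios
# Constructed example, not taken from the guide.
# Policies are matched top-down, so the DNS policy (no authentication)
# must sit above the identity-based policy that triggers the challenge.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        # Equivalent of "Enable Identity Based Policy" in the GUI
        set identity-based enable
        config identity-based-policy
            edit 1
                # Assumed user group; create it first under User > User Group
                set groups "mail_users"
                set schedule "always"
                # HTTPS carries the certificate challenge; SMTP/POP3 are
                # only reachable after that authentication succeeds
                set service "HTTPS" "SMTP" "POP3"
            next
        end
    next
end
```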
Note: If you do not install certificates on the network users’ web browsers, the network users
may see an SSL certificate warning and have to manually accept the default FortiGate
certificate, which their web browsers may deem invalid. For information on installing
certificates, see “System Certificates” on page 301.
Note: When you use certificate authentication, if you do not specify a certificate when you
create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting. For
information on global authentication settings, see “Options” on page 675.