Configuring firewall policies Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
398 01-410-89802-20090903
http://docs.fortinet.com/
To create an identity-based firewall policy (non-SSL-VPN)
1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone,
Destination Address, Schedule, and Service. For more information, see “Configuring
firewall policies” on page 391.
3 In the Action field, select ACCEPT.
4 Select the Enable Identity Based Policy check box.
A table opens below the check box.
5 Select Add.
Enable Identity Based Policy: Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.
Add: Select to create an identity-based firewall policy. For more information, see “To create an identity-based firewall policy (non-SSL-VPN)” on page 398.
User Group: The selected user groups that must authenticate to be allowed to use this policy.
Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 437.
Service: The firewall service or service group that packets must match to trigger this policy.
Profile: The protection profile to apply to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 479.
Traffic Shaping: The traffic shaping configuration for this policy. For more information, see “Firewall Policy” on page 387.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy’s shaping configuration to traffic from port2 to port1.
Log Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Delete icon: Select to remove this policy.
Edit icon: Select to modify this policy.
Firewall: Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service (FSAE): Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the FSAE Technical Note. For information about configuring user groups, see “User Group” on page 666.
NTLM Authentication: Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see “User Group” on page 666.
Certificate: Certificate-based authentication only. Select the protection profile that guest accounts will use. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network user’s web browser. For more information, see “Adding authentication to firewall policies” on page 396.
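The procedure above expressed as a FortiOS CLI configuration fragment, added here as an example and not taken from the guide. The interface, address, schedule, service, profile and user group names are constructed, and the option keywords marked "assumed" (identity-based, identity-based-policy, groups, logtraffic, profile-status, profile, fsae, ntlm) should be checked against the CLI reference for your firmware build before use.

```text
# Added example (not from the guide): identity-based ACCEPT policy.
# Object names are constructed; keywords marked "assumed" must be
# verified against the CLI reference for the installed firmware.
config firewall policy
    edit 10
        # Step 2: interfaces, addresses, schedule and service
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP"
        # Step 3: identity-based policies require action ACCEPT
        set action accept
        # Step 4: enable identity-based policy (assumed keyword)
        set identity-based enable
        # Authentication server types: local, LDAP and RADIUS groups
        # are included by default; FSAE and NTLM groups are opt-in
        # (assumed keywords, shown at their default of disable)
        set fsae disable
        set ntlm disable
        # Step 5: each "Add" in the GUI becomes one sub-policy entry
        # (assumed sub-table name and field keywords)
        config identity-based-policy
            edit 1
                set groups "Staff-Web"
                set schedule "business-hours"
                set service "HTTP"
                # Log Allowed Traffic (green check mark in the table)
                set logtraffic enable
                # Protection profile applied to this sub-policy
                set profile-status enable
                set profile "strict"
            next
        end
    next
end
```

Only users who authenticate as members of "Staff-Web" during "business-hours" match entry 1; traffic that matches the policy but no sub-policy entry is not accepted by it.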