Configuring firewall policies Firewall Policy
FortiGate Version 4.0 Administration Guide
328 01-400-89802-20090424
http://docs.fortinet.com/
In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit’s
authentication challenge.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see “User Group” on page 583. For
information on configuring authentication settings, see “Identity-based firewall policy
options (non-SSL-VPN)” on page 328 and “Configuring SSL VPN identity-based firewall
policies” on page 331.
Identity-based firewall policy options (non-SSL-VPN)
For network users to use non-SSL-VPN identity-based policies, you need to add user
groups to the policy. For information about configuring user groups, see “User Group” on
page 583.
To configure identity-based policies, go to Firewall > Policy, select Create New to add a
firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make
sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Figure 193: Selecting user groups for authentication
Note: If you do not install certificates on the network users’ web browsers, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which their web browsers may regard as invalid. For information on
installing certificates, see “System Certificates” on page 243.
Note: When you use certificate authentication and do not specify a certificate when you
create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting.
For information on global authentication settings, see “Options” on page 590.
Enable Identity Based Policy
    Select to enable identity-based policy authentication.
    When the Action is set to ACCEPT, you can select one or more authentication
    server types. When a network user attempts to authenticate, the server types
    selected indicate which local or remote authentication servers the FortiGate unit
    will consult to verify the user’s credentials.

Add
    Select to create an identity-based firewall policy. For more information, see “To
    create an identity-based firewall policy (non-SSL-VPN)” on page 329.

User Group
    The selected user groups that must authenticate to be allowed to use this policy.

Schedule
    The one-time or recurring schedule that controls when the policy is in effect.
    You can also create schedules by selecting Create New from this list. For more
    information, see “Firewall Schedule” on page 361.