Configuring firewall policies
Firewall Policy
FortiGate Version 4.0 Administration Guide
328
01-400-89802-20090424
In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit’s authentication challenge.

Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign a protection profile to that user group. For information on configuring user groups, see. For information on configuring authentication settings, see “Identity-based firewall policy options (non-SSL-VPN)” on page 328 and “Configuring SSL VPN identity-based firewall.
Identity-based firewall policy options (non-SSL-VPN)
For network users to use non-SSL-VPN identity-based policies, you need to add user groups to the policy. For information about configuring user groups, see.

To configure identity-based policies, go to Firewall > Policy, select Create New to add a firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Figure 193: Selecting user groups for authentication
Note: If you do not install certificates on the network user’s web browser, the network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which the network users’ web browsers may then deem invalid. For information on installing certificates, see “System Certificates” on page 243.
Note: When you use certificate authentication, if you do not specify any certificate when you create a firewall policy, the FortiGate unit uses the default certificate from the global settings. If you specify a certificate, the per-policy setting overrides the global setting. For information on global authentication settings, see.
Enable Identity Based Policy
    Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.

Add
    Select to create an identity-based firewall policy. For more information, see “create an identity-based firewall policy (non-SSL-VPN)” on page 329.

User Group
    The selected user groups that must authenticate to be allowed to use this policy.

Schedule
    The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Delete

Edit
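The two policies this section describes, written as FortiOS CLI rather than GUI steps (an added example from the editor, not text from the guide): an unauthenticated DNS policy placed above the identity-based policy, so that the authentication challenge can be triggered by domain name as the note at the start of the section requires, followed by the identity-based policy whose user group and schedule correspond to the Add, User Group and Schedule controls above. The interface names, the "all" address objects, the user group "staff" and the policy IDs are assumptions; the keywords follow the FortiOS 4.0 identity-based policy syntax as the editor understands it and should be checked against the CLI Reference for your firmware build. Lines beginning with # are explanatory and are not CLI input.

```text
# Constructed example, not from the guide. Interfaces internal/wan1, the
# user group "staff" and policy IDs 1 and 2 are assumptions.
config firewall policy
    # Policy 1: DNS without authentication. It must sit above the
    # identity-based policy in the policy table (use "move" if it does
    # not), otherwise unauthenticated users cannot resolve the name they
    # type to reach the FortiGate authentication challenge.
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    # Policy 2: identity-based. Action is accept, and the user group,
    # schedule and services live in the identity-based-policy sub-table,
    # one entry per row created with Add in the GUI.
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set groups "staff"
                set schedule "always"
                set service "HTTP" "HTTPS"
            next
        end
    next
end
# Policy order is by position in the table, not by ID; if policy 2 was
# created first, "move 1 before 2" inside "config firewall policy"
# places the DNS policy ahead of it.
```

Traffic that matches neither policy is dropped by the implicit deny, so the DNS policy is what keeps name resolution working for users who have not yet authenticated.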