Table of Contents
Advertisement
User groups
SSL VPN user groups
Protection profiles
40
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.
For a Directory Service user group, the Directory Service server authenticates
users when they log on to the network. The FortiGate unit receives the user's
name and IP address from the FSAE collector agent. For more information about
FSAE, see the
FSAE Technical Note.
A Directory Service user group provides access to a firewall policy that requires
Directory Service type authentication and lists the user group as one of the
allowed groups. The members of the user group are Directory Service users or
groups that you select from a list that the FortiGate unit receives from the
Directory Service servers that you have configured. See
servers" on page
27.
Note: A Directory Service user group cannot have SSL VPN access.
For more information about users and user groups, see the
Administration Guide.
An SSL VPN user group provides access to a firewall policy that requires
SSL VPN type authentication and lists the user group as one of the allowed
groups. Local user accounts, LDAP, and RADIUS servers can be members of an
SSL VPN user group. The FortiGate unit requests the user's user name and
password when the user accesses the SSL VPN web portal. The user group
settings include options for SSL VPN features.
An SSL VPN user group can also provide access to an IPSec VPN for dialup
users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID
in dialup group peer option. You configure the user's VPN client with the user
name as peer ID and the password as pre-shared key. The user can connect
successfully to the IPSec VPN only if the user name is a member of the allowed
user group and the password matches the one stored on the FortiGate unit.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.
Each user group is associated with a protection profile to determine the antivirus,
web filtering, spam filtering, logging, and intrusion protection settings that apply to
the authenticated connection. The FortiGate unit contains several pre-configured
protection profiles and you can create your own as needed.
When you create or modify any firewall policy, you can select a protection profile.
If the firewall policy requires authentication, its own protection profile is disabled
and the authentication user group protection profile applies.
Note: Protection profiles do not apply to VPN connections.
Users/peers and user groups
"Directory Service
FortiGate
FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828
Advertisement
Table of Contents
