Adding Authentication To Firewall Policies - Fortinet FortiGate Series Administration Manual

Configuring firewall policies

Adding authentication to firewall policies

Traffic Priority
Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default, so any unshaped policy competes on equal terms with the traffic you intended to prioritize. Distribute firewall policies over all three priority queues.

Reverse Direction Traffic Shaping
Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Log Allowed Traffic
Select to record a message in the traffic log whenever the policy processes a connection. You must also enable the traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see "Log&Report" on page 709.

Log Violation Traffic
Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record a message in the traffic log whenever the policy processes a connection. You must also enable the traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see "Log&Report" on page 709.

Enable Endpoint NAC
Select to enable the Endpoint NAC feature. From the list, select the Endpoint NAC profile to apply. For more information, see "Endpoint NAC" on page 695.
Notes:
You cannot enable Endpoint NAC in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
If the firewall policy involves a load balancing virtual IP, the Endpoint NAC check is not performed.

Comments
Add information about the policy. The maximum length is 63 characters.

If you enable Enable Identity Based Policy in a firewall policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
HTTP
HTTPS
FTP
Telnet
The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user uses to trigger the authentication challenge. The authentication style will be one of two types. For certificate-based (HTTPS, or HTTP redirected to HTTPS, only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password.

FortiGate Version 4.0 MR1 Administration Guide
Firewall Policy
396
01-410-89802-20090903
http://docs.fortinet.com/
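The options described in the table above (Traffic Priority, Reverse Direction Traffic Shaping, Log Allowed Traffic, Log Violation Traffic, Comments) and the identity-based policy described in this section can also be configured from the FortiOS CLI. The configuration below is an added example written for this page; it is not taken from the manual or from Fortinet. The interface names port1 and port2, the address object shop_web_server, the shaper names ecommerce-high and bulk-low, and the user group internal_users are constructed placeholders, and the option names follow the FortiOS 4.0 CLI as the editor understands it, so treat them as assumptions to check against the CLI Reference for your build. Endpoint NAC is not shown. Policy 1 is a shaped, logged accept policy with reverse-direction shaping; policy 2 is an identity-based policy whose sub-policy lists only HTTP and FTP, so only those protocols can trigger the authentication challenge and no other traffic from a user who has not yet authenticated is passed; policy 3 is a deny policy with violation logging.

```fortios
# Added example, not from the manual. All names are constructed placeholders.
# Shared shapers: the High / Medium / Low choice behind the Traffic Priority option.
config firewall shaper traffic-shaper
    edit "ecommerce-high"
        set priority high
        set guaranteed-bandwidth 2048
        set maximum-bandwidth 10240
    next
    edit "bulk-low"
        set priority low
        set maximum-bandwidth 2048
    next
end

config firewall policy
    # Policy 1: e-commerce web traffic, high priority, shaped in both directions,
    # with Log Allowed Traffic. shop_web_server must exist under config firewall address.
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "shop_web_server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Log Allowed Traffic
        set logtraffic enable
        # Traffic Priority = High, applied to port1->port2
        set traffic-shaper "ecommerce-high"
        # Reverse Direction Traffic Shaping: the same shaper for port2->port1
        set traffic-shaper-reverse "ecommerce-high"
        # Comments field, at most 63 characters
        set comments "e-commerce web server, high priority"
    next
    # Policy 2: identity-based. Users on port1 must authenticate through HTTP or FTP
    # (the only authentication-capable protocols in this sub-policy's service list)
    # before the FortiGate passes any other traffic matching the policy.
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "internal_users"
                set schedule "always"
                set service "HTTP" "FTP"
                set logtraffic enable
            next
        end
    next
    # Policy 3: explicit deny with Log Violation Traffic. Shaped with the low-priority
    # shaper so that no policy is left unshaped (an unshaped policy defaults to high).
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set traffic-shaper "bulk-low"
    next
end
```

As the table notes, the logtraffic settings only produce records once a logging location is enabled with a severity level of Notification or lower under Log and Report; without that, the policy-level setting has no visible effect.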
