Fortinet FortiGate Series Administration Manual, page 398

Configuring firewall policies
Enable Identity Based Policy
    Select to enable identity-based policy authentication.
    When the Action is set to ACCEPT, you can select one or more authentication
    server types. When a network user attempts to authenticate, the server types
    selected indicate which local or remote authentication servers the FortiGate unit
    will consult to verify the user's credentials.

Add
    Select to create an identity-based firewall policy. For more information, see
    "To create an identity-based firewall policy (non-SSL-VPN)" on page 398.

User Group
    The selected user groups that must authenticate to be allowed to use this policy.

Schedule
    The one-time or recurring schedule that controls when the policy is in effect.
    You can also create schedules by selecting Create New from this list. For more
    information, see "Firewall Schedule" on page 479.

Service
    The firewall service or service group that packets must match to trigger this policy.

Profile
    The protection profile to apply to this policy. You can also create a protection
    profile by selecting Create New from this list. For more information, see
    "Protection Profile".

Traffic Shaping
    The traffic shaping configuration for this policy. For more information, see
    "Firewall Policy".

Reverse Direction Traffic Shaping
    Select to enable reverse traffic shaping. For example, if the traffic direction
    that a policy controls is from port1 to port2, selecting this option also applies
    the policy's shaping configuration to traffic from port2 to port1.

Log Traffic
    If the Log Allowed Traffic option is selected when adding an identity-based policy,
    a green check mark appears. Otherwise, a white cross mark appears.

Delete icon
    Select to remove this policy.

Edit icon
    Select to modify this policy.

Firewall
    Include firewall user groups defined locally on the FortiGate unit, as well as on
    any connected LDAP and RADIUS servers. This option is selected by default.

Directory Service (FSAE)
    Include Directory Service groups defined in User > User Group. The groups are
    authenticated through a domain controller using Fortinet Server Authentication
    Extensions (FSAE). If you select this option, you must install the FSAE on the
    Directory Service domain controller. For information about FSAE, see the FSAE
    Technical Note. For information about configuring user groups, see "User Group"
    on page 666.

NTLM Authentication
    Include Directory Service groups defined in User > User Group. If you select this
    option, you must use Directory Service groups as the members of the
    authentication group for NTLM. For information about configuring user groups,
    see "User Group" on page 666.

Certificate
    Certificate-based authentication only. Select the protection profile that guest
    accounts will use. Note: In order to implement certificate-based authentication,
    you must select a firewall service group that includes one of the supported
    authentication protocols that use certificate-based authentication. You should also
    install the certificate on the network user's web browser. For more information,
    see "Adding authentication to firewall policies".

To create an identity-based firewall policy (non-SSL-VPN)
1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone,
  Destination Address, Schedule, and Service. For more information, see
  "Configuring firewall policies".
3 In the Action field, select ACCEPT.
4 Select the Enable Identity Based Policy check box.
  A table opens below the check box.
5 Select Add.
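The same policy expressed in the FortiOS 4.0 CLI, as an added example that is not part of this guide page: the CLI keywords (identity-based, identity-based-policy, groups, profile-status, profile, traffic-shaper-reverse, logtraffic) are assumed from the 4.0 CLI Reference rather than taken from this page, and the interface, address, group, schedule, shaper and profile names are placeholders.

```fortios
# Added example, not from the guide. CLI keywords are assumed FortiOS 4.0 syntax;
# port1, port2, all, always, Sales, HTTP, shaper-1M and strict are placeholder names.
config firewall policy
    edit 10
        # Step 2: source/destination interface and address, schedule and service
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        # Step 3: identity-based authentication is only offered when Action is ACCEPT
        set action accept
        # Step 4: the "Enable Identity Based Policy" check box
        set identity-based enable
        # Step 5: "Add" creates one row of the identity-based policy table;
        # traffic is only accepted for users who authenticate as members of "Sales"
        config identity-based-policy
            edit 1
                # User Group column: group that must authenticate to use this row
                set groups "Sales"
                # Schedule column: when this row is in effect
                set schedule "always"
                # Service column: traffic that must match to trigger this row
                set service "HTTP"
                # Profile column: protection profile applied to matching traffic
                set profile-status enable
                set profile "strict"
                # Traffic Shaping column, plus Reverse Direction Traffic Shaping:
                # the reverse shaper also applies to port2 -> port1 traffic
                set traffic-shaper "shaper-1M"
                set traffic-shaper-reverse "shaper-1M"
                # Log Traffic column: "Log Allowed Traffic" (green check mark in the table)
                set logtraffic enable
            next
        end
    next
end
```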
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/