Fortinet 221 FortiWeb 5.0 Patch 6 Administration Guide
Users
On FortiWeb, user accounts do not log in to the administrative web UI.
Instead, they are used to add HTTP-based authentication and authorize each request from
clients that are connecting through FortiWeb to your protected web servers.
Best practices dictate that each person accessing your web sites should have his or her own
account so that security audits can reliably associate a login event with a specific person.
Accounts should be restricted to URLs for which they are authorized. Authorization may be
derived from a person’s role in the organization.
For example, a CFO would reasonably have access to all financial data, but a manufacturing
technician usually should not. Such segregation of duties in financial regulation schemes often
translates to role-based access control (RBAC) in information systems, which you can
implement through FortiWeb’s HTTP authentication and authorization rules.
For instructions, see “Offloading HTTP authentication & authorization” on page 225.
See also
Authentication styles
Offloading HTTP authentication & authorization
Example: Enforcing complex passwords

Authentication styles

Several methods exist for end-users to authenticate with web sites. These methods differ in
appearance and in the features they offer.

Via the “Authorization:” header in the HTTP/HTTPS protocol

The HTTP/HTTPS protocol itself (RFC 2965) supports simple authentication via the
Authorization: and WWW-Authenticate: fields in HTTP headers.
When a web site requires authentication in order to authorize access to a URL, it replies with an
HTTP 401 Authorization Required response. This elicits a prompt from the web browser.
User authentication is not supported in all operation modes. See “Supported features in each
operation mode” on page 62.
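The following is an added illustration, not FortiWeb code: it models the 401 challenge described above together with the per-URL, role-based authorization rules from the "Users" section. The user table, roles, URL prefixes and passwords are constructed sample values; the realm name and helper functions are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample data: salted PBKDF2 password hashes and a role per account.
SALT = b"example-salt"
REALM = "Protected"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "cfo": {"hash": _hash("cfo-pass"), "role": "finance"},
    "tech": {"hash": _hash("tech-pass"), "role": "manufacturing"},
}

# Authorization rules: URL prefix -> roles permitted to request it (RBAC).
RULES = [
    ("/finance/", {"finance"}),
    ("/shopfloor/", {"manufacturing", "finance"}),
]


def authenticate(headers: dict):
    """Return the username if Authorization carries valid Basic credentials, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    user = USERS.get(username)
    candidate = _hash(password)  # hash even for unknown users to keep timing uniform
    expected = user["hash"] if user else b"\0" * len(candidate)
    return username if hmac.compare_digest(candidate, expected) and user else None


def authorize(path: str, headers: dict):
    """Return (status, response headers): 401 challenge, 403 denial, or 200 allow."""
    username = authenticate(headers)
    if username is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}  # elicits browser prompt
    role = USERS[username]["role"]
    for prefix, roles in RULES:
        if path.startswith(prefix):
            return (200, {}) if role in roles else (403, {})
    return 403, {}  # default deny: no rule covers this URL


def basic_header(username: str, password: str) -> dict:
    """Build the Authorization header a browser sends after the prompt."""
    return {"Authorization": "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()}
```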