Fortinet 240 FortiWeb 5.0 Patch 6 Administration Guide
9. Click OK.
10.Repeat the previous steps for each user that you want to add to the authentication rules.
11.Group the authentication rule in an authentication policy. For details, see “Grouping
authorization rules” on page 240.
Grouping authorization rulesOften, you may want to specify multiple authorization realms to apply to a single server policy.
Before you can use authorization rules in a protection profile, you must group them together.
(These sets are called “authentication policies” in the web UI).
Authentication policies also contain settings such as connection and cache timeouts that will be
applied to all requests authenticated using this authentication policy.
User Realm Type the realm, such as Restricted Area, to which the Auth Path
belongs.
The realm is often used by browsers:
• It may appear in the browser’s prompt for the user’s credentials.
Especially if a user has multiple logins, and only one login is valid for that
specific realm, displaying the realm helps to indicate which user name
and password should be supplied.
• After authenticating once, the browser may cache the authentication
credentials for the duration of the browser session. If the user requests
another URL from the same realm, the browser often will automatically
re-supply the cached user name and password, rather than asking the
user to enter them again for each request.
The realm may be the same for multiple authentication rules, if all of those
URLs permit the same user group to authenticate.
For example, the user group All_Employees could have access to the
Auth Path URLs /wiki/Main and /wiki/ToDo. These URLs both belong
to the realm named Intranet Wiki. Because they use the same realm
name, users authenticating to reach /wiki/Main usually will not have to
authenticate again to reach /wiki/ToDo, as long as both requests are
within the same browser session.
This field does not appear if Auth Type is NTLM, which does not support
HTTP-style realms.
Auth Path Type the literal URL, such as /employees/holidays.html, that a request
must match in order to invoke HTTP authentication.
Setting
name
Description
Alternatively or in addition to HTTP authentication, with SSL connections, you can require that
clients present a valid personal certificate. For details, see “Certificate Verification” on
page 493.