Source Interface, Zone | Fortinet v3.0 MR7 instruction


Configuring authenticated access	Firewall policy authentication

The FortiGate unit performs authentication only on requests to access HTTP, HTTPS, FTP, and Telnet. Once the user is authenticated, the user can access other services if the firewall policy permits.

4Select the position of the DNS policy so that it precedes the policy that provides access to the Internet.

Figure 25: Move firewall policy position selection

5Select OK.

Configuring authenticated access to the Internet

A policy for accessing the Internet is similar to a policy for accessing a specific network, but the destination address is set to all. The destination interface is the one that connects to the Internet service provider. For general purpose Internet access, the Service is set to ANY.

Access to HTTP, HTTPS, FTP and Telnet sites may require access to a domain name service. DNS requests do not trigger authentication. You must configure a policy to permit unauthenticated access to the appropriate DNS server, and this policy must precede the policy for Internet access.

To configure a firewall policy for access to a DNS server - web-based manager

1Go to Firewall > Policy.

2Select Create New to create a new firewall policy, enter the following information, and select OK.

Source Interface/	List of source interfaces available. Select the interface to which
Zone	computers on your network are connected.
Source Address	List of source address names. Select all.

Destination Interface/ List of destination interfaces available. Select the interface that

Zone	connects to the Internet.

Destination Address List of destination address names. Select all.

Schedule	List of available schedules. Select always.
Service	List of available services. Select DNS.
Action	List of available authentication result actions. Select ACCEPT.

Note: Position the DNS server in the firewall policy list according to the guidelines outlined in “Firewall policy order”.

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828	51

Image 51

Fortinet v3.0 MR7 manual Configuring authenticated access to the Internet, Source Interface, Zone

Contents

E R G U I D E Trademarks FortiOS v3.0 MR7 User Authentication User Guide Contents Creating local users Creating peer users Configuring authenticated accessUsers/peers and user groups Index Introduction About authentication User’s view of authentication Web-based user authenticationVPN client-based authentication See Creating local users on See Creating peer users on FortiGate administrator’s view of authentication See Configuring user groups on Authentication servers User groups Public Key Infrastructure PKI authenticationPeers Users VPN tunnels Authentication timeoutAbout this document Firewall policies Name field, type admin FortiGate documentationTypographic conventions Related documentation FortiGate Administration Guide FortiAnalyzer documentation FortiManager documentationFortiClient documentation FortiMail documentation Comments on Fortinet technical documentation Customer service and technical supportFortinet Tools and Documentation CD Fortinet Knowledge Center Radius servers Authentication servers Radius attributes sent in Radius accounting message Configuring the FortiGate unit to use a Radius server Primary Server Secret Primary Server Name/IP Group Edit icon Edit a Radius server configuration Ldap servers Ldapsearch -x objectclass= Configuring the FortiGate unit to use an Ldap server Identifier PasswordServer Port Common Name Certificate To configure the FortiGate unit for Ldap authentication CLIEdit Protocol Ldap server Distinguished Name Query tree Using the Query icon Ascii TACACS+ servers Server Key Authentication Type Directory Service servers Fsae Collector IP Create NewDomain Groups Fsae Collector IP/Name Port Directory Service server configuration Name CLI Example Directory Service server list Directory Service servers Users/peers Users/peers and user groups User type Authentication Creating local usersTo create a local user web-based manager Go to User Local To view a list of all local users, go to User Local Delete icon Edit iconTo create a local user CLI To remove a user from the FortiGate unit configuration CLI Creating peer usersDelete icon Authenticating peer user To view a list of PKI peer users, go to User PKISubject Remove PKI peer user To create a peer user for PKI authentication CLI Directory Service user groups User groupsFirewall user groups Protection profiles SSL VPN user groups Configuring user groups Select Create New and enter the following informationFirewall FortiGuard Web Configuring Directory Service user groupsTo create a firewall user group CLI Members Available Users/Groups or Available Members Configuring SSL VPN user groups Group Name Configuring Peer user groupsViewing a list of user groups To create a peer group CLI Config user group delete groupname End User groups Telnet Authentication timeoutAuthentication protocols Enter the Idle Timeout value seconds Select Apply Authentication Settings Firewall policy authentication Go to Firewall Policy Configuring authentication for a firewall policyAuthentication is an Advanced firewall option To configure authentication for a firewall policy Firewall Policy Move To Firewall policy order Configuring authenticated access to the Internet Source InterfaceZone Go to VPN SSL VPN authenticationConfiguring authentication of SSL VPN users Select Enable SSL-VPN and enter information as follows Encryption Key Algorithm Default RC4128Server Certificate Require Client Certificate To configure authentication for an SSL VPN CLI Select Require Client Certificate, and then select Apply Configuring authentication of VPN peers and clientsConfiguring authentication of Pptp VPN users/user groups Select Enable Pptp To configure authentication for an L2TP VPN CLI Configuring authentication of L2TP VPN users/user groupsConfiguring authentication of remote IPSec VPN users To configure authentication for a Pptp VPN CLI To configure user group authentication for dialup IPSec CLI Only users with passwords on the FortiGate unitRemote Gateway IPSec configuration for dialup users Configuring XAuth authentication Server Type To configure authentication for a dialup IPSec VPN CLIRemote Gateway Authentication Method XAuth VPN authentication Index 01-30007-0347-20080731 MS-CHAP VSA