Configuring authenticated access

To enable logging within an existing security policy – web-based manager:

1. Go to Policy & Objects > Policy > IPv4.

2. Expand to reveal the policy list of a policy.

3. Select the security policy you want to enable logging on and then select Edit.

4. To log all general firewall traffic, select the check box beside Log Allowed Traffic, and choose to enable Security Events or All Sessions.

5. Select OK.


Identity-based policy

An identity-based policy (IBP) performs user authentication in addition to the normal security policy duties. If the user does not authenticate, access to network resources is refused. This enforces Role Based Access Control (RBAC) to your organization’s network and resources.

Identity-based policies also support Single Sign-On operation. The user groups selected in the policy are of the Fortinet Single Sign-On (FSSO) type.

User authentication can occur through any of the following supported protocols: HTTP, HTTPS, FTP, and Telnet. The authentication style depends on which of these protocols is included in the selected security services group and which of the enabled protocols the network user uses to trigger the authentication challenge.

For username and password-based authentication (HTTP, FTP, and Telnet) the FortiGate unit prompts network users to enter their username, password, and token code if two-factor authentication is selected for that user account. For certificate-based authentication, including HTTPS or HTTP redirected to HTTPS only, see Certificate authentication on page 509.

With identity-based policies, the FortiGate unit allows traffic that matches the source and destination addresses, device types, and so on. This means specific security policies must be placed before more general ones to be effective.

When the identity-based policy has been configured, the option to customize authentication messages is available. This allows you to change the text, style, layout, and graphics of the replacement messages associated with this firewall policy. When enabled, customizing these messages follows the same method as changing the disclaimer. See Disclaimer on page 506.

Types of authentication also available in identity-based policies are:

  • NTLM authentication
  • Certificate authentication


NTLM authentication

The NT LAN Manager (NTLM) protocol can be used as a fallback for authentication when the Active Directory (AD) domain controller is unreachable. NTLM uses the web browser to send and receive authentication information. See “NTLM” and “FSSO NTLM authentication support”.

To enable NTLM

1. Go to Policy & Objects > Policy > IPv4 and note the ID number of your FSSO policy.

2. The policy must have an FSSO user group as Source User(s). There must be at least one FSSO Collector agent configured on the FortiGate unit.

3. Edit the policy in the CLI to enable NTLM. For example, if the policy ID is 4:

   config firewall policy
       edit 4
           set ntlm enable
   end
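An added example, not from the handbook or from Fortinet's own documentation, that ties the two procedures on this page together in one CLI policy: an FSSO-type group as the Source User(s), NTLM fallback enabled, and Log Allowed Traffic set to All Sessions. The interface, address and group names are constructed placeholders, the option names are assumed from the FortiOS 5.x CLI syntax used above (verify them against your firmware's CLI reference), and the lines beginning with # are annotations, not CLI input.

```text
# Constructed example: FSSO identity-based policy with NTLM fallback and full session logging.
# "internal", "wan1" and "FSSO_Domain_Users" are placeholder names, not values from this page.
config firewall policy
    edit 4
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Source User(s): the group must be of the FSSO type for NTLM fallback to apply
        set groups "FSSO_Domain_Users"
        # Browser-based NTLM is used only when the AD domain controller is unreachable
        set ntlm enable
        # Log Allowed Traffic: "all" = All Sessions, "utm" = Security Events only
        set logtraffic all
    next
end
```

Because matching stops at the first policy whose addresses, device types and so on match, this identity-based policy must sit above any more general policy covering the same traffic, or users will never be challenged.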
