Wurstsalat
Explorer
February 1, 2018
Solved

Authentication Ruleset, where is the decision which will be used?


Hi there,

For example, I have this (after upgrading from 5.4 to 5.6):

    edit "auth-rule4pol7"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol7"
    next
    edit "auth-rule4pol3"
        set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
        set ip-based disable
        set active-auth-method "auth-sch4pol3"
    next

So basically both have the same criteria... so both may fit. Now I have looked at my previous explicit proxy rules; there it is not mentioned which authentication rule will be used. So how do I prioritise one authentication rule over another? Or how do I say this proxy policy should use this rule, like it was in 5.4?

Hope someone can help.

Best answer by Fishbone_FTNT

Fishbone_FTNT
Staff
February 1, 2018

Hi Wurstsalat, rules are evaluated top-down. So the first will match it all. The second is just a leftover from the upgrade process.

EDIT: You are basically selecting which authentication to use based on the source IP address in the rule. Once a rule is matched, the authentication scheme specified in it will be used.

Fishbone)(

Wurstsalat
Explorer
February 2, 2018

Hi,

Thanks for the response. So how do I reorder? Delete all existing ones and create them in the order I want?

Kind regards

Fishbone_FTNT
Staff
February 2, 2018

Hi Wurstsalat, (btw awesome nickname! :)) You didn't share the auth schemes with us. But if they are the same, you can have only a single pair of rule->scheme mapping.

You need to think of it as policy-like selection of authentication methods. Top-down, the first matching rule selects the authentication methods, depending on whether it's passive (i.e. FSSO or RSSO) or active (Negotiate, NTLM, etc.).

Cheers, Fishbone)(
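
Added example, not part of the original thread and not Fortinet code: a small Python check that applies the top-down, first-match selection described above to the two rules from the question and reports rules that can never be selected. It assumes matching on `srcaddr` object names only (no resolution of overlapping address objects, other match fields ignored); the function names are illustrative.

```python
import shlex

# Constructed sample: the two rules from the question, trimmed to the fields used here.
SAMPLE = '''
edit "auth-rule4pol7"
    set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
    set active-auth-method "auth-sch4pol7"
next
edit "auth-rule4pol3"
    set srcaddr "Inside-Network-Clients" "Inside-Network-Server" "VPNs"
    set active-auth-method "auth-sch4pol3"
next
'''

def parse_rules(text):
    """Return the rules in configuration order, one dict per 'edit' block."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["edit"]:
            rules.append({"name": tokens[1]})
        elif tokens[:1] == ["set"] and rules:
            rules[-1][tokens[1]] = tokens[2:]
    return rules

def matches(rule, src_object):
    """Assumption: a rule matches when it lists the source object or 'all'."""
    srcs = rule.get("srcaddr", [])
    return src_object in srcs or "all" in srcs

def select_rule(rules, src_object):
    """Top-down, first match wins, as described in the answer above."""
    return next((r for r in rules if matches(r, src_object)), None)

def find_shadowed(rules):
    """Map each rule that can never be selected to the earlier rules that win instead."""
    shadowed = {}
    for later in rules:
        srcs = later.get("srcaddr", [])
        winners = {select_rule(rules, s)["name"] for s in srcs}
        if srcs and later["name"] not in winners:
            shadowed[later["name"]] = sorted(winners)
    return shadowed

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print("VPNs ->", select_rule(rules, "VPNs")["active-auth-method"])
    print("shadowed:", find_shadowed(rules))
```

A rule reported as shadowed means its authentication scheme is never applied, so it is worth confirming that the scheme on the winning rule is the one intended for those sources.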

darhan
New Member
February 12, 2018

Good afternoon, the question is, you need to save the browser password in the operating system, because to access the Internet a new provider requires you to enter credentials in the browser window, only after that the Internet will work. And it is necessary that when you turn on the computer, the password that you enter in the browser is automatically stored in the system, and you do not need to enter the password in the browser window (or even when the saved password is in the browser, you need to press continue) so that the system itself is authorized. In short, you need to save the password to the browser in Windows.

Wurstsalat
Explorer
February 12, 2018

Nope, you are talking about forms-based authentication... If you use NTLM/Kerberos authentication, there is no need for the user to enter any credentials after domain logon at the computer; this works with most browsers such as Firefox (configuration required), Chrome-based, Internet Explorer and Edge. This works for explicit proxy as follows:

- Client sends unauthenticated request
- Explicit proxy replies with HTTP 407
- Client automatically sends authentication information
- Depending on the proxy rules, client gets access

Anyway this was never the question ;)

MarioRuisi
New Member
February 11, 2019

Hi Guys,

is there a way to build a rule with no authentication?

I have built up an explicit proxy in 5.6.7 with FSSO authentication. Anyway, there are some systems which are not members of our domain and which need access to the internet.

For some reason I do not have the possibility to set up an authentication scheme/rule for no authentication.

Can someone help me?

Best regards

Mario