Skip to main content
Benny_Lyne_Amorsen
Benny_Lyne_Amorsen
New Member
July 5, 2021
Question

Firewall authentication with cookies

  • July 5, 2021
  • 1 reply
  • 2427 views

Firewall authentication for specifik policies is really useful, in that it is easy to force users to authenticate before accessing a specific webserver.

 

However, there is a snag if multiple users share the same IP address. This could be due to using a terminal server or because of SNAT. When the first user logs in, subsequent users coming from the same IP address are allowed in without being prompted.

 

In the case of HTTP it would be very useful if the firewall could use session cookies to differentiate between the users who are sharing IP addresses. Is there a way to configure the Fortigate to do so?

 

Explicit proxy has all the fancy options for authentication and sessions. Is it possible to somehow coerce explicit proxy to do the job, without having to actually configure the browsers to use the proxy?

 

In a perfect world the firewall would even pass the authenticated user name in an HTTP header, thereby saving the web application from having to deal with authentication.

    1 reply

    Benny_Lyne_Amorsen
    Benny_Lyne_AmorsenAuthor
    New Member
    July 14, 2021

    Official advice from support is that the Fortigate cannot do this. Firewall authentication is strictly per-IP, so any IP sharing results in everyone getting access.

     

    FortiWeb should be able to, according to specifications, but I have not tested.

    Terms & ConditionsAccessibility statement