FortiGate
Somashekara_Hanumant
Article Id 195241

Description
This article describes how to require user authentication on a firewall policy that publishes an internal web server to the external network through a VIP (virtual IP).
Scope


Solution
The internal web server is reachable from the external network only after the user authenticates.

The web server is hosted internally at 10.40.9.78. A VIP publishes it on the external interface on external port 444, mapped to port 80 on the server.

Configure the LDAP server:

Configure the LDAP user group:

Configure the firewall policy from the external to the internal interface, with the VIP as the destination address and the LDAP user group selected:

Try to access the web server from the external network on port 444. The FortiGate presents its authentication page first.

After successful authentication the web server is reachable, and the authenticated user is listed under Monitor -> Firewall User Monitor.

To configure the same in the CLI:

1) VIP configuration:

#config firewall vip
    edit "http-78"
        set uuid 63691eda-fe32-51e9-b423-b3e34f895709
        set extip 10.5.22.160
        set extintf "port1"
        set portforward enable
        set mappedip "10.40.9.78"
        set extport 444
        set mappedport 80
    next
end

2) LDAP configuration:

#config user ldap
    edit "ldap"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password ENC MTAwNOQwLf3m/oe8IAgwGz21RIGw+1l73inUJeSC4G91ctOJGk2p2kBvYclGdPmj2hf3LUziQqAMjWMv4ubZwJzoDWVfHAFLsUvIH6gD43+bDwn6sKGAHNb9Pgvxjyr1h2xNGoVHwkqBzvXowJa9qwhEcTpwEZC1qp346oHcniS2jNoaCrcja+cXVGtyApcOIj0X4Q==
    next
end

3) User group configuration:

#config user group
    edit "ldap_grp"
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "CN=hrgrp,CN=Users,DC=dubailab,DC=lab"
            next
        end
    next
end

4) User settings. The VIP is published on the non-standard external port 444, so that port has to be added as an HTTP authentication port; otherwise firewall authentication only intercepts HTTP on the default port 80 and the login page is never shown for the VIP:

#config user setting
    set auth-cert "Fortinet_Factory"
    config auth-ports
        edit 1
            set type http
            set port 444
        next
    end
end

5) Firewall policy (destination is the VIP object, and the LDAP user group is set so the policy only allows authenticated users):

#config firewall policy
    edit 3
        set name "vip"
        set uuid 803671de-fe32-51e9-69e2-f42ee8ec29f0
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "http-78"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "ldap_grp"
    next
end

Note that the policy uses service ALL. Because the VIP is a port-forwarding VIP, only traffic to external port 444 matches it, so nothing else is exposed in practice; restricting the service to TCP/444 is still the tighter choice.
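The five CLI steps above only work together if three things agree: the policy that publishes the VIP must carry "set groups", the group it names must exist, and the VIP's external port must be an HTTP(S) authentication port under "config user setting". A mismatch fails silently (the policy simply passes or blocks traffic without ever showing the login page), so it is worth checking before deployment. The following Python is an added example, not Fortinet's or FortiOS's own code: it parses FortiOS-style config/edit/set/next/end blocks and reports those mismatches. DEFAULT_AUTH_PORTS (80/http and 443/https as the built-in captive-portal ports) is an assumption, and SAMPLE_CONFIG is a constructed, trimmed copy of the page's configuration.

```python
"""Offline consistency check for the authenticated-VIP setup in steps 1 to 5.

Added example, not FortiOS or Fortinet code. SAMPLE_CONFIG is a constructed,
trimmed copy of the page's config (uuids, names and the LDAP server left out).
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
#config firewall vip
    edit "http-78"
        set portforward enable
        set extport 444
        set mappedport 80
    next
end
config user group
    edit "ldap_grp"
        set member "ldap"
    next
end
config user setting
    config auth-ports
        edit 1
            set type http
            set port 444
        next
    end
end
config firewall policy
    edit 3
        set dstaddr "http-78"
        set service "ALL"
        set groups "ldap_grp"
    next
end
"""

# Assumption: FortiOS serves captive-portal logins on 80/http and 443/https by
# default, so a VIP published on any other port must be listed under auth-ports.
DEFAULT_AUTH_PORTS = {("http", "80"), ("https", "443")}


def _node() -> Dict:
    return {"set": {}, "edit": {}, "config": {}}


def parse_config(text: str) -> Dict:
    """Parse config/edit/set/next/end lines into nested dicts; a leading '#' prompt is tolerated."""
    stack = [_node()]
    for raw in text.splitlines():
        toks = re.findall(r'"[^"]*"|\S+', raw.strip().lstrip("#"))
        if not toks:
            continue
        kw, args = toks[0], [t.strip('"') for t in toks[1:]]
        if kw in ("config", "edit"):      # open a table or a table entry
            child = _node()
            stack[-1][kw][" ".join(args)] = child
            stack.append(child)
        elif kw == "set":                 # values kept as a list: many fields are multi-valued
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"stray {kw}")
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return stack[0]


def check_authenticated_vip(text: str) -> List[str]:
    """Return ERROR/WARN findings for every policy whose dstaddr is a VIP."""
    cfg = parse_config(text)["config"]

    def table(name: str) -> Dict:
        return cfg.get(name, _node())

    vips, groups = table("firewall vip")["edit"], table("user group")["edit"]
    auth_ports = set(DEFAULT_AUTH_PORTS)
    for ap in table("user setting")["config"].get("auth-ports", _node())["edit"].values():
        auth_ports.add((ap["set"].get("type", [""])[0], ap["set"].get("port", [""])[0]))
    findings: List[str] = []
    for pid, pol in table("firewall policy")["edit"].items():
        s = pol["set"]
        vip_names = [d for d in s.get("dstaddr", []) if d in vips]
        if not vip_names:
            continue  # not a VIP-publishing policy, out of scope here
        if not s.get("groups"):
            findings.append(f"ERROR policy {pid}: publishes {vip_names} without 'set groups'; no authentication is enforced")
        for g in s.get("groups", []):
            if g not in groups:
                findings.append(f"ERROR policy {pid}: group '{g}' is not defined under config user group")
        for v in vip_names:
            vs = vips[v]["set"]
            port = vs.get("extport", [""])[0] if vs.get("portforward") == ["enable"] else ""
            if port and ("http", port) not in auth_ports and ("https", port) not in auth_ports:
                findings.append(f"ERROR policy {pid}: VIP '{v}' is reached on external port {port}, which is not an HTTP(S) auth port under config user setting; the captive portal cannot intercept it")
        if s.get("service") == ["ALL"]:
            findings.append(f"WARN policy {pid}: service is ALL; restrict it to the VIP's external port")
    return findings
```

Run check_authenticated_vip() on the sample and it returns only the service-ALL warning; drop the "set groups" line, or change the auth port to anything other than 444, and it reports the corresponding ERROR. The parser deliberately rejects keywords it does not know, so extend it (for example with "unset") before pointing it at a full "show" dump.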



 


