FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Felizardo
Staff
Article Id 423061
Description

This article describes how to allow a particular domain to bypass the Explicit Proxy Authentication process.

Scope

FortiGate.
Solution

Consider a situation where the domain (e.g., www.example.com) should be exempted from Explicit Proxy Authentication. To accomplish this from the CLI, follow these steps:

  1. Create an FQDN address object for the domain to exempt:

config firewall address
    edit "example_com"
        set type fqdn
        set fqdn "www.example.com"
    next
end

  2. Create a new authentication rule with no authentication method:

config authentication rule
    edit "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set ip-based disable
    next
end

  3. Move the no-auth rule to the top, above any authenticating rules (here "kerberos_rule" stands for the existing rule that performs authentication):

config authentication rule
    move "no_authentication" before "kerberos_rule"
end

  4. Create a dedicated proxy policy that accepts the traffic without triggering authentication (no user or group is specified):

config firewall proxy-policy
    edit 20
        set name "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set action accept
        set service "webproxy"
        set schedule always
        set logtraffic all
    next
end

  5. Ensure the policy order: proxy policies are evaluated top-down, so place this policy above the general policies that require authentication.
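The ordering requirements in steps 3 and 5 are the part that most often goes wrong, so the following script checks them after the fact. It is an added example, not code from the Fortinet article or from FortiOS: it parses the text of `show authentication rule` and `show firewall proxy-policy` (constructed sample output is embedded below, in the usual "edit ... set ... next" layout) and confirms that the no-auth rule and the bypass proxy policy for the exempt FQDN object are complete and sit above every entry that would authenticate. The setting names it treats as "authenticating" (active-auth-method, sso-auth-method on a rule; groups, users on a proxy policy) are assumed for this example.

```python
"""Added example (not FortiOS or Fortinet code): parse the text of
`show authentication rule` / `show firewall proxy-policy` and check that
the no-auth rule and the bypass proxy policy for the exempt FQDN object
are complete and sit above every entry that would authenticate."""
import re

# Setting keys that make an entry authenticate (assumed FortiOS names:
# active/SSO scheme on a rule, user/group match on a proxy policy).
AUTH_RULE_KEYS = ("active-auth-method", "sso-auth-method")
POLICY_AUTH_KEYS = ("groups", "users")

# Constructed sample output: exemption rule correctly placed first.
AUTH_RULES_OK = """\
config authentication rule
    edit "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set ip-based disable
    next
    edit "kerberos_rule"
        set srcaddr "all"
        set active-auth-method "kerberos_scheme"
    next
end
"""
# Constructed sample: exemption below the authenticating rule, so the
# domain's traffic would still be challenged.
AUTH_RULES_MISORDERED = """\
config authentication rule
    edit "kerberos_rule"
        set srcaddr "all"
        set active-auth-method "kerberos_scheme"
    next
    edit "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set ip-based disable
    next
end
"""
# Constructed sample: bypass policy (id 20) above the authenticated one.
PROXY_POLICIES_OK = """\
config firewall proxy-policy
    edit 20
        set name "no_authentication"
        set dstaddr "example_com"
        set action accept
        set service "webproxy"
    next
    edit 1
        set name "authenticated_web"
        set dstaddr "all"
        set action accept
        set service "webproxy"
        set groups "proxy_users"
    next
end
"""

def parse_entries(output):
    """Return [(id, {setting: value}), ...] in the order the entries appear."""
    entries, settings = [], None
    for line in output.splitlines():
        stripped = line.strip()
        edit = re.match(r'edit\s+"?([^"]+)"?$', stripped)
        if edit:
            settings = {}
            entries.append((edit.group(1), settings))
            continue
        setting = re.match(r'set\s+(\S+)\s+(.*)$', stripped)
        if setting and settings is not None:
            settings[setting.group(1)] = setting.group(2).strip().strip('"')
    return entries

def precedes_all_auth(entries, pos, auth_keys):
    """True if the entry at pos exists and no earlier entry carries an auth key."""
    return pos is not None and not any(
        any(k in s for k in auth_keys) for _, s in entries[:pos])

def check_exemption(auth_output, policy_output, fqdn_object, rule_name, policy_name):
    """Checks mirroring the article's steps; every value should be True."""
    rules, policies = parse_entries(auth_output), parse_entries(policy_output)
    rpos = next((i for i, (ident, _s) in enumerate(rules) if ident == rule_name), None)
    ppos = next((i for i, (_i, s) in enumerate(policies) if s.get("name") == policy_name), None)
    rule = rules[rpos][1] if rpos is not None else {}
    policy = policies[ppos][1] if ppos is not None else {}
    return {
        "rule_exists": rpos is not None,
        "rule_targets_fqdn": rule.get("dstaddr") == fqdn_object,
        "rule_has_no_method": bool(rule) and not any(k in rule for k in AUTH_RULE_KEYS),
        "rule_ip_based_disabled": rule.get("ip-based") == "disable",
        "rule_above_auth_rules": precedes_all_auth(rules, rpos, AUTH_RULE_KEYS),
        "policy_exists": ppos is not None,
        "policy_targets_fqdn": policy.get("dstaddr") == fqdn_object,
        "policy_has_no_groups": bool(policy) and not any(k in policy for k in POLICY_AUTH_KEYS),
        "policy_above_auth_policies": precedes_all_auth(policies, ppos, POLICY_AUTH_KEYS),
    }

if __name__ == "__main__":
    for label, rules in (("ok", AUTH_RULES_OK), ("misordered", AUTH_RULES_MISORDERED)):
        result = check_exemption(rules, PROXY_POLICIES_OK, "example_com",
                                 "no_authentication", "no_authentication")
        failed = [name for name, ok in result.items() if not ok]
        print(label, "all checks passed" if not failed else "FAILED: " + ", ".join(failed))
```

To use it against a real unit, paste the output of `show authentication rule` and `show firewall proxy-policy` in place of the constructed samples. A failed `rule_above_auth_rules` or `policy_above_auth_policies` check means an authenticating entry is evaluated first and the exemption never matches, which is exactly the misordered case shown in the second sample.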


The steps to perform this in the GUI are largely the same:

  1. Create the FQDN object:

     fqdnobject.PNG

  2. Create a new authentication rule with no scheme and 'IP-based Authentication' disabled. Only the source address can be specified in the GUI; the destination is added afterwards:

     rule.PNG

     Once the rule is saved, edit it again. An 'Edit in CLI' button appears on the right:

     editincli.PNG

     Select that button, then enter 'set dstaddr <fqdn object>':

     cliedit.PNG

  3. Ensure that the rule is at the top (or at least above the rules with authentication), using the handle at the left:

     handle.PNG

  4. Create a proxy policy with no user group specified and the destination set to the FQDN object:

     policyproxy1.PNG

  5. Ensure the policy is at the top of the list, using the handle at the left if needed:

     policyproxy.PNG


Result:

Traffic to the domain (www.example.com) is now allowed to bypass explicit proxy authentication.