Firewall Authentication - Multiple Users from Same Source IP
We are using a FGT VM64 v6.4.6 build1879 and have an inbound policy to a VIP that we'd like to add firewall authentication to. I have added firewall users to the rule, and get the expected firewall authentication page when attempting to access the VIP from the outside. I authenticate myself successfully and proceed to the VIP as expected.
The issue, however, is that authentication appears to be tied exclusively to the source IP. Once a user is authenticated to the firewall from a source IP, any other request to any policy that the original user has access to on the firewall from the same source IP is automatically authenticated, even if it's physically a different user connecting from a totally different device within the same NATd network.
Here is a scenario:
1) We have two local users defined, User1 and User2.
2) We have two inbound firewall policies at headquarters that protect VIPs, PolicyX and PolicyY.
3) PolicyX has User1 and User2 in the source. PolicyY has User1 in the source.
4) User1 and User2 are both LAN users working at a remote facility that has one public IP address, SourceIP1.
5) User2 connects to PolicyX from SourceIP1 at headquarters. She is presented with the firewall authentication form, is authenticated successfully, and proceeds to work on the VIP attached to PolicyX.
6) User1 attempts to connect to the VIP in PolicyY from SourceIP1 at headquarters. He is not presented with the firewall authentication form and is denied access to PolicyX, presumably because User2 has authenticated from SourceIP1 and is not a user assigned to PolicyY.
7) User1 attempts to connect to the VIP in PolicyX from SourceIP1 at headquarters. He is not presented with the firewall authentication form, but is allowed to automatically proceed to the VIP attached to PolicyX, presumably since User2 had previously authenticated from the same SourceIP1.
8) Conversely, if User1 was the first to log in, User2 would be able to access PolicyY, even though User2 is not allowed.
It appears that FGT does a reverse lookup on the source IP to see if there is a user already authenticated from that IP. If it doesn't find a matching user, then it presents the firewall authentication page. If it does find a user that has already authenticated from the source IP, it assumes it's the same user for all subsequent connections.
Am I missing a configuration option, or is this by design? Thanks for any assistance you can provide!
Authentication on FortiGate is principally IP-based; you're correct. If a user authenticated on an IP, then any subsequent traffic coming from that IP will be authenticated until the authentication session times out or is removed.
The principal issue here is: How is the FortiGate to know what traffic comes from what user, if multiple users share the same IP?
For setups with multiple users sharing the same IP due to a terminal server, there is the option of FSSO and TS Agent, but that is not applicable here, as the users only share the same IP due to NAT.
I know of two possible options:
- transparent proxy
-> with proxy authentication, you can enable session-based authentication with web-cookies, meaning each user would have their own cookie after authentication, and FortiGate would use that to tell apart which traffic belongs to which user
-> it is essentially a VIP with authentication requirements, so you could set up session-based authentication much as outlined above for transparent proxy, and allow access based on the user identity/group memberships
-> there are also some other, granular access control settings
-> it requires a setup also involving FortiClient and EMS server, though
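As an added illustration (not code from this thread or from Fortinet), the following Python model replays steps 5 to 7 of the question against two authentication tables: one keyed only by source IP, which is the behaviour the answer describes, and one keyed by a per-client session cookie, which is what proxy session-based authentication gives you. The policy names, users, passwords, the stand-in IP address and the cookie handling are all constructed for the example and say nothing about FortiOS internals.

```python
"""Model of firewall authentication keyed by source IP versus by a per-client
session cookie, replaying the scenario from the question. Added illustration,
not FortiOS code: policies, users, passwords, the IP and the cookie scheme are
constructed, and a real FortiGate's state handling differs in detail."""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy table: the identities each policy admits (steps 1-3).
POLICIES = {"PolicyX": {"User1", "User2"}, "PolicyY": {"User1"}}
CREDENTIALS = {"User1": "hunter2", "User2": "correct horse"}  # constructed


@dataclass
class Request:
    src_ip: str
    policy: str
    login: Optional[Tuple[str, str]] = None  # (user, password) typed into the auth form
    cookie: Optional[str] = None             # session cookie the client presents, if any


@dataclass
class Decision:
    verdict: str                   # "AUTH_FORM", "AUTH_FAILED", "ALLOW" or "DENY"
    user: Optional[str] = None     # identity the firewall attributed the flow to
    cookie: Optional[str] = None   # cookie issued on a fresh login (session model only)


def _login(login: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the user name if the submitted credentials are valid, else None."""
    if login is None:
        return None
    user, password = login
    return user if CREDENTIALS.get(user) == password else None


class IpBasedFirewall:
    """Auth state keyed only by source IP: the behaviour described in the question."""

    def __init__(self) -> None:
        self.user_by_ip = {}

    def handle(self, req: Request) -> Decision:
        user = self.user_by_ip.get(req.src_ip)
        if user is None:
            if req.login is None:
                return Decision("AUTH_FORM")
            user = _login(req.login)
            if user is None:
                return Decision("AUTH_FAILED")
            self.user_by_ip[req.src_ip] = user
        # Every later flow from this IP is attributed to `user`, whoever sent it.
        verdict = "ALLOW" if user in POLICIES[req.policy] else "DENY"
        return Decision(verdict, user)


class SessionBasedFirewall:
    """Auth state keyed by a per-client cookie, as with proxy session-based auth."""

    def __init__(self) -> None:
        self.user_by_cookie = {}

    def handle(self, req: Request) -> Decision:
        user = self.user_by_cookie.get(req.cookie) if req.cookie else None
        issued = None
        if user is None:
            if req.login is None:
                return Decision("AUTH_FORM")   # no session yet: ask this client to log in
            user = _login(req.login)
            if user is None:
                return Decision("AUTH_FAILED")
            issued = secrets.token_urlsafe(16)  # unguessable per-client session id
            self.user_by_cookie[issued] = user
        verdict = "ALLOW" if user in POLICIES[req.policy] else "DENY"
        return Decision(verdict, user, issued)


def replay(fw) -> List[str]:
    """Steps 5-7 of the question, plus a cross-check; both users sit behind one NAT IP."""
    ip = "203.0.113.10"  # constructed stand-in for SourceIP1
    out = []
    # Step 5: User2 opens PolicyX, sees the form, logs in.
    out.append(fw.handle(Request(ip, "PolicyX")).verdict)
    d = fw.handle(Request(ip, "PolicyX", login=("User2", "correct horse")))
    out.append(d.verdict)
    user2_cookie = d.cookie
    # Step 6: User1, on another device behind the same NAT, opens PolicyY
    # without having logged in (and without User2's cookie).
    d = fw.handle(Request(ip, "PolicyY"))
    out.append(d.verdict)
    if d.verdict == "AUTH_FORM":  # only the session model ever gets here
        d = fw.handle(Request(ip, "PolicyY", login=("User1", "hunter2")))
        out.append(d.verdict)
    user1_cookie = d.cookie
    # Step 7: User1 opens PolicyX; who does the firewall think is asking?
    d = fw.handle(Request(ip, "PolicyX", cookie=user1_cookie))
    out.append(f"{d.verdict} as {d.user}")
    # Cross-check: User2's own session must still be refused on PolicyY.
    d = fw.handle(Request(ip, "PolicyY", cookie=user2_cookie))
    out.append(f"{d.verdict} as {d.user}")
    return out


if __name__ == "__main__":
    print("IP-based:     ", replay(IpBasedFirewall()))
    print("Session-based:", replay(SessionBasedFirewall()))
```

In the IP-keyed model User1 is never shown the form: step 6 is denied and step 7 is allowed, both as User2, exactly the symptom in the question. In the cookie-keyed model a client without a session cookie is always challenged, so User1 gets the form, logs in, and is then evaluated against PolicyX and PolicyY as User1, while User2's cookie still cannot reach PolicyY.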