Benny_Lyne_Amorsen
New Contributor II

Firewall authentication with cookies

Firewall authentication for specific policies is really useful, in that it is easy to force users to authenticate before accessing a specific webserver.

However, there is a snag if multiple users share the same IP address. This could be due to using a terminal server or because of SNAT. When the first user logs in, subsequent users coming from the same IP address are allowed in without being prompted.

In the case of HTTP it would be very useful if the firewall could use session cookies to differentiate between the users who are sharing IP addresses. Is there a way to configure the FortiGate to do so?

Explicit proxy has all the fancy options for authentication and sessions. Is it possible to somehow coerce explicit proxy to do the job, without having to actually configure the browsers to use the proxy?

In a perfect world the firewall would even pass the authenticated user name in an HTTP header, thereby saving the web application from having to deal with authentication.

Benny_Lyne_Amorsen
New Contributor II

Official advice from support is that the FortiGate cannot do this. Firewall authentication is strictly per-IP, so any IP sharing results in everyone getting access.

FortiWeb should be able to, according to specifications, but I have not tested.
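
An added example (not from the original posts, and not FortiGate or FortiWeb code): a Python sketch of the behaviour asked about in the question, contrasting a per-IP authentication table with a gate keyed on a signed session cookie that also sets the user-name header for the web application. The header name, the function names and the 203.0.113.10 address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)       # gateway-side signing key (assumption)
USER_HEADER = "X-Authenticated-User"   # hypothetical header name

def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str) -> str:
    """Signed session cookie value handed to one browser after its login."""
    payload = f"{secrets.token_hex(16)}:{user}"
    return f"{payload}:{_mac(payload)}"

def user_from_cookie(cookie):
    """Return the user name if the cookie is intact, else None."""
    payload, _, mac = (cookie or "").rpartition(":")
    if not payload or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    return payload.partition(":")[2]

def per_ip_gate(authed_ips, src_ip, headers):
    """Per-IP model: whoever logged in first from src_ip vouches for everyone."""
    user = authed_ips.get(src_ip)
    if user is None:
        return 401, {}
    return 200, {**headers, USER_HEADER: user}

def cookie_gate(headers, cookie):
    """Per-session model: identity comes only from the signed cookie."""
    # Drop any client-supplied copy of the header so it cannot be spoofed.
    clean = {k: v for k, v in headers.items() if k.lower() != USER_HEADER.lower()}
    user = user_from_cookie(cookie)
    if user is None:
        return 401, clean
    return 200, {**clean, USER_HEADER: user}

if __name__ == "__main__":
    nat_ip = "203.0.113.10"                  # constructed shared SNAT address
    alice_cookie = issue_cookie("alice")     # alice logs in from her browser
    # Second user behind the same address, no login of their own:
    print(per_ip_gate({nat_ip: "alice"}, nat_ip, {}))             # let in as alice
    print(cookie_gate({"x-authenticated-user": "admin"}, None))   # 401, header dropped
    print(cookie_gate({}, alice_cookie))                          # alice: 200
```

The web application can rely on the header only if it is reachable solely through the gate, since the gate is the one component that removes client-supplied copies.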
