Firewall authentication for specifik policies is really useful, in that it is easy to force users to authenticate before accessing a specific webserver.
However, there is a snag if multiple users share the same IP address. This could be due to using a terminal server or because of SNAT. When the first user logs in, subsequent users coming from the same IP address are allowed in without being prompted.
In the case of HTTP it would be very useful if the firewall could use session cookies to differentiate between the users who are sharing IP addresses. Is there a way to configure the Fortigate to do so?
Explicit proxy has all the fancy options for authentication and sessions. Is it possible to somehow coerce explicit proxy to do the job, without having to actually configure the browsers to use the proxy?
In a perfect world the firewall would even pass the authenticated user name in an HTTP header, thereby saving the web application from having to deal with authentication.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Official advice from support is that the Fortigate cannot do this. Firewall authentication is strictly per-IP, so any IP sharing results in everyone getting access.
FortiWeb should be able to, according to specifications, but I have not tested.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1099 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.