Firewall authentication for specific policies is really useful, in that it is easy to force users to authenticate before accessing a specific webserver.
However, there is a snag if multiple users share the same IP address. This could be due to using a terminal server or because of SNAT. When the first user logs in, subsequent users coming from the same IP address are allowed in without being prompted.
In the case of HTTP it would be very useful if the firewall could use session cookies to differentiate between the users who are sharing IP addresses. Is there a way to configure the FortiGate to do so?
Explicit proxy has all the fancy options for authentication and sessions. Is it possible to somehow coerce explicit proxy to do the job, without having to actually configure the browsers to use the proxy?
In a perfect world the firewall would even pass the authenticated user name in an HTTP header, thereby saving the web application from having to deal with authentication.
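
The difference the post describes, as an added Python model (not FortiGate configuration or behaviour, and not code from the original post): one gateway keys authentication on source IP, the other on a signed session cookie, and both pass the user name to the web server in a header. The class names, the `X-Authenticated-User` header name and the cookie layout are assumptions, and the `Cookie` header is simplified to a single value.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)          # gateway-only signing key (assumption)
USER_HEADER = "X-Authenticated-User"   # hypothetical header name


class IpKeyedGateway:
    """Authentication state keyed on source IP, as described in the post."""

    def __init__(self):
        self.authed = {}               # source IP -> user name

    def login(self, src_ip, user):
        self.authed[src_ip] = user

    def identify(self, src_ip, headers):
        return self.authed.get(src_ip)  # None means "prompt for login"


class CookieKeyedGateway:
    """Authentication state carried in a signed per-browser session cookie."""

    def login(self, src_ip, user):
        sid = secrets.token_hex(16)
        mac = hmac.new(KEY, f"{sid}|{user}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}|{user}|{mac}"   # value the browser sends back as its cookie

    def identify(self, src_ip, headers):
        parts = headers.get("Cookie", "").split("|")
        if len(parts) != 3:
            return None
        sid, user, mac = parts
        good = hmac.new(KEY, f"{sid}|{user}".encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(mac, good) else None


def forward_headers(gateway, src_ip, headers):
    """Build the headers sent to the web server, or None to force a login."""
    user = gateway.identify(src_ip, headers)
    if user is None:
        return None
    # Drop any client-supplied copy so only the gateway's value reaches the app.
    out = {k: v for k, v in headers.items() if k.lower() != USER_HEADER.lower()}
    out[USER_HEADER] = user
    return out
```

A web application that trusts such a header should accept it only on connections coming from the gateway itself.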