xsilver wrote:

Hi,

 

you haven't mentioned it, but you need firewall policy!

For more details and config examples refer to Authentication guide on docs.fortinet.com.

 

Kind regards, Tomas

To be specific, your internal to wan policy needs to be set to user group: yourUserGroup

All other policies (going from internal to wan (all)) need to be authentication or deny

Millibhu wrote:

I already modified my security policy (internal to WAN) , I specified the source users to be user group (group I create to authen with LDAP) and source address to be none (previously source address is set to any) and set action to be Accept. But still when I open browser it does not prompt any authentication portal.

Let's ignore the authentication method for now, if you don't get an authentication page something is wrong with your policies

Take another look at your internal > wan policy

It sould be

Source Interface: internal

Source User: YourUserGroup

Source Address: yourInternalNetwork

Destination Interface: wan1 (or 2 depending on your setup)

Destination Address: any

Service: all (or at least http/https)

NAT on (depending on your setup)

 

All other internal > wan policies with the same source IPs need to be deny or authenticate! This is important

Hi,

 

I follow your instruction this is my security policy config

FGT_HA_2 # show firewall policy 1 config firewall policy     edit 1         set uuid 8a53c544-3bc3-51e5-4279-90090cb380f8         set srcintf "port1"         set dstintf "wan1"         set srcaddr "My_network"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set webcache enable         set ntlm enable         set groups "My_user_group"         set av-profile "default"         set webfilter-profile "allow_9gag"         set ips-sensor "default"         set application-list "default"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next end

 

I have only 1 security policy , the other is implicit deny

 

now I have denied my explicit proxy policy.

 

config firewall explicit-proxy-policy     edit 1         set uuid e493a46c-4c93-51e5-3a46-b142df3ef351         set proxy web         set dstintf "wan1"         set srcaddr "all"         set dstaddr "all"         set service "webproxy"         set action accept         set status disable         set schedule "always"         set utm-status enable         set av-profile "default"         set webfilter-profile "default"         set ips-sensor "default"         set application-list "default"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"     next end

 

It still does not prompt for authentication, not sure where did I miss ?

 

Thanks

Millibhu

 

Hi ,

 

now am able to get for the prompt authentication

I forget to put the authentication in my proxy security profiles.

 

But when I put my username/password (join domain name) it could not pass the authenticaiton, only the account that I use for LDAP queries can pass the authentication. Am I missing something ?

 

Thanks