Created on 09-22-2009 03:28 PM
Firewall policy authentication has been reworked in FortiOS 4.0. Any firewall policy that requires authentication is now known as an Identity Based Policy (IBP). Previously, a separate authentication firewall policy had to be created for each combination of schedule, service and traffic shaping settings.
In FortiOS 4.0, all firewall authentication settings are configured in the Identity Based Policy section of a firewall policy. A firewall policy with identity-based authentication enabled matches traffic on its source and destination, then evaluates its identity-based sub-policies (groups, schedule, service). If the traffic matches none of the identity-based sub-policies, it is subjected to an implicit DENY ALL rather than falling through to the next firewall policy.
This article uses an example showing a FortiOS 3.0 authentication policy and the behaviour that results after an upgrade to 4.0, which uses IBP.
In FortiOS 3.0 MR6/MR7
config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
    next
    edit 2
        set action accept
        set service TELNET
    next
end
After upgrading to FortiOS 4.0.
In FortiOS 4.0, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of the Identity Based Policy. After the upgrade, policy 1 becomes an Identity Based Policy: its group and service settings move into an identity-based sub-policy, and the outer policy matches on source and destination only. TELNET traffic therefore matches policy 1 first, matches none of its identity-based sub-policies (which only allow HTTP), and is dropped by the implicit DENY ALL; policy 2 is never evaluated. To restore the FortiOS 3.0 behaviour, move the non-Identity Based Policy (the TELNET policy) above the Identity Based Policy so that it is evaluated first.
Reorganized policy in FortiOS 4.0.
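The following is an added illustration, not a listing from the original article, of the same two policies as they would appear in FortiOS 4.0 CLI, first in the order produced by the upgrade and then after the reorder. The interfaces (internal, wan1) and addresses (all) are assumed, since the FortiOS 3.0 example above does not show them, and the identity-based sub-policy keywords reflect 4.0-era firmware; confirm them against the CLI reference for your exact build.

```fortios
# Added example (not from the original article). srcintf/dstintf and
# srcaddr/dstaddr are assumed; groups and services are taken from the
# FortiOS 3.0 example above.

# 1) Order as produced by the upgrade. Policy 1 is identity-based and
#    matches on source/destination only, so TELNET hits policy 1, matches
#    no sub-policy (HTTP only) and is dropped by the implicit DENY ALL.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "grp1" "grp2"
                set schedule "always"
                set service "HTTP"
            next
        end
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TELNET"
    next
end

# 2) Corrected order: place the plain TELNET policy ahead of the
#    identity-based policy so it is evaluated first. Policy 1 then only
#    sees traffic that policy 2 did not accept, i.e. HTTP and anything
#    else, which still ends in the implicit DENY ALL for non-HTTP traffic.
config firewall policy
    move 2 before 1
end
```

Before reordering, confirm that the unauthenticated TELNET policy was intended to apply to everyone in the 3.0 configuration: the reorder restores exactly that behaviour, and any policy placed above an Identity Based Policy bypasses its authentication for the traffic it matches.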
Copyright 2024 Fortinet, Inc. All Rights Reserved.