- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Authentication changes in FortiOS 4.0 using Ident...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Not applicable
Created on 09-22-2009 03:28 PM
Article Id
193151
Description
Solution
config firewall policy
edit 2
set action accept
set service TELNET
next
edit 1
set action accept
set identity-based enable
config identity-based-policy
edit 1
set groups grp1 grp2
set service HTTP
next
end
Firewall policy authentication has been reworked in FortiOS 4.0. Any firewall policy that requires authentication is now known as an Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and traffic shaping settings.
In FortiOS 4.0, all firewall authentication settings are configured in the Identity Based Policy section of a firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL.
This article uses an example showing changes between FortiOS 3.0 authentication policies and the actions that will applied after an upgrade to 4.0, which uses IDP.
Solution
In FortiOS 3.0 MR6/MR7
config firewall policy
edit 1
set action accept
set groups grp1 grp2
set service HTTP
next
edit 2
set action accept
set service TELNET
next
end
After upgrading to FortiOS 4.0.
config firewall policy
edit 1
set action accept
set identity-based enable
config identity-based-policy
edit 1
set groups grp1 grp2
set service HTTP
next
end
next
edit 2
edit 2
set action accept
set service TELNET
next
end
In FortiOS 4.0, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity Based Policy. To correct the behaviour, users must move the non-Identity Based Policy (TELNET policy) above the Identity Based Policy.
Reorganized policy in FortiOS 4.0.config firewall policy
edit 2
set action accept
set service TELNET
next
edit 1
set action accept
set identity-based enable
config identity-based-policy
edit 1
set groups grp1 grp2
set service HTTP
next
end
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.